MontySecurity C2 Tracker All IPs
TI Feed Monty Security C2 Tracker All I Ps
Query
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/all.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
ThreatIntelFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountNameAbout this query
MontySecurity C2 Tracker All IPs
Source: MontySecurity
Feed information: https://github.com/montysecurity/C2-Tracker
Feed link: https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/all.txt
Defender XDR
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/all.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
ThreatIntelFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
Sentinel
Explanation
This query is designed to identify and provide information about potentially malicious IP addresses from a threat intelligence feed, specifically the MontySecurity C2 Tracker. Here's a simple breakdown of what the query does:
-
Data Source: The query uses an external data source, which is a text file containing a list of IP addresses. This file is hosted on GitHub by MontySecurity.
-
IP Extraction: It extracts IP addresses from the data using a regular expression that matches standard IPv4 address formats.
-
Malicious IP Identification: The query identifies distinct IP addresses from the feed that match the IP format.
-
Network Event Filtering: It then checks network events to see if any of these identified IP addresses appear as remote IPs in the network events.
-
Geolocation Information: For any matching network events, the query retrieves geolocation information for the remote IPs, including country, state, city, latitude, and longitude.
-
Output: Finally, it organizes the output to show relevant details such as the timestamp of the event, device name, remote IP and port, and the account name of the process that initiated the connection.
The query is structured similarly for both Defender XDR and Sentinel, with minor differences in the naming of the timestamp field (Timestamp vs. TimeGenerated).
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators