Tracking Proton66 Activity With KQL
Query
// https://thehackernews.com/2025/04/hackers-abuse-russian-bulletproof-host.html
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where ipv4_is_in_any_range(RemoteIP, '45.135.232.0/24', '91.212.166.0/24', '193.143.1.0/24', '45.140.17.0/24', '45.134.26.0/24')
| where ActionType has "ConnectionSuccess" or ActionType has "InboundConnectionAccepted"
| summarize NoOfHits=count() by DeviceName, ActionType, RemoteIP
| sort by NoOfHits descExplanation
This query is analyzing network events from devices over the past 90 days. It focuses on events where the remote IP address falls within specific ranges associated with potentially suspicious activity. The query filters for events where a connection was successfully made or an inbound connection was accepted. It then counts the number of such events for each device, action type, and remote IP address, and sorts the results by the number of occurrences in descending order. This helps identify devices that have had the most interactions with these IP ranges, potentially indicating compromised or targeted systems.
Details

Steven Lim
Released: April 21, 2025
Tables
DeviceNetworkEvents
Keywords
DeviceNetworkEventsTimeGeneratedRemoteIPActionTypeName
Operators
DeviceNetworkEventswhereipv4_is_in_any_rangehasorsummarizecountbysortdesc