forked from Bert-JanP/Hunting-Queries-Detection-Rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
MISP-IP-DiamondFoxPanels.txt
15 lines (15 loc) · 1.11 KB
/
MISP-IP-DiamondFoxPanels.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
let MISPFeed = externaldata(Row: string)[@"https://raw.githubusercontent.com/pan-unit42/iocs/master/diamondfox/diamondfox_panels.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
MISPFeed
// extract the url or ip from a website https://10.10.10.10/malware.exe will return 10.10.10.10 and https://malicious.zip/malware.exe will return malicious.zip
| extend DomainOrIP = extract(@'//(.*?)/', 1, Row)
| extend DomainOrIPToLower = tolower(DomainOrIP)
| where DomainOrIPToLower matches regex IPRegex
| distinct DomainOrIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName