forked from Bert-JanP/Hunting-Queries-Detection-Rules
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
23 changed files
with
378 additions
and
0 deletions.
There are no files selected for viewing
8 changes: 8 additions & 0 deletions
8
MISP/Feeds/Defender For Endpoint/MISP-CVE-MetasploitExploits.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| let MetaSploitExploitsWithAssignedCVE = externaldata(cveid: string)[@"https://feeds.ecrimelabs.net/data/metasploit-cve"] with (format="txt", ignoreFirstRecord=True); | ||
| DeviceTvmSoftwareVulnerabilities | ||
| | where CveId in~ (MetaSploitExploitsWithAssignedCVE) | ||
| | summarize | ||
| TotalVulnerabilities = dcount(CveId), | ||
| Vulnerabilities = make_set(CveId) | ||
| by DeviceName | ||
| | sort by TotalVulnerabilities |
21 changes: 21 additions & 0 deletions
21
MISP/Feeds/Defender For Endpoint/MISP-IP-AbuseCH-IPBlocklist.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| let MISPFeed = externaldata(IP: string)[@"https://feodotracker.abuse.ch/downloads/ipblocklist.txt"] with (format="txt", ignoreFirstRecord=True); | ||
| let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | ||
| let MaliciousIP = materialize ( | ||
| MISPFeed | ||
| | where IP matches regex IPRegex | ||
| | distinct IP | ||
| ); | ||
| DeviceNetworkEvents | ||
| | where RemoteIP in (MaliciousIP) | ||
| | extend GeoIPInfo = geo_info_from_ip_address(RemoteIP) | ||
| | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) | ||
| | project-reorder | ||
| Timestamp, | ||
| ActionType, | ||
| RemoteIP, | ||
| RemotePort, | ||
| LocalPort, | ||
| Protocol, | ||
| DeviceName, | ||
| InitiatingProcessCommandLine, | ||
| InitiatingProcessFolderPath |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| let MISPFeed = externaldata(DestIP: string)[@"https://lists.blocklist.de/lists/all.txt"] with (format="txt", ignoreFirstRecord=True); | ||
| let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | ||
| let MaliciousIP = materialize ( | ||
| MISPFeed | ||
| | where DestIP matches regex IPRegex | ||
| | distinct DestIP | ||
| ); | ||
| DeviceNetworkEvents | ||
| | where RemoteIP in (MaliciousIP) | ||
| | extend GeoIPInfo = geo_info_from_ip_address(RemoteIP) | ||
| | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) | ||
| | project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| let MISPFeed = externaldata(DestIP: string)[@"https://cinsscore.com/list/ci-badguys.txt"] with (format="txt", ignoreFirstRecord=True); | ||
| let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | ||
| let MaliciousIP = materialize ( | ||
| MISPFeed | ||
| | where DestIP matches regex IPRegex | ||
| | distinct DestIP | ||
| ); | ||
| DeviceNetworkEvents | ||
| | where RemoteIP in (MaliciousIP) | ||
| | extend GeoIPInfo = geo_info_from_ip_address(RemoteIP) | ||
| | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) | ||
| | project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName |
15 changes: 15 additions & 0 deletions
15
MISP/Feeds/Defender For Endpoint/MISP-IP-DiamondFoxPanels.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| let MISPFeed = externaldata(Row: string)[@"https://raw.githubusercontent.com/pan-unit42/iocs/master/diamondfox/diamondfox_panels.txt"] with (format="txt", ignoreFirstRecord=True); | ||
| let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | ||
| let MaliciousIP = materialize ( | ||
| MISPFeed | ||
| // extract the url or ip from a website https://10.10.10.10/malware.exe will return 10.10.10.10 and https://malicious.zip/malware.exe will return malicious.zip | ||
| | extend DomainOrIP = extract(@'//(.*?)/', 1, Row) | ||
| | extend DomainOrIPToLower = tolower(DomainOrIP) | ||
| | where DomainOrIPToLower matches regex IPRegex | ||
| | distinct DomainOrIP | ||
| ); | ||
| DeviceNetworkEvents | ||
| | where RemoteIP in (MaliciousIP) | ||
| | extend GeoIPInfo = geo_info_from_ip_address(RemoteIP) | ||
| | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) | ||
| | project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName |
13 changes: 13 additions & 0 deletions
13
MISP/Feeds/Defender For Endpoint/MISP-IP-FeodoIPBlocklist.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| let MISPFeed = externaldata(Row: string)[@"https://feodotracker.abuse.ch/downloads/ipblocklist.csv"] with (format="txt", ignoreFirstRecord=True); | ||
| let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | ||
| let MaliciousIP = materialize ( | ||
| MISPFeed | ||
| | extend IP = extract(IPRegex, 0, Row) | ||
| | where isnotempty(IP) | ||
| | distinct IP | ||
| ); | ||
| DeviceNetworkEvents | ||
| | where RemoteIP in (MaliciousIP) | ||
| | extend GeoIPInfo = geo_info_from_ip_address(RemoteIP) | ||
| | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) | ||
| | project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| let MISPFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/1.txt"] with (format="txt", ignoreFirstRecord=True); | ||
| let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | ||
| let MaliciousIP = materialize ( | ||
| MISPFeed | ||
| | where DestIP matches regex IPRegex | ||
| | distinct DestIP | ||
| ); | ||
| DeviceNetworkEvents | ||
| | where RemoteIP in (MaliciousIP) | ||
| | extend GeoIPInfo = geo_info_from_ip_address(RemoteIP) | ||
| | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) | ||
| | project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| let MISPFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/2.txt"] with (format="txt", ignoreFirstRecord=True); | ||
| let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | ||
| let MaliciousIP = materialize ( | ||
| MISPFeed | ||
| | where DestIP matches regex IPRegex | ||
| | distinct DestIP | ||
| ); | ||
| DeviceNetworkEvents | ||
| | where RemoteIP in (MaliciousIP) | ||
| | extend GeoIPInfo = geo_info_from_ip_address(RemoteIP) | ||
| | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) | ||
| | project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| let MISPFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt"] with (format="txt", ignoreFirstRecord=True); | ||
| let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | ||
| let MaliciousIP = materialize ( | ||
| MISPFeed | ||
| | where DestIP matches regex IPRegex | ||
| | distinct DestIP | ||
| ); | ||
| DeviceNetworkEvents | ||
| | where RemoteIP in (MaliciousIP) | ||
| | extend GeoIPInfo = geo_info_from_ip_address(RemoteIP) | ||
| | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) | ||
| | project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| let MISPFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt"] with (format="txt", ignoreFirstRecord=True); | ||
| let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | ||
| let MaliciousIP = materialize ( | ||
| MISPFeed | ||
| | where DestIP matches regex IPRegex | ||
| | distinct DestIP | ||
| ); | ||
| DeviceNetworkEvents | ||
| | where RemoteIP in (MaliciousIP) | ||
| | extend GeoIPInfo = geo_info_from_ip_address(RemoteIP) | ||
| | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) | ||
| | project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| let MISPFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/5.txt"] with (format="txt", ignoreFirstRecord=True); | ||
| let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | ||
| let MaliciousIP = materialize ( | ||
| MISPFeed | ||
| | where DestIP matches regex IPRegex | ||
| | distinct DestIP | ||
| ); | ||
| DeviceNetworkEvents | ||
| | where RemoteIP in (MaliciousIP) | ||
| | extend GeoIPInfo = geo_info_from_ip_address(RemoteIP) | ||
| | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) | ||
| | project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| let MISPFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/6.txt"] with (format="txt", ignoreFirstRecord=True); | ||
| let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | ||
| let MaliciousIP = materialize ( | ||
| MISPFeed | ||
| | where DestIP matches regex IPRegex | ||
| | distinct DestIP | ||
| ); | ||
| DeviceNetworkEvents | ||
| | where RemoteIP in (MaliciousIP) | ||
| | extend GeoIPInfo = geo_info_from_ip_address(RemoteIP) | ||
| | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) | ||
| | project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| let MISPFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/7.txt"] with (format="txt", ignoreFirstRecord=True); | ||
| let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | ||
| let MaliciousIP = materialize ( | ||
| MISPFeed | ||
| | where DestIP matches regex IPRegex | ||
| | distinct DestIP | ||
| ); | ||
| DeviceNetworkEvents | ||
| | where RemoteIP in (MaliciousIP) | ||
| | extend GeoIPInfo = geo_info_from_ip_address(RemoteIP) | ||
| | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) | ||
| | project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| let MISPFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/8.txt"] with (format="txt", ignoreFirstRecord=True); | ||
| let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | ||
| let MaliciousIP = materialize ( | ||
| MISPFeed | ||
| | where DestIP matches regex IPRegex | ||
| | distinct DestIP | ||
| ); | ||
| DeviceNetworkEvents | ||
| | where RemoteIP in (MaliciousIP) | ||
| | extend GeoIPInfo = geo_info_from_ip_address(RemoteIP) | ||
| | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) | ||
| | project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName |
12 changes: 12 additions & 0 deletions
12
MISP/Feeds/Defender For Endpoint/MISP-IP-MiraiSecurity.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| let MISPFeed = externaldata(DestIP: string)[@"https://mirai.security.gives/data/ip_list.txt"] with (format="txt", ignoreFirstRecord=True); | ||
| let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | ||
| let MaliciousIP = materialize ( | ||
| MISPFeed | ||
| | where DestIP matches regex IPRegex | ||
| | distinct DestIP | ||
| ); | ||
| DeviceNetworkEvents | ||
| | where RemoteIP in (MaliciousIP) | ||
| | extend GeoIPInfo = geo_info_from_ip_address(RemoteIP) | ||
| | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) | ||
| | project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| let MISPFeed = externaldata(DestIP: string)[@"https://rules.emergingthreats.net/blockrules/compromised-ips.txt"] with (format="txt", ignoreFirstRecord=True); | ||
| let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | ||
| let MaliciousIP = materialize ( | ||
| MISPFeed | ||
| | where DestIP matches regex IPRegex | ||
| | distinct DestIP | ||
| ); | ||
| DeviceNetworkEvents | ||
| | where RemoteIP in (MaliciousIP) | ||
| | extend GeoIPInfo = geo_info_from_ip_address(RemoteIP) | ||
| | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) | ||
| | project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName |
9 changes: 9 additions & 0 deletions
9
MISP/Feeds/Defender For Endpoint/MISP-MD5-AbuseCH-MalwareMD5.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| let MISPFeed = externaldata(MD5: string)[@"https://bazaar.abuse.ch/export/txt/md5/recent"] with (format="txt", ignoreFirstRecord=True); | ||
| let MD5Regex = '[a-f0-9]{32}'; | ||
| let MaliciousMD5 = materialize ( | ||
| MISPFeed | ||
| | where MD5 matches regex MD5Regex | ||
| | distinct MD5 | ||
| ); | ||
| DeviceFileEvents | ||
| | where MD5 has_any (MaliciousMD5) |
13 changes: 13 additions & 0 deletions
13
MISP/Feeds/Defender For Endpoint/MISP-URL-DiamondFoxPanels.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| let MISPFeed = externaldata(Row: string)[@"https://raw.githubusercontent.com/pan-unit42/iocs/master/diamondfox/diamondfox_panels.txt"] with (format="txt", ignoreFirstRecord=True); | ||
| let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | ||
| let MaliciousDomain = materialize ( | ||
| MISPFeed | ||
| // extract the url or ip from a website https://10.10.10.10/malware.exe will return 10.10.10.10 and https://malicious.zip/malware.exe will return malicious.zip | ||
| | extend DomainOrIP = extract(@'//(.*?)/', 1, Row) | ||
| | extend DomainOrIPToLower = tolower(DomainOrIP) | ||
| | where not(DomainOrIPToLower matches regex IPRegex) | ||
| | distinct DomainOrIP | ||
| ); | ||
| DeviceNetworkEvents | ||
| | where RemoteIP has_any (MaliciousDomain) | ||
| | project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName |
Oops, something went wrong.