forked from Bert-JanP/Hunting-Queries-Detection-Rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CEF-MultiSource-IP.txt
87 lines (87 loc) · 4.76 KB
/
CEF-MultiSource-IP.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
// Name: Deepak Kumar Ray
// Twitter: https://twitter.com/roydeepakku
// LinkedIn: https://www.linkedin.com/in/deepak2/
let MISPFeed1 = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/7.txt"] with (format="txt", ignoreFirstRecord=True);
let MISPFeed2 = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/6.txt"] with (format="txt", ignoreFirstRecord=True);
let MISPFeed3 = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/8.txt"] with (format="txt", ignoreFirstRecord=True);
let MiraiFeed = externaldata(DestIP: string)[@"https://mirai.security.gives/data/ip_list.txt"] with (format="txt", ignoreFirstRecord=True);
let ProofPointFeed = externaldata(DestIP: string)[@"https://rules.emergingthreats.net/blockrules/compromised-ips.txt"] with (format="txt", ignoreFirstRecord=True);
let FeodoFeed = externaldata(Row: string)[@"https://feodotracker.abuse.ch/downloads/ipblocklist.csv"] with (format="txt", ignoreFirstRecord=True);
let DiamondFoxFeed = externaldata(Row: string)[@"https://raw.githubusercontent.com/pan-unit42/iocs/master/diamondfox/diamondfox_panels.txt"] with (format="txt", ignoreFirstRecord=True);
let CINFeed = externaldata(DestIP: string)[@"https://cinsscore.com/list/ci-badguys.txt"] with (format="txt", ignoreFirstRecord=True);
let blocklistdeFeed = externaldata(DestIP: string)[@"https://lists.blocklist.de/lists/all.txt"] with (format="txt", ignoreFirstRecord=True);
let C2IntelFeeds = externaldata(IP: string, ioc:string)[@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/IPC2s-30day.csv"] with (format="csv", ignoreFirstRecord=True);
let DigitalsideFeed = externaldata(DestIP: string)[@"https://osint.digitalside.it/Threat-Intel/lists/latestips.txt"] with (format="txt", ignoreFirstRecord=True);
let MontySecurityFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/all.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP1 = materialize (
MISPFeed1
| where DestIP matches regex IPRegex
| distinct DestIP
);
let MaliciousIP2 = materialize (
MISPFeed2
| where DestIP matches regex IPRegex
| distinct DestIP
);
let MaliciousIP3 = materialize (
MISPFeed3
| where DestIP matches regex IPRegex
| distinct DestIP
);
let MaliciousIP4 = materialize (
MiraiFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
let MaliciousIP5 = materialize (
ProofPointFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
let MaliciousIP6 = materialize (
FeodoFeed
| extend IP = extract(IPRegex, 0, Row)
| where isnotempty(IP)
| distinct IP
);
let MaliciousIP7 = materialize (
DiamondFoxFeed
| extend DomainOrIP = extract(@'//(.*?)/', 1, Row)
| extend DomainOrIPToLower = tolower(DomainOrIP)
| where DomainOrIPToLower matches regex IPRegex
| distinct DomainOrIP
);
let MaliciousIP8 = materialize (
CINFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
let MaliciousIP9 = materialize (
blocklistdeFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
let MaliciousIP10 = C2IntelFeeds
| project IP;
let MaliciousIP11 = materialize (
DigitalsideFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
let MaliciousIP12 = materialize (
MontySecurityFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
CommonSecurityLog
| extend rawlogs = split(AdditionalExtensions, ";")
| extend action = tostring(rawlogs[6])
| extend DeviceAction = extract("(.*?)#", 1, action)
| where SourceIP in (MaliciousIP1) or SourceIP in (MaliciousIP2) or SourceIP in (MaliciousIP3) or DestinationIP in (MaliciousIP1) or DestinationIP in (MaliciousIP2) or DestinationIP in (MaliciousIP3) or SourceIP in (MaliciousIP4) or SourceIP in (MaliciousIP5) or SourceIP in (MaliciousIP6) or SourceIP in (MaliciousIP7) or SourceIP in (MaliciousIP8) or SourceIP in (MaliciousIP9) or SourceIP in (MaliciousIP10) or SourceIP in (MaliciousIP11) or SourceIP in (MaliciousIP12)
| where DeviceAction == "allow"
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| summarize Total = count() by SourceIP, DeviceAction, DeviceProduct
| where Total >=10
| sort by Total