@Shivammalaviya
Last active October 27, 2021 23:16
// Load the three CTU AIP blacklist CSV feeds and keep only the IP column.
let AIPBlacklist = externaldata(Number:string, IP:string, values:dynamic) [
    @"https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/Todays-Blacklists/AIP_blacklist_for_IPs_seen_last_24_hours.csv",
    @"https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/Todays-Blacklists/AIP_historical_blacklist_prioritized_by_newest_attackers.csv",
    @"https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/Todays-Blacklists/AIP_historical_blacklist_prioritized_by_repeated_attackers.csv"
]
with (format="csv", ignoreFirstRecord=true)
| where IP !startswith "#"   // skip comment lines in the feed
| project IP;
// Match the blacklist against Defender for Endpoint network events whose remote side is a listed IP.
// The default join kind (innerunique) collapses an IP that appears in more than one feed to a single key.
AIPBlacklist
| join (
    DeviceNetworkEvents
    | where ActionType in ("ConnectionSuccess", "InboundConnectionAccepted", "ConnectionFound")
) on $left.IP == $right.RemoteIP
| project Timestamp, LocalIP, RemoteIP, DeviceName, RemoteUrl, InitiatingProcessFileName, ActionType