@alexverboon
Last active June 30, 2023 15:54

C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io

Feed URL: https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt — columns: IP, Date of Detection, Host, Protocol, Beacon Config, Comment

Inspiration: https://azurecloudai.blog/2021/08/12/how-to-use-threatview-io-threat-intelligence-feeds-with-azure-sentinel/

// C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io
// The feed is plain text, one CSV record per line; its own header line reads
// "#IP,Date of Detection,Host,Protocol,Beacon Config,Comment".
// NOTE(review): that header names six columns (indices 0-5), yet C2Beacon/Config/Comment
// below read data[4], data[5] and data[6] — confirm the live feed's column count. If it
// really has six, "Config" holds the comment and "Comment" is always empty.
// NOTE(review): "Date of Detection" is read with toint(); if the feed emits a date
// string, toint() yields null and Date carries nothing — todatetime() may be intended.
// Left unchanged here; Date is not used further down.
let C2Hunt = (
    externaldata(entry: string, values: dynamic)
        [@"https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt"]
        with (format="txt", ignoreFirstRecord=true)
    )
    // Belt and braces with ignoreFirstRecord: drop the "#"-prefixed header line.
    | where entry !startswith "#"
    | extend data = parse_csv(entry)
    | extend
        C2IP       = tostring(data[0]),
        Date       = toint(data[1]),
        C2Host     = tostring(data[2]),
        C2Protocol = tostring(data[3]),
        C2Beacon   = tostring(data[4]),
        Config     = tostring(data[5]),
        Comment    = tostring(data[6])
    | project-away ['data']
    // Blank/malformed records can never match a RemoteIP; drop them before the join.
    | where C2IP != "";
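// Correlate the feed against device network telemetry.
// kind=inner is stated explicitly: Kusto's default join flavour (innerunique) keeps only
// one arbitrary left-side row per key, so a C2 IP that appears in the feed more than once
// (several hosts or beacon configs) would silently lose rows in the output.
// A hit means the RemoteIP is in the feed as of query time; the feed's own detection date
// (C2Hunt.Date) is not compared against TimeGenerated, so validate timing when triaging.
C2Hunt
| join kind=inner (
    DeviceNetworkEvents
    // Rows without a RemoteIP cannot match; filtering here shrinks the join input.
    | where isnotempty(RemoteIP)
    // Uncomment to restrict to established connections. Blocked/failed attempts are
    // still useful during a hunt, which is why the filter is off by default.
    // | where ActionType == "ConnectionSuccess"
  ) on $left.C2IP == $right.RemoteIP
// Original columns first (unchanged order), then C2Protocol, RemotePort and ActionType
// so an analyst can see which port/outcome the feed's protocol hint corresponds to.
| project TimeGenerated, C2IP, RemoteIP, DeviceName, RemoteUrl, InitiatingProcessFileName,
          C2Beacon, C2Host, C2Protocol, RemotePort, ActionType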