@tuantmb
Forked from Shivammalaviya/Threat Hunting with AIP
Created October 27, 2021 23:16
// Build the blocklist from the three CTU AIP CSV feeds (24-hour list plus the two
// prioritized historical lists). Columns are Number, IP, values; the first record is
// skipped and "#" comment lines are dropped before projecting the IP column.
let AIPBlacklist = externaldata(Number:string, IP:string, values:dynamic) [
    @"https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/Todays-Blacklists/AIP_blacklist_for_IPs_seen_last_24_hours.csv",
    @"https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/Todays-Blacklists/AIP_historical_blacklist_prioritized_by_newest_attackers.csv",
    @"https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/Todays-Blacklists/AIP_historical_blacklist_prioritized_by_repeated_attackers.csv"
]
with (format="csv", ignoreFirstRecord=true)
| where IP !startswith "#"
| project IP;
// Join the blocklist against established or accepted connections in DeviceNetworkEvents
// on the remote address, then keep only the fields needed to triage a hit.
AIPBlacklist
| join (
    DeviceNetworkEvents
    | where ActionType in ("ConnectionSuccess", "InboundConnectionAccepted", "ConnectionFound")
) on $left.IP == $right.RemoteIP
| project Timestamp, LocalIP, RemoteIP, DeviceName, RemoteUrl, InitiatingProcessFileName, ActionType
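The same hunt expressed offline in Python, as an added example that is not part of the gist: it parses a constructed sample in the AIP CSV layout the query reads (comment lines starting with "#", then Number,IP,values), filters constructed DeviceNetworkEvents rows to the same ActionTypes, and joins on RemoteIP. The event rows, IPs and the helper names are assumptions for illustration.

```python
import csv
import io
from typing import Dict, Iterable, List, Set

# Constructed sample in the AIP blacklist layout (not real feed data):
# "#" comment lines, a header row, then Number,IP,values.
AIP_BLACKLIST_CSV = """# AIP blacklist (constructed sample)
Number,IP,values
1,203.0.113.10,"[0.9]"
2,198.51.100.7,"[0.4]"
"""

# Constructed (hypothetical) DeviceNetworkEvents rows with the columns the KQL projects.
DEVICE_NETWORK_EVENTS = [
    {"Timestamp": "2021-10-27T10:00:00Z", "LocalIP": "10.0.0.5", "RemoteIP": "203.0.113.10",
     "DeviceName": "ws01", "RemoteUrl": "", "InitiatingProcessFileName": "powershell.exe",
     "ActionType": "ConnectionSuccess"},                          # expected hit
    {"Timestamp": "2021-10-27T10:01:00Z", "LocalIP": "10.0.0.5", "RemoteIP": "203.0.113.10",
     "DeviceName": "ws01", "RemoteUrl": "", "InitiatingProcessFileName": "chrome.exe",
     "ActionType": "ConnectionFailed"},                           # dropped: ActionType not hunted
    {"Timestamp": "2021-10-27T10:02:00Z", "LocalIP": "10.0.0.6", "RemoteIP": "192.0.2.1",
     "DeviceName": "ws02", "RemoteUrl": "", "InitiatingProcessFileName": "svchost.exe",
     "ActionType": "InboundConnectionAccepted"},                  # dropped: not blocklisted
]

HUNT_ACTION_TYPES = {"ConnectionSuccess", "InboundConnectionAccepted", "ConnectionFound"}
PROJECTED = ["Timestamp", "LocalIP", "RemoteIP", "DeviceName", "RemoteUrl",
             "InitiatingProcessFileName", "ActionType"]


def load_aip_blacklist(*csv_texts: str) -> Set[str]:
    """Mirror of the externaldata(...) | where IP !startswith "#" | project IP step.

    The KQL skips the first record with ignoreFirstRecord and then drops "#" rows;
    here the comment rows are removed first and DictReader consumes the header."""
    ips: Set[str] = set()
    for text in csv_texts:
        rows = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
        for row in csv.DictReader(io.StringIO("\n".join(rows))):
            ips.add(row["IP"].strip())
    return ips


def hunt(events: Iterable[Dict[str, str]], blacklist: Set[str]) -> List[Dict[str, str]]:
    """Join events to the blocklist on RemoteIP, keeping only the hunted ActionTypes."""
    return [{k: e[k] for k in PROJECTED}
            for e in events
            if e["ActionType"] in HUNT_ACTION_TYPES and e["RemoteIP"] in blacklist]
```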