tuantmb/Threat Hunting with AIP

## Threat Hunting with AIP
let AIPBlacklist = externaldata(Number:string,IP: string,values:dynamic) [@"https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/Todays-Blacklists/AIP_blacklist_for_IPs_seen_last_24_hours.csv",
@"https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/Todays-Blacklists/AIP_historical_blacklist_prioritized_by_newest_attackers.csv",@"https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/Todays-Blacklists/AIP_historical_blacklist_prioritized_by_repeated_attackers.csv"]
with (format="csv",ignoreFirstRecord=true)
| where IP !startswith "#"
| project IP;
AIPBlacklist
| join (DeviceNetworkEvents
| where ActionType in ("ConnectionSuccess","InboundConnectionAccepted","ConnectionFound")
)
on $left.IP == $right.RemoteIP
| project Timestamp,LocalIP,RemoteIP,DeviceName,RemoteUrl, InitiatingProcessFileName,ActionType
	let AIPBlacklist = externaldata(Number:string,IP: string,values:dynamic) [@"https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/Todays-Blacklists/AIP_blacklist_for_IPs_seen_last_24_hours.csv",
	@"https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/Todays-Blacklists/AIP_historical_blacklist_prioritized_by_newest_attackers.csv",@"https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/Todays-Blacklists/AIP_historical_blacklist_prioritized_by_repeated_attackers.csv"]
	with (format="csv",ignoreFirstRecord=true)
	\| where IP !startswith "#"
	\| project IP;
	AIPBlacklist
	\| join (DeviceNetworkEvents
	\| where ActionType in ("ConnectionSuccess","InboundConnectionAccepted","ConnectionFound")
	)
	on $left.IP == $right.RemoteIP
	\| project Timestamp,LocalIP,RemoteIP,DeviceName,RemoteUrl, InitiatingProcessFileName,ActionType