This project takes ASN and geographic IP data from MaxMind daily and formats it in a way that is useful and appropriate for Microsoft KQL/Kusto applications. It then hosts these external data tables on GitHub for public use. Appropriate products include Microsoft Defender for Endpoint, Microsoft Sentinel, Azure Monitor, Azure Log Analytics and Azure Data Explorer.
Output data and generation code are provided under the Creative Commons Attribution-ShareAlike 4.0 International License.
This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.
Allows IP addresses to be tracked across service providers, and a provider's whole address space to be investigated for specific details.
https://github.com/gypthecat/maxmind-kusto/releases/tag/daily-run
https://github.com/gypthecat/maxmind-kusto/releases/download/daily-run/kusto-cidr-asn.csv.zip
https://github.com/gypthecat/maxmind-kusto/releases/download/daily-run/kusto-cidr-asn.parquet
https://github.com/gypthecat/maxmind-kusto/releases/download/daily-run/kusto-cidr-asn-ipv6.csv.zip
https://github.com/gypthecat/maxmind-kusto/releases/download/daily-run/kusto-cidr-asn-ipv6.parquet
https://github.com/gypthecat/maxmind-kusto/releases/download/daily-run/kusto-cidr-countries.csv.zip
https://github.com/gypthecat/maxmind-kusto/releases/download/daily-run/kusto-cidr-countries.parquet
ASN table (kusto-cidr-asn):

Column Name | Data Type | Notes |
---|---|---|
CIDR | string | |
CIDRASN | int | |
CIDRASNName | string | |
CIDRSource | string | Always MaxMind |
Country table (kusto-cidr-countries):

Column Name | Data Type | Notes |
---|---|---|
CIDRCountry | string | |
CIDR | string | |
CIDRCountryName | string | |
CIDRContinent | string | |
CIDRContinentName | string | |
CIDRSource | string | Always MaxMind |
```kql
// ASN table
externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string, CIDRSource:string) ['https://github.com/gypthecat/maxmind-kusto/releases/download/daily-run/kusto-cidr-asn.csv.zip'] with (ignoreFirstRecord=true)
// Country table
externaldata (CIDRCountry:string, CIDR:string, CIDRCountryName:string, CIDRContinent:string, CIDRContinentName:string, CIDRSource:string) ['https://github.com/gypthecat/maxmind-kusto/releases/download/daily-run/kusto-cidr-countries.csv.zip'] with (ignoreFirstRecord=true)
```
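The usual way to consume these tables from a Sentinel workspace is to join event data to them with the `ipv4_lookup` plugin. The query below is an added example (not part of this project's README) that enriches successful Entra ID sign-ins with the ASN owner and country of the source address and summarises them by provider, which makes sign-ins from unexpected hosting providers or countries easy to spot. It assumes the Sentinel `SigninLogs` table with its `IPAddress`, `ResultType` and `UserPrincipalName` columns is present; the one-day window is a constructed choice.

```kql
// Added example: enrich successful sign-ins with ASN owner and country.
// Assumes the Sentinel SigninLogs table (Entra ID sign-in logs) exists.
let ASNBlocks = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string, CIDRSource:string)
    ['https://github.com/gypthecat/maxmind-kusto/releases/download/daily-run/kusto-cidr-asn.csv.zip']
    with (ignoreFirstRecord=true));
let CountryBlocks = (externaldata (CIDRCountry:string, CIDR:string, CIDRCountryName:string, CIDRContinent:string, CIDRContinentName:string, CIDRSource:string)
    ['https://github.com/gypthecat/maxmind-kusto/releases/download/daily-run/kusto-cidr-countries.csv.zip']
    with (ignoreFirstRecord=true));
SigninLogs
| where TimeGenerated > ago(1d)              // constructed window
| where ResultType == "0"                     // "0" is a successful sign-in
| project TimeGenerated, UserPrincipalName, IPAddress
// Match each IPAddress to the ASN block whose range contains it. Addresses with
// no matching block (including IPv6) are dropped because return_unmatched defaults to false.
| evaluate ipv4_lookup(ASNBlocks, IPAddress, CIDR)
| project-rename ASN = CIDRASN, ASNName = CIDRASNName
| project-away CIDR, CIDRSource               // avoid column clashes with the second lookup
| evaluate ipv4_lookup(CountryBlocks, IPAddress, CIDR)
| summarize SignIns = count(), Users = dcount(UserPrincipalName),
            SampleUsers = make_set(UserPrincipalName, 5)
    by ASN, ASNName, Country = CIDRCountryName
| order by SignIns desc
```

Because the tables are fetched over HTTPS on every run, wrap the two `externaldata` calls in a saved function (or materialize them) if the query is scheduled as an analytics rule, so the zip is not downloaded once per rule execution more than necessary.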
```kql
// Which ASN Owners have the most IP addresses?
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string, CIDRSource:string) ['https://github.com/gypthecat/maxmind-kusto/releases/download/daily-run/kusto-cidr-asn.csv.zip'] with (ignoreFirstRecord=true));
CIDRASN
| extend NumberOfIPs = pow(2, 32 - toint(split(CIDR, '/')[-1]))
| summarize TotalIPs = sum(NumberOfIPs) by CIDRASN, CIDRASNName
| order by TotalIPs desc
```
```kql
// Comparing inbuilt Kusto geo functions and external records, what is the delta?
// Note: This just helps clarify the difficulties in using such threat intelligence
// Note: If CIDR blocks have been split these won't necessarily be picked up
// Country table; the column list must match the countries file, not the ASN file
externaldata (CIDRCountry:string, CIDR:string, CIDRCountryName:string, CIDRContinent:string, CIDRContinentName:string, CIDRSource:string) ['https://github.com/gypthecat/maxmind-kusto/releases/download/daily-run/kusto-cidr-countries.csv.zip'] with (ignoreFirstRecord=true)
| extend IndicativeIpAddress = tostring(split(CIDR, '/')[0])
// geo_info_from_ip_address returns a dynamic bag; take the country as a string so it compares cleanly
| extend CountryName = tostring(geo_info_from_ip_address(IndicativeIpAddress).country)
| where CIDRCountryName !in ('IETF', '') and CountryName !in ('') and CIDRCountryName != CountryName
| extend NumberOfIPs = pow(2, 32 - toint(split(CIDR, '/')[-1]))
| extend Countries = bag_pack("Countries", array_sort_asc(pack_array(CIDRCountryName, CountryName)))
| summarize NumberOfIPs = sum(NumberOfIPs) by tostring(Countries)
| render piechart
```
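The ASN table also supports the second use case described above, pivoting from a single address to the provider's whole address space. The query below is an added example (not from this project) that finds the block containing a given address, takes its ASN number, and then lists every block and the total address count announced under that ASN. `SuspectIP` is a constructed placeholder from the TEST-NET-3 documentation range and is not present in MaxMind data; replace it with the address under investigation.

```kql
// Added example: pivot from one address to the whole address space of its ASN.
let SuspectIP = "203.0.113.45";   // constructed placeholder (TEST-NET-3); replace with a real address
let ASNBlocks = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string, CIDRSource:string)
    ['https://github.com/gypthecat/maxmind-kusto/releases/download/daily-run/kusto-cidr-asn.csv.zip']
    with (ignoreFirstRecord=true));
// ASN number of the block that contains SuspectIP (null if no block matches)
let OwnerASN = toscalar(
    ASNBlocks
    | where ipv4_is_in_range(SuspectIP, CIDR)
    | project CIDRASN
    | take 1);
ASNBlocks
| where CIDRASN == OwnerASN
| extend NumberOfIPs = pow(2, 32 - toint(split(CIDR, '/')[-1]))
| summarize Blocks = count(), TotalIPs = sum(NumberOfIPs), Ranges = make_list(CIDR)
    by CIDRASN, CIDRASNName
```

If the address is not covered by any block in the daily snapshot, `OwnerASN` is null and the query returns no rows rather than an error, so an empty result means "not in MaxMind", not "no blocks for this ASN".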
Instructions coming soon. //Taking a little longer than expected, apologies for that.
This dataset is simultaneously hosted on https://firewalliplists.gypthecat.com.
#MicrosoftEmployee, yet all code, regardless of quality and suitability, is entirely on me; comments and verbiage are entirely my own, as a personal pet project.