Kusto ASN Table
Description
This dataset maps an IP address to the ASN number and ASN name of the network it belongs to.
Source
The excellent GeoLite2 ASN from MaxMind.
This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.
Why should I use this data?
It lets you track IP addresses across service providers, and investigate a provider's whole address space for specific details.
Updates
Daily at around 03:00 UTC. The upstream source data may not be refreshed as frequently.
Note on Previous Deprecation Notice
This dataset was set to be disabled on 1 July 2024 due to massive amounts of traffic (~1 TB per day), which was risking my standing with my hosting provider. I have since dual-hosted this dataset here and also on https://github.com/gypthecat/maxmind-kusto and redirected all Kusto-related downloads to GitHub, away from this site. This data will continue to remain available dependent on my standing with hosting providers.
If you are implementing this dataset in your functions please continue to use the Perma Link below.
Perma Link
https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip
Schema
| Column Name | Data Type | Notes |
|---|---|---|
CIDR | string | |
CIDRASN | int | |
CIDRASNName | string | |
CIDRSource | string | Always MaxMind |
Base Kusto Table
// Raw externaldata table over the permalink CSV; the header row is skipped.
// Columns follow the documented schema (CIDR, CIDRASN, CIDRASNName, CIDRSource).
// NOTE(review): the CSV is fetched from a third-party host at query time with no
// integrity check; mirror it into storage you control before relying on it in detections.
externaldata (
    CIDR:string,
    CIDRASN:int,
    CIDRASNName:string,
    CIDRSource:string
)
[
    'https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip'
]
with (ignoreFirstRecord=true)
Base Kusto Function
// Reusable binding of the ASN table, for use as a lookup source in other queries.
// Columns follow the documented schema (CIDR, CIDRASN, CIDRASNName, CIDRSource);
// the CSV header row is skipped via ignoreFirstRecord.
// NOTE(review): data is pulled from a third-party host at query time and is not
// integrity-checked; for production detections, mirror the file to storage you control.
let CIDRASN = (
    externaldata (
        CIDR:string,
        CIDRASN:int,
        CIDRASNName:string,
        CIDRSource:string
    )
    [
        'https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip'
    ]
    with (ignoreFirstRecord=true)
);
Self Contained Kusto
// Resolve the ASN and country for a hand-picked set of IP addresses.
// ASN table, pulled from the permalink CSV at query time (header row skipped).
// NOTE(review): third-party source with no integrity check; mirror it for production use.
let AsnTable = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string, CIDRSource:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
with (ignoreFirstRecord=true));
// Addresses to investigate.
let TargetAddresses = datatable(IpAddress:string) [
"1.1.1.1",
"8.8.8.8"
];
TargetAddresses
// return_unmatched=true keeps addresses that fall in no known prefix, so gaps are visible.
| evaluate ipv4_lookup(AsnTable, IpAddress, CIDR, return_unmatched=true)
// Built-in geo lookup; only the country field is kept.
| extend Country = tostring(geo_info_from_ip_address(IpAddress).country)
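// ASN POC
// Test randomly generated IP addresses against the ASN table.
//*** Variables start
let NumberOfIPsToTest = 100;
//*** Variables end
// Full 4-column schema, matching the documented CSV layout and the base table above.
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string, CIDRSource:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
with (ignoreFirstRecord=true));
// materialize() so the random addresses are generated once rather than re-evaluated per reference.
let IPsTesting = materialize(
range Position from 1 to (NumberOfIPsToTest) step 1 //Generate x random IP Addresses for testing
// rand(256) so the whole 0..255 octet range is reachable (rand(255) stops short of 255).
| extend IpAddress = strcat(toint(rand(256)), '.', toint(rand(256)), '.', toint(rand(256)), '.', toint(rand(256))));
IPsTesting
// return_unmatched=true keeps addresses with no ASN entry so coverage gaps are visible.
| evaluate ipv4_lookup(CIDRASN, IpAddress, CIDR, return_unmatched=true)
| order by Position asc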
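// Shows ASNs registered to specific names and shows geographical details
// *** Variables start
let NamesToSearch = dynamic(['Google', 'Alphabet']);
// *** Variables end
// Full 4-column schema, matching the documented CSV layout and the base table above.
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string, CIDRSource:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
with (ignoreFirstRecord=true));
let CIDRRanges = (externaldata (CIDRCountry:string, CIDR:string, CIDRCountryName:string, CIDRContinent:string, CIDRContinentName:string, CIDRSource:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-countries.csv.zip']
with (ignoreFirstRecord=true));
CIDRASN
// has_any is a term match, so 'Google' also matches e.g. 'GOOGLE-CLOUD'.
| where CIDRASNName has_any (NamesToSearch)
// Pick one host address inside each prefix (network address + 1) for the country lookup.
// parse_ipv4 accepts prefix notation and returns the network address as a long; a /32 is a
// single host, so it is used as-is. Doing the arithmetic on the numeric form avoids the
// string-octet approach, where a prefix ending in .255 produced an invalid ".256" address.
| extend PrefixLength = toint(split(CIDR, '/')[-1])
| extend ExampleIpAddress = format_ipv4(parse_ipv4(CIDR) + iff(PrefixLength >= 32, 0, 1))
| project-away PrefixLength
| evaluate ipv4_lookup(CIDRRanges, ExampleIpAddress, CIDR, return_unmatched=true)
// Drop the suffixed duplicate columns introduced by the lookup (e.g. CIDR1).
| project-away *1
| order by parse_ipv4(ExampleIpAddress) asc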
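// Which ASN owners have the most IP addresses?
// Full 4-column schema, matching the documented CSV layout and the base table above.
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string, CIDRSource:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
with (ignoreFirstRecord=true));
CIDRASN
| extend PrefixLength = toint(split(CIDR, '/')[-1])
// The 2^(32 - len) host count is only meaningful for IPv4 prefixes; drop rows that do not
// parse as IPv4 or carry an out-of-range length (malformed rows, or IPv6 entries should the
// file ever include them) rather than folding nonsense values into the totals.
| where isnotnull(parse_ipv4(CIDR)) and PrefixLength between (0 .. 32)
| extend NumberOfIPs = pow(2, 32 - PrefixLength)
| summarize TotalIPs = sum(NumberOfIPs) by CIDRASN, CIDRASNName
| order by TotalIPs desc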
MDE Example
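// What connections have we seen to a specified ASN?
// *** Variables start
let ASNOfInterest = 3214;
// *** Variables end
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string, CIDRSource:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip'] with (ignoreFirstRecord=true));
// Restrict the lookup table to the prefixes announced by the ASN of interest.
let CIDRASNOfInterest = CIDRASN
| where CIDRASN == ASNOfInterest;
DeviceNetworkEvents
// return_unmatched=false: only events whose RemoteIP falls inside one of the ASN's prefixes.
// NOTE(review): the prefix list is fetched from a third-party host at query time with no
// integrity check; for production hunting or detections, mirror the CSV into storage you
// control so a compromised or unavailable upstream cannot silently alter or empty these results.
| evaluate ipv4_lookup(CIDRASNOfInterest, RemoteIP, CIDR, return_unmatched=false)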
Sentinel & Azure Log Analytics Example
Coming soon.