Kusto ASN Table
Description
This data gives the ASN number and ASN name for any given IP address.
Source
The excellent GeoLite2 ASN from MaxMind.
This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.
Why should I use this data?
Allows IP addresses to be tracked across service providers, and the whole address space to be investigated for specific details.
Updates
Daily at around 03:00 UTC. The source data may not be updated as regularly.
Perma Link
https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip
Schema
Column Name | Data Type | Notes |
---|---|---|
CIDR | string | |
CIDRASN | int | |
CIDRASNName | string | |
CIDRSource | string | |
Base Kusto Table
// External table over the daily ASN list; the four columns match the Schema table above.
// ignoreFirstRecord=true skips the CSV header row. The file is fetched from a third-party
// host at query time, so results depend on that host and its content being available;
// mirror it into storage you control if a production detection relies on it.
externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string, CIDRSource:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip'] with (ignoreFirstRecord=true)
Base Kusto Function
// The same external table bound to a name, so later operators (and other let statements)
// can reference it as CIDRASN; ignoreFirstRecord=true skips the CSV header row.
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string, CIDRSource:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip'] with (ignoreFirstRecord=true));
Self Contained Kusto
// ASN POC
// Test randomly generated IP addresses
// Looks up NumberOfIPsToTest random IPv4 addresses against the ASN list. With
// return_unmatched=true, addresses that fall in no listed CIDR are kept with null ASN
// columns - expected for ranges the list does not cover (presumably private/reserved space).
//*** Variables start
let NumberOfIPsToTest = 100;
//*** Variables end
// Only three of the four CSV columns are declared here (CIDRSource is omitted).
// NOTE(review): confirm externaldata tolerates the extra trailing field, or declare
// CIDRSource as the Base Kusto Table above does.
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
with (ignoreFirstRecord=true));
// materialize caches the random set so it is generated once.
let IPsTesting = materialize(
range Position from 1 to (NumberOfIPsToTest) step 1 //Generate x random IP Addresses for testing
| extend IpAddress = strcat(toint(rand(255)), '.', toint(rand(255)), '.', toint(rand(255)), '.', toint(rand(255)))); // rand(255) is [0, 255), so each octet is 0..254 - presumably acceptable for a POC
IPsTesting
| evaluate ipv4_lookup(CIDRASN, IpAddress, CIDR, return_unmatched=true)
| order by Position asc
// Shows ASN registered to specific names and shows geographical details
// Finds every CIDR whose ASN name contains any of NamesToSearch, derives one host address
// inside each block, and looks that address up in the country/continent list.
// *** Variables start
let NamesToSearch = dynamic(['Google', 'Alphabet']); // has_any matches these as case-insensitive terms
// *** Variables end
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
with (ignoreFirstRecord=true));
// Country list for the geo lookup. Its CIDR column has the same name as CIDRASN's, so the
// lookup output presumably carries it as CIDR1 - hence the project-away *1 below.
let CIDRRanges = (externaldata (CIDRCountry:string, CIDR:string, CIDRCountryName:string, CIDRContinent:string, CIDRContinentName:string, CIDRSource:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-countries.csv.zip']
with (ignoreFirstRecord=true));
CIDRASN
| where CIDRASNName has_any (NamesToSearch)
| extend ExampleIpAddress = strcat(substring(CIDR, 0, indexof(CIDR, ".", 0, -1, 3)), '.', split(split(CIDR, '.')[-1], '/')[0]+1) //Generate a single IP address not a Network Address
// NOTE(review): the last octet is taken from a dynamic string and incremented. For a /32 the
// +1 leaves the block (and overflows to an invalid .256 when the host ends in .255), so
// those rows will not match; verify against the list, or derive the address with
// format_ipv4(parse_ipv4(CIDR) + 1), which carries across octets.
| evaluate ipv4_lookup(CIDRRanges, ExampleIpAddress, CIDR, return_unmatched=true)
| project-away *1 // drop the suffixed duplicate columns produced by the lookup
| order by parse_ipv4(ExampleIpAddress) asc // numeric address order rather than string order
// Which ASN Owners have the most IP address?
// Sizes each CIDR from its prefix length (2^(32 - prefix)) and totals the sizes per ASN.
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
with (ignoreFirstRecord=true));
CIDRASN
| extend NumberOfIPs = pow(2, 32 - toint(split(CIDR, '/')[-1])) // NOTE(review): assumes every row is an IPv4 CIDR with a '/prefix'; a row without one gives null here (ignored by sum) and an IPv6 prefix would be sized wrongly - confirm the list content
| summarize TotalIPs = sum(NumberOfIPs) by CIDRASN, CIDRASNName // nested prefixes, if the list has any, are counted more than once
| order by TotalIPs desc
MDE Example
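// What connections have we seen to a specified ASN?
// Matches the RemoteIP of each network event against the CIDRs registered to one ASN.
// The ASN and the lookback window are variables, following the pattern of the queries above,
// and the lookback bounds the DeviceNetworkEvents scan instead of leaving it open-ended.
// *** Variables start
let ASNOfInterest = 3214;   // the ASN to search for
let LookbackPeriod = 7d;    // how far back to scan DeviceNetworkEvents
// *** Variables end
// ASN list fetched from a third-party host at query time; mirror it into storage you control
// if this is promoted from an example to a production detection.
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string, CIDRSource:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip'] with (ignoreFirstRecord=true));
let CIDRASNOfInterest = CIDRASN
| where CIDRASN == ASNOfInterest;
DeviceNetworkEvents
| where Timestamp > ago(LookbackPeriod)
// return_unmatched=false keeps only events whose RemoteIP falls inside the ASN's CIDRs;
// events with an empty or non-IPv4 RemoteIP are therefore dropped as well.
| evaluate ipv4_lookup(CIDRASNOfInterest, RemoteIP, CIDR, return_unmatched=false)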
Sentinel & Azure Log Analytics Example
Coming soon.