Kusto Bogon Networks Table
Description
This dataset contains non-publicly routable IP ranges, e.g. the RFC1918 private ranges.
Source
From the very awesome IETF, IANA and the RIRs.
Why should I use this data?
It can be used alongside other data enrichment methods and represents IP ranges that may be of interest where their presence in logs is unexpected. Some Kusto environments (e.g. MDE) may already carry this data natively, in which case this table may not be necessary.
Updates
This file is statically generated and will be updated if/as required.
Perma Link
https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-bogon.csv.zip
Schema
Column Name | Data Type | Notes |
---|---|---|
CIDR | string | |
CIDRASNName | string | |
Base Kusto Table
externaldata (CIDR:string, CIDRASNName:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-bogon.csv.zip'] with (ignoreFirstRecord=true)
Base Kusto Function
let CIDRBogon = externaldata (CIDR:string, CIDRASNName:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-bogon.csv.zip'] with (ignoreFirstRecord=true);
Self Contained Kusto
// Which Bogon addresses have the most IPs?
let CIDRBogon = (externaldata (CIDR:string, CIDRASNName:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-bogon.csv.zip']
with (ignoreFirstRecord=true));
CIDRBogon
| extend NumberOfIPs = pow(2, 32 - toint(split(CIDR, '/')[-1]))
| order by NumberOfIPs desc
// Checks if an IP address is in a Bogon space
//*** Variables start
let NumberOfIPsToTest = 100;
//*** Variables end
let CIDRBogon = (externaldata (CIDR:string, CIDRASNName:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-bogon.csv.zip']
with (ignoreFirstRecord=true));
let IPsTesting = materialize(
range Position from 1 to (NumberOfIPsToTest) step 1 //Generate x random IP Addresses for testing
| extend IpAddress = strcat(toint(rand(255)), '.', toint(rand(255)), '.', toint(rand(255)), '.', toint(rand(255))));
IPsTesting
| evaluate ipv4_lookup(CIDRBogon, IpAddress, CIDR, return_unmatched=true)
| extend IsBogon = iif(CIDRASNName startswith 'IETF', true, false)
MDE Example
Coming soon. But this may not be necessary since this data is included in MDE tables by default.
Sentinel & Azure Log Analytics Example
// What logon events have we seen from non-Bogon networks, ie authentications over the internet
let CIDRBogon = (externaldata (CIDR:string, CIDRASNName:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-bogon.csv.zip'] with (ignoreFirstRecord=true));
SecurityEvent
| where EventID == 4624
| where IpAddress contains '.' //Exclude IPv6 ('has' matches whole terms, so a lone '.' is not a reliable test)
| evaluate ipv4_lookup(CIDRBogon, IpAddress, CIDR, return_unmatched=true)
| where isempty(CIDRASNName) //Unmatched rows have an empty CIDRASNName, ie the address is not in a Bogon range
| summarize count() by IpAddress
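The two queries above (the self-contained Bogon check and the Sentinel logon example) both rely on the semantics of `ipv4_lookup` with `return_unmatched=true`: matched rows carry the `CIDR` and `CIDRASNName` columns, unmatched rows carry them empty. The following Python is an added example, not part of this project, that reproduces that lookup offline over a handful of constructed rows in the same `CIDR,CIDRASNName` schema (the names and ranges are made up for the example and are not the real list contents), so the matched/unmatched filtering and the IPv6 exclusion can be checked before the same logic is used in Kusto.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the page's schema (CIDR, CIDRASNName).
# These are NOT the real list contents; the header row mirrors ignoreFirstRecord=true.
SAMPLE_CSV = """CIDR,CIDRASNName
10.0.0.0/8,IETF Private Use (RFC1918)
172.16.0.0/12,IETF Private Use (RFC1918)
192.168.0.0/16,IETF Private Use (RFC1918)
127.0.0.0/8,IETF Loopback
169.254.0.0/16,IETF Link Local
100.64.0.0/10,IETF Shared Address Space
203.0.113.0/24,IETF Documentation (TEST-NET-3)
"""


def load_bogon_table(csv_text):
    """Parse the CSV into a list of (network, CIDRASNName), skipping the header row."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(row["CIDR"], strict=False)
        rows.append((net, row["CIDRASNName"]))
    # Most specific prefix first, so an overlapping narrower range wins.
    rows.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rows


def number_of_ips(cidr):
    """Same value as pow(2, 32 - prefix) in the 'Self Contained Kusto' query."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def ipv4_lookup(table, ip_text, return_unmatched=True):
    """Mimic ipv4_lookup(): (CIDR, CIDRASNName) for a matching row.

    Unmatched rows come back as (None, None) when return_unmatched is True
    (the empty columns Kusto returns), or are dropped (None) otherwise.
    Non-IPv4 input is dropped, matching the IPv6 exclusion in the query.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if ip.version != 4:
        return None
    for net, name in table:
        if ip in net:
            return (str(net), name)
    return (None, None) if return_unmatched else None


def classify_logons(table, events):
    """Split logon events (dicts with an IpAddress key) into Bogon and internet sources.

    Returns two dicts of IpAddress -> count, like 'summarize count() by IpAddress'
    run once over the matched rows and once over the unmatched rows.
    """
    bogon, internet = {}, {}
    for ev in events:
        hit = ipv4_lookup(table, ev["IpAddress"])
        if hit is None:  # IPv6 or garbage, excluded before the lookup
            continue
        _cidr, name = hit
        bucket = bogon if name else internet
        bucket[ev["IpAddress"]] = bucket.get(ev["IpAddress"], 0) + 1
    return bogon, internet


if __name__ == "__main__":
    table = load_bogon_table(SAMPLE_CSV)
    # Constructed 4624-style events; the addresses are chosen only to exercise each branch.
    events = [
        {"IpAddress": "10.1.2.3"},
        {"IpAddress": "10.1.2.3"},
        {"IpAddress": "8.8.8.8"},
        {"IpAddress": "fe80::1"},
    ]
    from_bogon, from_internet = classify_logons(table, events)
    print("Bogon sources:", from_bogon)
    print("Internet sources:", from_internet)
```

The `classify_logons` split is the point of the Sentinel query: an `IsBogon`-style flag is simply "the lookup returned a non-empty `CIDRASNName`", and the internet-facing logons are the rows the lookup left empty.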