Kusto Bogon Networks Table


This dataset contains non publicly routable IP ranges, eg the RFC1918 ranges.


From the very awesome IETF, IANA and RIR.

Why should I use this data?

It can be used to further enhance other data enrichment methods and represents IP ranges which may be of interest if their existence is unexpected. It may be that in some Kusto environments (eg MDE) this data may natively exist and may not be necessary.


This file is statically generated and will be updated if/as required.



Column Name Data Type Notes
CIDR string
CIDRASNName string

Base Kusto Table

externaldata (CIDR:string, CIDRASNName:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-bogon.csv.zip'] with (ignoreFirstRecord=true)

Base Kusto Function

let CIDRBogon = externaldata (CIDR:string, CIDRASNName:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-bogon.csv.zip'] with (ignoreFirstRecord=true);

Self Contained Kusto

// Which Bogon addresses have the most IPs?
let CIDRBogon = (externaldata (CIDR:string, CIDRASNName:string)
with (ignoreFirstRecord=true));
| extend NumberOfIPs = pow(2, 32 - toint(split(CIDR, '/')[-1]))
| order by NumberOfIPs desc

// Checkes if an IP address is in a Bogon space
//*** Variables start
let NumberOfIPsToTest = 100;
//*** Variables end
let CIDRBogon = (externaldata (CIDR:string, CIDRASNName:string)
with (ignoreFirstRecord=true));
let IPsTesting = materialize(
range Position from 1 to (NumberOfIPsToTest) step 1 //Generate x random IP Addresses for testing
| extend IpAddress = strcat(toint(rand(255)), '.', toint(rand(255)), '.', toint(rand(255)), '.', toint(rand(255))));
| evaluate ipv4_lookup(CIDRBogon, IpAddress, CIDR, return_unmatched=true)
| extend IsBogon = iif(CIDRASNName startswith 'IETF', true, false)

MDE Example

Coming soon. But this may not be necessary since this data is included in MDE tables by default.

Sentinel & Azure Log Analytics Example

// What logon events have we seen from non-Bogon networks, ie authentications over the internet
let CIDRBogon = (externaldata (CIDR:string, CIDRASNName:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-bogon.csv.zip'] with (ignoreFirstRecord=true));
| where EventID == 4624
| where IpAddress has '.' //Exclude IPv6
| evaluate ipv4_lookup(CIDRBogon, IpAddress, CIDR, return_unmatched=true)
| where isnotempty(CIDRASNName)
| summarize count() by IpAddress