Kusto FireHOL Anonymous Table

Description


This data represents anonymising IP addresses, eg known VPNs and proxies.

Source


Taken from the firehol_anonymous publicly available IP set https://iplists.firehol.org/?ipset=firehol_anonymous

Why should I use this data?


This is a large data set which represents IP addresses which are using anonymising technologies to potentially mask actual source location or provide local MITM protection. It is a large dataset.

Updates


Daily at around 0300UTC. The source data may or may not be updated as regularly.


https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-anonymous.csv.zip

Schema


Column Name Data Type Notes
Source string
CIDR string

Base Kusto Table


externaldata (Source:string, IpAddress:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-anonymous.csv.zip'] with (ignoreFirstRecord=true)

Base Kusto Function


let AnonymousIPs = externaldata (Source:string, IpAddress:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-anonymous.csv.zip'] with (ignoreFirstRecord=true);

Self Contained Kusto



// What ASNs have the most anonymous IPs?
let AnonymousIPs = (externaldata (Source:string, CIDR:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-anonymous.csv.zip']
with (ignoreFirstRecord=true));
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
with (ignoreFirstRecord=true));
AnonymousIPs
| extend ExampleIpAddress = iif(CIDR contains "/", strcat(substring(CIDR, 0, indexof(CIDR, ".", 0, -1, 3)), '.', split(split(CIDR, '.')[-1], '/')[0]+1), CIDR)
| extend NumberOfIPs = iif(CIDR contains "/", pow(2, 32 - toint(split(CIDR, '/')[-1])), 1.0)
| evaluate ipv4_lookup(CIDRASN, CIDR, CIDR, return_unmatched=true)
| summarize sum(NumberOfIPs) by CIDRASN, CIDRASNName
| order by sum_NumberOfIPs desc 


// What ASNs have the most anonymous IPs?
let AnonymousIPs = (externaldata (CIDR:string, Source:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-anonymous.csv.zip']
with (ignoreFirstRecord=true));
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
with (ignoreFirstRecord=true));
AnonymousIPs
| extend ExampleIpAddress = iif(CIDR contains "/", strcat(substring(CIDR, 0, indexof(CIDR, ".", 0, -1, 3)), '.', split(split(CIDR, '.')[-1], '/')[0]+1), CIDR)
| extend NumberOfIPs = iif(CIDR contains "/", pow(2, 32 - toint(split(CIDR, '/')[-1])), 1.0)
| evaluate ipv4_lookup(CIDRASN, CIDR, CIDR, return_unmatched=true)
| summarize sum(NumberOfIPs) by CIDRASN, CIDRASNName
| order by sum_NumberOfIPs desc 


//Do another so you can copy and paste the Anonymous IP bit, ie have a query with evaluate ipv4_lookup(AnonymousIPs, IpAddress, CIDR, return_unmatched=true)

Microsoft 365 Defender Example



// Given AAD authentictaion events which ones came from anonymous IPs?
// Note AAD contains many mechanisms to protect against this kind of thing
let AnonymousIPs = externaldata (Source:string, CIDR:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-anonymous.csv.zip'] with (ignoreFirstRecord=true);
AADSignInEventsBeta
| where Timestamp > ago(6h)
| summarize by IPAddress
| evaluate ipv4_lookup(AnonymousIPs, IPAddress, CIDR, return_unmatched=false)
| join kind=leftouter (AADSignInEventsBeta | where Timestamp > ago(6h) ) on IPAddress


// What connections have we seen inbound from Anonymous IP addresses?
let AnonymousIPs = externaldata (IpAddress:string, Source:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-anonymous.csv.zip'] with (ignoreFirstRecord=true);
DeviceNetworkEvents
| where ActionType == 'InboundConnectionAccepted'
| where RemoteIPType == 'Public'
| summarize by RemoteIP
| evaluate ipv4_lookup(AnonymousIPs, RemoteIP, IpAddress, return_unmatched=false)

Sentinel & Azure Log Analytics Example



// Shows if any administrative activities have been from Anonymous IP addresses
let AnonymousIPs = externaldata (IpAddress:string, Source:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-anonymous.csv.zip'] with (ignoreFirstRecord=true);
AzureActivity
| evaluate ipv4_lookup(AnonymousIPs, CallerIpAddress, IpAddress, return_unmatched=false)