Kusto FireHOL Anonymous Table
Description
This data represents anonymising IP addresses, eg known VPNs and proxies.
Source
Taken from the firehol_anonymous publicly available IP set https://iplists.firehol.org/?ipset=firehol_anonymous
Why should I use this data?
This is a large data set which represents IP addresses which are using anonymising technologies to potentially mask actual source location or provide local MITM protection. It is a large dataset.
Updates
Daily at around 0300UTC. The source data may or may not be updated as regularly.
Perma Link
https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-anonymous.csv.zip
Schema
| Column Name | Data Type | Notes |
|---|---|---|
| Source | string | |
| CIDR | string |
Base Kusto Table
externaldata (Source:string, IpAddress:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-anonymous.csv.zip'] with (ignoreFirstRecord=true)
Base Kusto Function
let AnonymousIPs = externaldata (Source:string, IpAddress:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-anonymous.csv.zip'] with (ignoreFirstRecord=true);
Self Contained Kusto
// What ASNs have the most anonymous IPs?
let AnonymousIPs = (externaldata (Source:string, CIDR:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-anonymous.csv.zip']
with (ignoreFirstRecord=true));
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
with (ignoreFirstRecord=true));
AnonymousIPs
| extend ExampleIpAddress = iif(CIDR contains "/", strcat(substring(CIDR, 0, indexof(CIDR, ".", 0, -1, 3)), '.', split(split(CIDR, '.')[-1], '/')[0]+1), CIDR)
| extend NumberOfIPs = iif(CIDR contains "/", pow(2, 32 - toint(split(CIDR, '/')[-1])), 1.0)
| evaluate ipv4_lookup(CIDRASN, CIDR, CIDR, return_unmatched=true)
| summarize sum(NumberOfIPs) by CIDRASN, CIDRASNName
| order by sum_NumberOfIPs desc
// What ASNs have the most anonymous IPs?
let AnonymousIPs = (externaldata (CIDR:string, Source:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-anonymous.csv.zip'']
with (ignoreFirstRecord=true));
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
with (ignoreFirstRecord=true));
AnonymousIPs
| extend ExampleIpAddress = iif(CIDR contains "/", strcat(substring(CIDR, 0, indexof(CIDR, ".", 0, -1, 3)), '.', split(split(CIDR, '.')[-1], '/')[0]+1), CIDR)
| extend NumberOfIPs = iif(CIDR contains "/", pow(2, 32 - toint(split(CIDR, '/')[-1])), 1.0)
| evaluate ipv4_lookup(CIDRASN, CIDR, CIDR, return_unmatched=true)
| summarize sum(NumberOfIPs) by CIDRASN, CIDRASNName
| order by sum_NumberOfIPs desc
//Do another so you can copy and paste the Anonymous IP bit, ie have a query with evaluate ipv4_lookup(AnonymousIPs, IpAddress, CIDR, return_unmatched=true)
Microsoft 365 Defender Example
// Given AAD authentictaion events which ones came from anonymous IPs?
// Note AAD contains many mechanisms to protect against this kind of thing
let AnonymousIPs = externaldata (Source:string, CIDR:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-anonymous.csv.zip'] with (ignoreFirstRecord=true);
AADSignInEventsBeta
| where Timestamp > ago(6h)
| summarize by IPAddress
| evaluate ipv4_lookup(AnonymousIPs, IPAddress, CIDR, return_unmatched=false)
| join kind=leftouter (AADSignInEventsBeta | where Timestamp > ago(6h) ) on IPAddress
// What connections have we seen inbound from Anonymous IP addresses?
let AnonymousIPs = externaldata (IpAddress:string, Source:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-anonymous.csv.zip'] with (ignoreFirstRecord=true);
DeviceNetworkEvents
| where ActionType == 'InboundConnectionAccepted'
| where RemoteIPType == 'Public'
| summarize by RemoteIP
| evaluate ipv4_lookup(AnonymousIPs, RemoteIP, IpAddress, return_unmatched=false)
Sentinel & Azure Log Analytics Example
// Shows if any administrative activities have been from Anonymous IP addresses
let AnonymousIPs = externaldata (IpAddress:string, Source:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-anonymous.csv.zip'] with (ignoreFirstRecord=true);
AzureActivity
| evaluate ipv4_lookup(AnonymousIPs, CallerIpAddress, IpAddress, return_unmatched=false)