Kusto FireHOL Data Center Table
Description
This data represents address blocks for data centers and data processing ranges.
Source
Taken from the publicly available FireHOL datacenters IP set: https://iplists.firehol.org/?ipset=datacenters
Why should I use this data?
This data set contains IP ranges from which activity is unlikely to be normal user activity. Combined with ASN or geographical data, it can provide additional useful insights.
Updates
Daily at around 03:00 UTC. The source data may or may not be updated as regularly.
Permalink
https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-datacenters.csv.zip
Schema
| Column Name | Data Type | Notes |
|---|---|---|
| CIDR | string | Address block in CIDR notation |
| Source | string | Always firehol.org |
Base Kusto Table
```kusto
externaldata (CIDR:string, Source:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-datacenters.csv.zip'] with (ignoreFirstRecord=true)
```
Base Kusto Function
```kusto
let DataCenters = externaldata (CIDR:string, Source:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-datacenters.csv.zip'] with (ignoreFirstRecord=true);
```
Self Contained Kusto
```kusto
// Are a list of given IP addresses in data centers?
let DataCenters = externaldata (CIDR:string, DataCenterSource:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-datacenters.csv.zip'] with (ignoreFirstRecord=true);
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string, Source:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip'] with (ignoreFirstRecord=true));
let DataCentersComplete = DataCenters
| evaluate ipv4_lookup(CIDRASN, CIDR, CIDR, return_unmatched=true)
// Generate a single host address (network address + 1) rather than the network address itself,
// so the geo lookup below has a concrete IP to work with. The last octet is extracted as text,
// so it is converted to an integer explicitly before the +1.
| extend ExampleIpAddress = strcat(substring(CIDR, 0, indexof(CIDR, ".", 0, -1, 3)), '.', toint(tostring(split(tostring(split(CIDR, '.')[-1]), '/')[0])) + 1)
| extend Country = tostring(geo_info_from_ip_address(ExampleIpAddress)['country'])
| extend CIDRASN = coalesce(CIDRASNName, 'Unknown Data Center');
let IPsOfInterest = datatable(IpAddress:string) [
'3.1.1.1', // Random IP addresses I've picked for demo purposes only; they do not mean anything at all
'104.208.1.1',
'107.248.1.1'
];
IPsOfInterest
| evaluate ipv4_lookup(DataCentersComplete, IpAddress, CIDR, return_unmatched=true)
```
Microsoft 365 Defender Example
```kusto
// What Entra ID logons have we seen from Data Center locations?
let DataCenters = externaldata (CIDR:string, Source:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-datacenters.csv.zip'] with (ignoreFirstRecord=true);
let IPAddressesOfInterest = materialize( AADSignInEventsBeta
| summarize by IPAddress
| where IPAddress has '.' // IPv4 only; ipv4_lookup does not match IPv6 addresses
| evaluate ipv4_lookup(DataCenters, IPAddress, CIDR)
| distinct IPAddress); // a single string column, so it can be used directly with the 'in' operator
AADSignInEventsBeta
| where IPAddress in (IPAddressesOfInterest)
```
```kusto
// What logons have we seen from FireHOL anonymous IPs?
let AnonymousIPs = externaldata (Source:string, IpAddress:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-anonymous.csv.zip'] with (ignoreFirstRecord=true);
IdentityLogonEvents
| summarize by IPAddress
| evaluate ipv4_lookup(AnonymousIPs, IPAddress, IpAddress, return_unmatched=false)
| join kind=leftouter (IdentityLogonEvents) on IPAddress
| where ActionType == 'LogonSuccess'
```
Sentinel & Azure Log Analytics Example
Coming soon.
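A Microsoft Sentinel version of the Defender query above, added here as an example and not part of the original page or the list maintainer's own queries. It assumes the SigninLogs table from the standard Entra ID connector (TimeGenerated, IPAddress, UserPrincipalName, AppDisplayName, ResultType columns) and keeps only IPv4 sign-ins whose source address falls inside a data center range, summarised per IP so a single noisy range is easy to spot.

```kusto
// Which Entra ID sign-ins in Microsoft Sentinel came from data center ranges?
// Lookup table from this page; SigninLogs column names assumed from the standard Entra ID connector.
let DataCenters = externaldata (CIDR:string, Source:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-datacenters.csv.zip'] with (ignoreFirstRecord=true);
SigninLogs
| where TimeGenerated > ago(1d)
| where IPAddress has '.' // IPv4 only; ipv4_lookup does not match IPv6 addresses
| summarize SignIns = count(),
            Failed = countif(ResultType != '0'), // ResultType '0' is a successful sign-in
            Users = make_set(UserPrincipalName, 25),
            Apps = make_set(AppDisplayName, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IPAddress
| evaluate ipv4_lookup(DataCenters, IPAddress, CIDR) // default return_unmatched=false: keep only IPs inside a listed range
| project FirstSeen, LastSeen, IPAddress, CIDR, Source, SignIns, Failed, Users, Apps
| order by SignIns desc
```

Ranges belonging to services your tenant legitimately uses (for example known automation or monitoring hosts) will appear here too, so compare the matched CIDRs against the ASN data before treating a hit as suspicious.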