Kusto FireHOL Data Center Table

Description


This data set lists the address blocks allocated to data centers and data-processing ranges, i.e. hosting infrastructure rather than end-user access networks.

Source


Taken from FireHOL's publicly available "datacenters" IP set: https://iplists.firehol.org/?ipset=datacenters

Why should I use this data?


This data set contains IP ranges from which activity is unlikely to be normal end-user activity. Combined with ASN or geographical data, it can provide additional useful context for investigations and detections.

Updates


Daily at around 03:00 UTC. The upstream source data may or may not be updated as regularly.


https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-datacenters.csv.zip

Schema


Base Kusto Table


externaldata (CIDR:string, Source:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-datacenters.csv.zip'] with (ignoreFirstRecord=true)

Base Kusto Function


let DataCenters = externaldata (CIDR:string, Source:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-datacenters.csv.zip'] with (ignoreFirstRecord=true);
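Before building lookups on the feed it is worth checking that the download is intact and understanding how much address space it flags. The query below is an added example and is not part of the original page; only the externaldata definition is taken from the page. It summarises the ranges per Source, counts rows that do not parse as an IPv4 CIDR (parse_ipv4 accepts "a.b.c.d/n" notation and returns null on malformed input), and estimates how broad the flagged space is per source. A sudden drop in the row count or a non-zero malformed count is a sign that the feed is broken or truncated.

```kusto
// Added example: feed health check for the FireHOL data center list (not from the original page).
let DataCenters = externaldata (CIDR:string, Source:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-datacenters.csv.zip'] with (ignoreFirstRecord=true);
DataCenters
| extend PrefixLength = coalesce(toint(split(CIDR, '/')[1]), 32)   // bare addresses without "/n" count as /32
| extend IsValidCidr = isnotnull(parse_ipv4(CIDR))                 // null means the row is not a usable IPv4 CIDR
| summarize Ranges = count(),
            Malformed = countif(not(IsValidCidr)),
            BroadestPrefix = min(PrefixLength),                    // e.g. 8 means an entire /8 is flagged
            RangesWiderThanSlash16 = countif(PrefixLength < 16),
            AddressesCovered = sum(pow(2, 32 - PrefixLength))      // rough size of the flagged address space
    by Source
| order by Ranges desc
```

Run this once when you first adopt the feed and again whenever a lookup starts matching far more or far fewer addresses than expected; the BroadestPrefix and RangesWiderThanSlash16 columns are the quickest way to spot a source that would over-flag traffic.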

Self Contained Kusto


// Are a list of given IP addresses in data centers?
let DataCenters = externaldata (CIDR:string, DataCenterSource:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-datacenters.csv.zip'] with (ignoreFirstRecord=true);
let CIDRASN = externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string, Source:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip'] with (ignoreFirstRecord=true);
let DataCentersComplete = DataCenters
| evaluate ipv4_lookup(CIDRASN, CIDR, CIDR, return_unmatched=true)
| extend ExampleIpAddress = format_ipv4(parse_ipv4(CIDR) + iff(coalesce(toint(split(CIDR, '/')[1]), 32) >= 31, 0, 1)) // Generate a host address inside the range rather than the network address; /31 and /32 have no separate network address
| extend Country = tostring(geo_info_from_ip_address(ExampleIpAddress)['country'])
| extend CIDRASN = coalesce(CIDRASNName, 'Unknown Data Center');
let IPsOfInterest = datatable(IpAddress:string) [ 
'3.1.1.1', // Random IP addresses I've picked for demo purposes only; they do not mean anything at all
'104.208.1.1',
'107.248.1.1'
];
IPsOfInterest
| evaluate ipv4_lookup(DataCentersComplete, IpAddress, CIDR, return_unmatched=true)

Microsoft 365 Defender Example


// What Entra ID logons have we seen from Data Center locations?
let DataCenters = externaldata (CIDR:string, Source:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-datacenters.csv.zip'] with (ignoreFirstRecord=true);
let IPAddressesOfInterest = materialize( AADSignInEventsBeta
| summarize by IPAddress
| where isnotnull(parse_ipv4(IPAddress))             // ipv4_lookup only handles IPv4; drop IPv6 and empty values
| evaluate ipv4_lookup(DataCenters, IPAddress, CIDR)  // inner match: keep only addresses inside a data center range
| project IPAddress);                                 // single-column table so it can be used with 'in' below
AADSignInEventsBeta
| where IPAddress in (IPAddressesOfInterest)
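Listing every sign-in from a data center range is usually too noisy on its own, because corporate VPN egress and cloud-hosted jump hosts also live in such ranges. The query below is an added example, not part of the original page or the data set's own code: it excludes a constructed allow-list of your own egress ranges (the values are RFC 5737 documentation addresses used as placeholders, so replace them with your real ranges), keeps only sign-ins from data center ranges, and summarises them per account so that accounts with successful sign-ins from unexpected hosting infrastructure float to the top. The AADSignInEventsBeta column names used (Timestamp, IPAddress, ErrorCode, AccountUpn, Application) are as documented for advanced hunting; adjust them if your schema differs.

```kusto
// Added example: accounts with successful Entra ID sign-ins from data center ranges,
// excluding known corporate egress (not from the original page).
let DataCenters = externaldata (CIDR:string, Source:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-datacenters.csv.zip'] with (ignoreFirstRecord=true);
// Constructed allow-list of your own ranges that legitimately show up as data center IPs (placeholder values).
let KnownEgress = datatable(CIDR:string) [
    '203.0.113.0/24',   // placeholder: corporate VPN egress
    '198.51.100.0/24'   // placeholder: Azure-hosted jump hosts
];
let Lookback = 7d;
AADSignInEventsBeta
| where Timestamp > ago(Lookback)
| where isnotnull(parse_ipv4(IPAddress))                        // ipv4_lookup only handles IPv4
| evaluate ipv4_lookup(KnownEgress, IPAddress, CIDR, return_unmatched=true)
| where isempty(CIDR)                                           // drop sign-ins from allow-listed ranges
| project-away CIDR                                             // avoid a column clash with the next lookup
| evaluate ipv4_lookup(DataCenters, IPAddress, CIDR)            // inner match: keep only data center IPs
| summarize SignIns = count(),
            SuccessfulSignIns = countif(ErrorCode == 0),        // ErrorCode 0 is a successful sign-in
            DataCenterIPs = make_set(IPAddress, 50),
            Sources = make_set(Source, 10),
            Applications = make_set(Application, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by AccountUpn
| where SuccessfulSignIns > 0
| order by SuccessfulSignIns desc
```

Failed sign-ins from data center ranges are kept in the SignIns count but not used for ranking; a large gap between SignIns and SuccessfulSignIns for one account is itself worth a look, since it is the typical shape of password spraying from hosted infrastructure.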

Sentinel & Azure Log Analytics Example


Coming soon.