Kusto FireHOL Data Center Table


This data represents address blocks for data centers and data processing ranges.


Taken from the FireHOL datacenters publicly available IP set https://iplists.firehol.org/?ipset=datacenters

Why should I use this data?

This data set contains IP ranges from which activity is unlikely to be normal user activity. Combined with ASN or geographical data, it can provide additional useful insights. A match is a lead rather than proof: VPN services, cloud-hosted proxies and corporate egress gateways can also sit inside data center ranges.


Updated daily at around 0300 UTC. The source data may or may not be updated as regularly.



Column Name Data Type Notes
CIDR string
Source string Always firehol.org

Base Kusto Table

// Data center CIDR list as a two-column table. The CSV is downloaded at query
// time from the URL below, so results depend on that host being reachable and
// on the file's contents on the day of the query.
// ignoreFirstRecord=true skips the CSV header row.
externaldata (CIDR:string, Source:string)
[
    'https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-datacenters.csv.zip'
]
with (ignoreFirstRecord=true)

Base Kusto Function

// Binds the data center CIDR list to the name DataCenters for use later in
// the same query. The CSV is downloaded at query time from the URL below, so
// any detection built on it inherits that file's availability and accuracy.
// ignoreFirstRecord=true skips the CSV header row.
let DataCenters =
    externaldata (CIDR:string, Source:string)
    [
        'https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-datacenters.csv.zip'
    ]
    with (ignoreFirstRecord=true);

Self Contained Kusto

// Are a list of given IP addresses in data centers?
// Both lists below are downloaded at query time from firewalliplists.gypthecat.com;
// results depend on those files being reachable and on their contents that day.
// The second column is named DataCenterSource here, presumably to avoid a clash
// with the Source column of the ASN list - confirm.
let DataCenters = externaldata (CIDR:string, DataCenterSource:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-datacenters.csv.zip'] with (ignoreFirstRecord=true);
// CIDR-to-ASN list: numeric ASN and ASN name per range.
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string, Source:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip'] with (ignoreFirstRecord=true));
// Enrich each data center range with ASN and country information.
let DataCentersComplete = DataCenters
// return_unmatched=true keeps data center ranges that have no ASN match;
// their ASN columns stay empty until the coalesce below.
| evaluate ipv4_lookup(CIDRASN, CIDR, CIDR, return_unmatched=true)
// Takes the first three octets of the CIDR and appends the last octet of the
// network address plus one.
// NOTE(review): verify the "+1" on the split() result yields the intended number.
| extend ExampleIpAddress = strcat(substring(CIDR, 0, indexof(CIDR, ".", 0, -1, 3)), '.', split(split(CIDR, '.')[-1], '/')[0]+1) //Generate a single IP address not a Network Address
// Country is resolved for that single sample address only, not for every
// address in the range.
| extend Country = tostring(geo_info_from_ip_address(ExampleIpAddress)['country'])
// Replaces the numeric CIDRASN column with the ASN name, or with the fallback
// label when no ASN name was matched.
| extend CIDRASN = coalesce(CIDRASNName, 'Unknown Data Center');
// NOTE(review): the listing appears truncated from here on - the datatable rows,
// its closing bracket and the statement that feeds IPsOfInterest into the
// lookup are not present on this page.
let IPsOfInterest = datatable(IpAddress:string) [ 
'', //Random IP addresses I've picked for demo purposes only, they do not mean anything at all
// return_unmatched=true also returns addresses that are in no listed range,
// with the data center columns left empty; check that a lookup column such as
// CIDR is populated before treating a row as a data center hit.
| evaluate ipv4_lookup(DataCentersComplete, IpAddress, CIDR, return_unmatched=true) 

Microsoft 365 Defender Example

// What Entra ID logons have we seen from Data Center locations?
// A hit means the sign-in source address falls inside a listed hosting range.
// VPN services, cloud proxies and corporate egress gateways can produce
// legitimate hits, so correlate with user, device and ASN context before acting.
// The list is downloaded at query time from the URL below; if that file is
// unreachable or stale, the results are affected accordingly.
let DataCenters = externaldata (CIDR:string, Source:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-firehol-datacenters.csv.zip'] with (ignoreFirstRecord=true);
// materialize() caches the set of matching addresses for reuse in this query.
let IPAddressesOfInterest = materialize( AADSignInEventsBeta
// Reduce to distinct source addresses before the lookup.
| summarize by IPAddress
// Keeps only values containing '.', presumably to restrict the lookup to
// IPv4 - confirm. IPv6 sign-ins are therefore not evaluated by this query.
| where IPAddress has '.'
// No return_unmatched argument, so only addresses inside a listed range remain.
| evaluate ipv4_lookup(DataCenters, IPAddress, CIDR)
| summarize make_set(IPAddress));
// NOTE(review): the table this filter applies to is missing from the listing
// (presumably AADSignInEventsBeta again - confirm against the original).
| where IPAddress in (IPAddressesOfInterest)

Sentinel & Azure Log Analytics Example

Coming soon.