Abuse.ch Botnet C2 IP Blacklist to detect external C2 connections

Source: Abuse.ch

Feed link: https://sslbl.abuse.ch/blacklistsslipblacklist.txt

Defender For Endpoint

let ThreatIntelFeed = externaldata(DestIP: string)[@"https://sslbl.abuse.ch/blacklistsslipblacklist.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
     ThreatIntelFeed
     | where DestIP matches regex IPRegex
     | distinct DestIP
     );
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)

Sentinel

let ThreatIntelFeed = externaldata(DestIP: string)[@"https://sslbl.abuse.ch/blacklistsslipblacklist.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
     ThreatIntelFeed
     | where DestIP matches regex IPRegex
     | distinct DestIP
     );
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

TI Feed - AbuseCHIPBlacklistFeed.md

TI Feed - AbuseCHIPBlacklistFeed.md

Abuse.ch Botnet C2 IP Blacklist to detect external C2 connections

Source: Abuse.ch

Feed link: https://sslbl.abuse.ch/blacklistsslipblacklist.txt

Defender For Endpoint

Sentinel

Files

TI Feed - AbuseCHIPBlacklistFeed.md

Latest commit

History

TI Feed - AbuseCHIPBlacklistFeed.md

File metadata and controls

Abuse.ch Botnet C2 IP Blacklist to detect external C2 connections

Source: Abuse.ch

Feed link: https://sslbl.abuse.ch/blacklistsslipblacklist.txt

Defender For Endpoint

Sentinel