Forum Discussion
How to Use Attacker IP Prioritization Blacklist Feeds with Microsoft Defender for Endpoint (MDE)
The Attacker IP Prioritization Blacklist, or AIP Blacklist, is the blacklist of IP addresses generated from attacks made on the honeypots in our IoT lab using the AIP algorithm.
The blacklisted IP addresses are updated every day, and the updated lists include malicious IP addresses that are still alive. The publicly available data for these IPs can be accessed from https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/Todays-Blacklists/
The blacklist feeds are provided as links to files in .csv format, so you can use the KQL externaldata operator to pull the current blacklist into a query at run time instead of maintaining a copy of it yourself.
The following blacklist feeds are available:
- AIP_blacklist_for_IPs_seen_last_24_hours: This blacklist is designed to include only the new IPs that have been seen in the last 24 hours, and sort them according to how much traffic they produce, quantified by the number of packets, bytes, events, and length of connections.
- AIP_historical_blacklist_prioritized_by_newest_attackers: The AIP Tool generates this blacklist from the same large data set as the first, but uses a different algorithm. The algorithm prioritizes new and aggressive IPs over consistent ones. In the case of the first blacklist, as long as an IP attacks every day, its score will increase over time. With this blacklist, the older an IP gets, whether it is attacking consistently or not, the more its score will decrease in order to make room for the daily IPs that generate large amounts of traffic for a short time.
- AIP_historical_blacklist_prioritized_by_repeated_attackers: This blacklist is designed to prioritize the consistent and aggressive IPs from the data we collect. The AIP Tool creates a data-set that is updated every day with data collected in the last 24 hours and then uses a special algorithm to generate a blacklist from it. The algorithm is designed to prioritize consistency, meaning if an IP attacks every day, thus having higher average network statistics, it will remain on the blacklist longer.
Here’s the full query: https://gist.github.com/Shivammalaviya/5039c99e472809123e7aa522fd4a0de6
let AIPBlacklist = externaldata(Number:string, IP:string, values:dynamic)
[
    @"https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/Todays-Blacklists/AIP_blacklist_for_IPs_seen_last_24_hours.csv",
    @"https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/Todays-Blacklists/AIP_historical_blacklist_prioritized_by_newest_attackers.csv",
    @"https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/Todays-Blacklists/AIP_historical_blacklist_prioritized_by_repeated_attackers.csv"
]
with (format="csv", ignoreFirstRecord=true)
// The feed files contain comment lines that start with "#"; drop them and keep only the IP column
| where IP !startswith "#"
| project IP;
AIPBlacklist
| join (
    DeviceNetworkEvents
    // Only connections that were actually established or observed, not failed attempts
    | where ActionType in ("ConnectionSuccess", "InboundConnectionAccepted", "ConnectionFound")
) on $left.IP == $right.RemoteIP
| project Timestamp, LocalIP, RemoteIP, DeviceName, RemoteUrl, InitiatingProcessFileName, ActionType
As with MISP, we can turn this into a hunting rule and convert threat intelligence into practical defenses.
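The following Python script is an added example, not code from the original post or from the AIP project. It models offline what the KQL above does at run time: it parses feed text in the three-column shape the externaldata call declares (Number, IP, values), drops the "#" comment lines and the header row, merges the three feeds into one list, and joins that list against sample DeviceNetworkEvents rows using the same ActionType filter and RemoteIP match. The feed contents, the comment style and the header names, and the event rows are all constructed for illustration and are not copied from the live files.

```python
"""Offline model of the AIP blacklist join used in the KQL above.

Added example, not part of the original post or of the AIP project.
All feed text and event rows below are constructed sample data.
"""
import csv
import io
import ipaddress
from typing import Dict, Iterable, List

# Constructed feed text. The column layout follows the schema the KQL
# declares (Number, IP, values); the header names are an assumption.
FEEDS: Dict[str, str] = {
    "AIP_blacklist_for_IPs_seen_last_24_hours": (
        "# AIP blacklist, sample content (constructed)\n"
        "number,ip,values\n"
        "1,198.51.100.23,0.91\n"
        "2,203.0.113.7,0.42\n"
    ),
    "AIP_historical_blacklist_prioritized_by_newest_attackers": (
        "# sample content (constructed)\n"
        "number,ip,values\n"
        "1,203.0.113.7,0.77\n"
        "2,192.0.2.250,0.15\n"
    ),
    "AIP_historical_blacklist_prioritized_by_repeated_attackers": (
        "# sample content (constructed)\n"
        "number,ip,values\n"
        "1,198.51.100.23,0.99\n"
    ),
}

# Same ActionType filter as the KQL query.
WATCHED_ACTIONS = {"ConnectionSuccess", "InboundConnectionAccepted", "ConnectionFound"}

# Constructed DeviceNetworkEvents rows (only the columns the query projects).
SAMPLE_EVENTS: List[dict] = [
    {"Timestamp": "2024-01-01T10:00:00Z", "DeviceName": "ws01", "LocalIP": "10.0.0.5",
     "RemoteIP": "198.51.100.23", "RemoteUrl": "", "InitiatingProcessFileName": "svchost.exe",
     "ActionType": "ConnectionSuccess"},
    {"Timestamp": "2024-01-01T10:01:00Z", "DeviceName": "ws02", "LocalIP": "10.0.0.6",
     "RemoteIP": "203.0.113.7", "RemoteUrl": "", "InitiatingProcessFileName": "chrome.exe",
     "ActionType": "ConnectionFailed"},      # excluded by the ActionType filter
    {"Timestamp": "2024-01-01T10:02:00Z", "DeviceName": "srv01", "LocalIP": "10.0.0.20",
     "RemoteIP": "192.0.2.250", "RemoteUrl": "", "InitiatingProcessFileName": "sshd",
     "ActionType": "InboundConnectionAccepted"},
    {"Timestamp": "2024-01-01T10:03:00Z", "DeviceName": "ws01", "LocalIP": "10.0.0.5",
     "RemoteIP": "8.8.8.8", "RemoteUrl": "dns.google", "InitiatingProcessFileName": "svchost.exe",
     "ActionType": "ConnectionSuccess"},     # not on any feed
]


def parse_feed(text: str, feed_name: str) -> Dict[str, dict]:
    """Return {ip: {"score": float, "feed": feed_name}} for one feed file.

    Comment lines ("#") are skipped as in the KQL. Instead of skipping a
    fixed first record, the IP column is validated, so the header row and
    any junk line are dropped regardless of how many comment lines precede
    the header.
    """
    out: Dict[str, dict] = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        if len(row) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(row[1].strip()))
        except ValueError:
            continue  # header row ("number,ip,values") or malformed line
        try:
            score = float(row[2]) if len(row) > 2 else 0.0
        except ValueError:
            score = 0.0
        out[ip] = {"score": score, "feed": feed_name}
    return out


def merge_feeds(feeds: Dict[str, str]) -> Dict[str, dict]:
    """Union the feeds the way listing three URLs in externaldata does,
    but keep one entry per IP with its best score and every feed naming it."""
    merged: Dict[str, dict] = {}
    for name, text in feeds.items():
        for ip, info in parse_feed(text, name).items():
            entry = merged.setdefault(ip, {"score": 0.0, "feeds": []})
            entry["score"] = max(entry["score"], info["score"])
            entry["feeds"].append(name)
    return merged


def match_events(events: Iterable[dict], blacklist: Dict[str, dict]) -> List[dict]:
    """Equivalent of the join on $left.IP == $right.RemoteIP after the
    ActionType filter. Hits are sorted by feed score, highest first, which
    is the prioritisation the AIP feeds are built to provide."""
    hits = []
    for ev in events:
        if ev["ActionType"] not in WATCHED_ACTIONS:
            continue
        entry = blacklist.get(ev["RemoteIP"])
        if entry is None:
            continue
        hits.append({**ev, "Score": entry["score"], "Feeds": list(entry["feeds"])})
    hits.sort(key=lambda h: h["Score"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS, merge_feeds(FEEDS)):
        print(hit["Timestamp"], hit["DeviceName"], hit["RemoteIP"],
              hit["ActionType"], hit["Score"], ",".join(hit["Feeds"]))
```

Keeping the score and the feed name, rather than projecting the IP column alone as the query does, is what lets you triage hits in priority order and tell a one-day spike from a repeat offender when the same IP appears in more than one feed.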