Question

Detection rule to flag VPN IPs

  • December 3, 2025
  • 1 reply
  • 27 views


I am having difficulty writing a detection rule to identify VPN IPs, specifically for services like Mullvad VPN and other similar VPN providers, using only built-in threat feeds (no external data sources). I do not want to hardcode ASN numbers.

1 reply

JeremyLand
Staff
  • December 5, 2025

The available threat feeds will depend on your SecOps license level (see the table at the end of this section), but several of the feeds do include some MISP labeling that could be helpful here.

I would check and see if you get good results joining against the entity graph for IPs with the ‘misp_vpn-ipv4’ source_label (or IPv6 if that is what you need).
Something like this snippet in your detection, with the rest of your source event filtering and outcomes + conditions wrapped around it:

// The rest of your primary event filtering
$event.principal.ip = $ipaddress

// Join the event's IP against the global entity graph, keyed on the MISP VPN labels
$ecg.graph.metadata.source_type = "GLOBAL_CONTEXT"
$ecg.graph.metadata.entity_type = "IP_ADDRESS"
(
  $ecg.graph.metadata.source_labels["misp_vpn-ipv4"] = "true" or
  $ecg.graph.metadata.source_labels["misp_vpn-ipv6"] = "true"
)
$ecg.graph.entity.ip = $ipaddress

match: $ipaddress over 5m
// Outcome section and condition logic
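A complete rule skeleton built around the entity-graph join above, added here as an example and not taken from the reply or from the product documentation; the USER_LOGIN event filter, the rule name and the outcome variables are assumptions you would swap for your own event filtering.

```yaral
rule vpn_ip_user_login {
  meta:
    // Added example, not from the original post; tailor the filtering to your data.
    author = "example"
    description = "User login from an IP carried in the MISP VPN entity-graph feed"
    severity = "LOW"

  events:
    // Primary event filtering (assumption: interactive logins; adjust to your sources)
    $event.metadata.event_type = "USER_LOGIN"
    $event.principal.ip = $ipaddress
    $event.target.user.userid = $user

    // Join the source IP against the global entity graph on the MISP VPN labels
    $ecg.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $ecg.graph.metadata.entity_type = "IP_ADDRESS"
    (
      $ecg.graph.metadata.source_labels["misp_vpn-ipv4"] = "true" or
      $ecg.graph.metadata.source_labels["misp_vpn-ipv6"] = "true"
    )
    $ecg.graph.entity.ip = $ipaddress

  match:
    $ipaddress over 5m

  outcome:
    // VPN use is context, not a verdict: keep the score low and surface who logged in
    $risk_score = 35
    $users = array_distinct($user)
    $login_count = count($event.metadata.id)

  condition:
    $event and $ecg
}
```

Because the feed only says an IP is a known VPN exit, the outcome records the users and login count so a triager can separate a sanctioned corporate VPN from an unexpected one rather than alerting on every match.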