Forum Discussion
AWS CloudTrail - "whois" Organization Whitelist
Siedlarczyk95 Sounds like you would need to create a logic app that makes the queries to whois to get the information you need and update a custom log with that information.
I do not have the exact code you would need but you can look at the Azure Sentinel on getting Teams information to give you an idea of how to start.
Hi Gary, thanks for the response.
I thought about that, but not sure how to stream the data to get it queried from whois.
As logic apps connectors for Sentinel are basically based on alerts, the noise would be huge if I used this approach.
Do you have a suggestion on that?
Best regards.
Lucas
- GaryBushey, May 11, 2020, Bronze Contributor
Siedlarczyk95 This would be a straight Logic App, not a Playbook, so you could set it up to use the Recurrence trigger and use the HTTP action to call whois (assuming you can make a REST call to get the data you need).
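The batch step that such a recurring job would run, shown in Python as an added example that is not part of the thread or of any Sentinel code: it reduces a window of CloudTrail events to the unique external source IPs, so whois is queried once per address rather than once per event. The `whois_org` callable, the output column names and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample CloudTrail records (only the fields used here).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10"},
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.10"},
    {"eventName": "AssumeRole", "sourceIPAddress": "ec2.amazonaws.com"},
    {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7"},
    {"eventName": "DescribeInstances", "sourceIPAddress": "10.0.4.12"},
]

# RFC 1918 ranges: internal addresses have no useful whois organization.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup_candidates(events, cache):
    """Return unique external IPs that are not already in the cache."""
    wanted = set()
    for ev in events:
        raw = ev.get("sourceIPAddress", "")
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # AWS service calls carry a DNS name, not an IP
        if any(ip in net for net in INTERNAL_NETS):
            continue
        if raw not in cache:
            wanted.add(raw)
    return sorted(wanted)


def enrich(events, whois_org, allowlist, cache=None):
    """Build custom-log rows; whois_org stands in for the HTTP call (assumption)."""
    cache = {} if cache is None else cache
    for ip in lookup_candidates(events, cache):
        cache[ip] = whois_org(ip)
    # Hypothetical column names for the custom log table.
    return [{"SourceIp": ip, "Organization": org, "Allowlisted": org in allowlist}
            for ip, org in sorted(cache.items())]


def fake_whois_org(ip):
    """Offline stand-in returning constructed organization names."""
    return {"203.0.113.10": "Example ISP",
            "198.51.100.7": "Unknown Hosting Ltd"}.get(ip, "")
```

Passing the same `cache` dictionary on each run means addresses that were already resolved are not looked up again.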