Forum Discussion
GaryBushey
Jan 24, 2020Bronze Contributor
When do items show on the Potential malicious events map?
What is needed to get items to show up on the Potential malicious event map on the Overview page? I read https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-use-azure-monitor-workbooks-to...
CliveWatson
Microsoft
Jan 26, 2020
If you have circles on the map its working, you may also need to edit the default Lat and Long - as I set it to our office (the distances are calculated from there (in Miles) to the location we see the MaliciousIP). I seemed to have missed that on the instructions - sorry!
I'm planning to add a few major cities to the drop down's so you can select a default location - or add your own.
GaryBushey
Jan 26, 2020Bronze Contributor
CliveWatson Looking more into the queries on the page, If load the Finished Query (almost) I get no data returned because the MaliciousIP is always empty.
Which, I guess, brings me back to my original question (more or less), how would that field get filled in? 🙂
- CliveWatsonJan 27, 2020
Microsoft
I spoke to this in my first reply.
This normally indicates you don't have data in at least of one the 6 tables + a MaliciousIP address match.
Do you have any Inbound or Outbound traffic, show up on the Sentinel Home Page - that would indicate you have the right data and a match?
If this counter on the map is Zero - then we dont have a match. Essentially there is a feed of known Malicious IP addresses, if they correlate / match one that is seen in your logs then the counter goes from zero to 1 etc... e.g. there is known IP of 1.1.1.1 and it was seen in your CEF logs (CommonsecuityLog), so that device (probably a Firewall) has a match with a know malicious IP .For this to occur you need to have a machine on the Internet (Public IP) and for it to get probed with a Malicious IP into one of the six tables we check. If you have no machines on the internet or are blocking the log data in some way - you may not see these?
Not having any Malicious IPs is a good thing - but you may want to carefully test this by exposing a machine (isolated from your others) for a short while to prove the capability is working.
- Deepanshu_MarwahSep 24, 2020Brass Contributor
Hi CliveWatson
Does that mean only logs ingested through CEF can be leveraged for geo mapping and malicious IP identification functionality ? Currently I am ingesting all the logs through rest API into custom tables that includes firewall logs that has most of the required information. Is it possible to work with custom tables to perform same function as of the CEF logs (CommonsecuityLog) for achieving the same goal ?
- CliveWatsonSep 24, 2020
Microsoft
There are 11 geo spatial queries you can use, this is one https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/geo-distance-2points-function
They need a Longitude and Latitude to work, so that can come from any Table, from a query or in a workbook.
The Map on the Azure Sentinel Overview page, uses 6 specific tables. You can't alter that but you can take that query and use it yourself, like I did in the Workbook https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-use-azure-sentinel-to-follow-a-users-travel-and-map-their/ba-p/981716
A KQL example from the Help
print distance_in_meters = geo_distance_2points(-122.407628, 47.578557, -118.275287, 34.019056)
You can use any TableVMConnection | project RemoteLongitude, RemoteLatitude | serialize | extend distanceTo = geo_distance_2points(RemoteLongitude, RemoteLatitude, prev(RemoteLongitude), prev(RemoteLatitude)) | order by distanceTo desc
, just replace "VMconnection" with your own table name, and pick the columns, that have your Longitude and Latitude in. This is an example query and not a good one, just to illustrate my point.
You can do this in a Query like above, or take the same Query and use in a Workbook, or a Sentinel Analytics rule or Hunting query etc...
- GaryBusheyJan 27, 2020Bronze Contributor
CliveWatson OK, it has gotten through my thick skull finally. Thanks for all the help yet again.