Forum Discussion
GaryBushey
Jan 24, 2020
Bronze Contributor
When do items show on the Potential malicious events map?
What is needed to get items to show up on the Potential malicious event map on the Overview page? I read https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-use-azure-monitor-workbooks-to...
CliveWatson
Microsoft
Jan 27, 2020
I spoke to this in my first reply.
This normally indicates you don't have data in at least one of the 6 tables + a MaliciousIP address match.
Do you have any Inbound or Outbound traffic showing up on the Sentinel Home Page - that would indicate you have the right data and a match?
If this counter on the map is Zero - then we don't have a match. Essentially there is a feed of known Malicious IP addresses; if they correlate / match one that is seen in your logs then the counter goes from zero to 1 etc... e.g. there is a known IP of 1.1.1.1 and it was seen in your CEF logs (CommonSecurityLog), so that device (probably a Firewall) has a match with a known malicious IP.
For this to occur you need to have a machine on the Internet (Public IP) and for it to get probed with a Malicious IP into one of the six tables we check. If you have no machines on the internet or are blocking the log data in some way - you may not see these?
Not having any Malicious IPs is a good thing - but you may want to carefully test this by exposing a machine (isolated from your others) for a short while to prove the capability is working.
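An added example, not part of the thread above, for checking the two conditions Clive describes (data present in a table, and rows in it that matched the malicious IP feed). It runs against CommonSecurityLog, the one table the reply names; the `MaliciousIP` column is assumed to be the enrichment field the map correlates on, and the other five tables, which the thread does not name, would be checked with the same pattern.

```kusto
// Added example (not from the thread): does CommonSecurityLog hold any data
// at all, and did any of it match the malicious IP feed in the last 7 days?
// Assumes MaliciousIP is the enriched column the map counter correlates on.
CommonSecurityLog
| where TimeGenerated > ago(7d)
| summarize
    TotalRows        = count(),                                   // 0 here = no CEF data reaching the table
    MaliciousMatches = countif(isnotempty(MaliciousIP)),          // 0 here = data, but no feed match yet
    FirstMatch       = minif(TimeGenerated, isnotempty(MaliciousIP)),
    LastMatch        = maxif(TimeGenerated, isnotempty(MaliciousIP)),
    Devices          = dcountif(DeviceVendor, isnotempty(MaliciousIP))
```

If `TotalRows` is zero the connector or forwarder is the problem, not the map; if `TotalRows` is populated but `MaliciousMatches` is zero, the table is fine and the counter is simply reporting that no logged address matched the feed in that window.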
GaryBushey
Jan 27, 2020
Bronze Contributor
CliveWatson OK, it has gotten through my thick skull finally. Thanks for all the help yet again.