Forum Discussion
GaryBushey
Jan 24, 2020, Bronze Contributor
When do items show on the Potential malicious events map?
What is needed to get items to show up on the Potential malicious event map on the Overview page? I read https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-use-azure-monitor-workbooks-to...
Deepanshu_Marwah
Sep 24, 2020, Copper Contributor
Hi CliveWatson
Does that mean only logs ingested through CEF can be leveraged for the geo mapping and malicious IP identification functionality? Currently I am ingesting all the logs through the REST API into custom tables, including firewall logs that have most of the required information. Is it possible to work with custom tables to perform the same function as the CEF logs (CommonSecurityLog) for achieving the same goal?
CliveWatson
Sep 24, 2020, Former Employee
There are 11 geospatial queries you can use; this is one: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/geo-distance-2points-function
They need a Longitude and Latitude to work, so that can come from any Table, from a query or in a workbook.
The Map on the Azure Sentinel Overview page uses 6 specific tables. You can't alter that, but you can take that query and use it yourself, like I did in the Workbook https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-use-azure-sentinel-to-follow-a-users-travel-and-map-their/ba-p/981716
A KQL example from the Help:
print distance_in_meters = geo_distance_2points(-122.407628, 47.578557, -118.275287, 34.019056)
You can use any Table:
VMConnection
| project RemoteLongitude, RemoteLatitude
| serialize
| extend distanceTo = geo_distance_2points(RemoteLongitude, RemoteLatitude, prev(RemoteLongitude), prev(RemoteLatitude))
| order by distanceTo desc
Just replace "VMConnection" with your own table name and pick the columns that hold your Longitude and Latitude. This is an example query, and not a good one; it is just to illustrate my point.
You can do this in a Query like the one above, or take the same Query and use it in a Workbook, a Sentinel Analytics rule, a Hunting query, etc.
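The query above relies on two things: a distance function that takes longitude before latitude (the argument order of geo_distance_2points, which is easy to get backwards) and the serialize/prev() pattern that pairs each row with the one before it. The following is an added example, not code from the thread or from Microsoft, that reproduces both behaviours in Python so the logic can be checked offline against constructed rows. It uses a spherical haversine formula with a 6371 km Earth radius, so its results are close to, but not identical with, what the Kusto function returns; the `SAMPLE_ROWS` list is constructed data standing in for `VMConnection | project RemoteLongitude, RemoteLatitude`, and the column names are taken from the query in the post.

```python
import math
from typing import Dict, List, Optional

# Mean Earth radius in metres; the haversine formula below is a spherical
# approximation, so results differ slightly from Kusto's geo_distance_2points.
EARTH_RADIUS_M = 6371000.0


def geo_distance_2points(lon1: Optional[float], lat1: Optional[float],
                         lon2: Optional[float], lat2: Optional[float]) -> Optional[float]:
    """Great-circle distance in metres between two points.

    Argument order mirrors the Kusto function: longitude first, then latitude.
    Returns None when any input is None (as prev() yields for the first row in a
    serialized table) or when a coordinate is out of range; Kusto likewise returns
    null for invalid coordinates.
    """
    if None in (lon1, lat1, lon2, lat2):
        return None
    for lon, lat in ((lon1, lat1), (lon2, lat2)):
        if not (-180.0 <= lon <= 180.0 and -90.0 <= lat <= 90.0):
            return None
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


# Constructed sample rows (not real telemetry) in the shape of
# VMConnection | project RemoteLongitude, RemoteLatitude
SAMPLE_ROWS: List[Dict[str, float]] = [
    {"RemoteLongitude": -122.407628, "RemoteLatitude": 47.578557},  # Seattle area
    {"RemoteLongitude": -118.275287, "RemoteLatitude": 34.019056},  # Los Angeles
    {"RemoteLongitude": -118.2,      "RemoteLatitude": 34.05},      # a few km from the previous row
    {"RemoteLongitude": -0.1276,     "RemoteLatitude": 51.5072},    # London
]


def distance_to_previous(rows: List[Dict[str, float]]) -> List[Dict[str, Optional[float]]]:
    """Python equivalent of:

        | serialize
        | extend distanceTo = geo_distance_2points(RemoteLongitude, RemoteLatitude,
                                                   prev(RemoteLongitude), prev(RemoteLatitude))
        | order by distanceTo desc

    The input order is the serialization order. The first row has no previous
    row, so its distanceTo is None; None rows are placed last in the result.
    """
    out: List[Dict[str, Optional[float]]] = []
    prev: Optional[Dict[str, float]] = None
    for row in rows:
        if prev is None:
            d = None
        else:
            d = geo_distance_2points(row["RemoteLongitude"], row["RemoteLatitude"],
                                     prev["RemoteLongitude"], prev["RemoteLatitude"])
        out.append({**row, "distanceTo": d})
        prev = row
    # Sort descending by distance; rows with a null distance go to the end.
    return sorted(out, key=lambda r: (r["distanceTo"] is None, -(r["distanceTo"] or 0.0)))


if __name__ == "__main__":
    # The Help example from the thread: Seattle area to Los Angeles.
    print(geo_distance_2points(-122.407628, 47.578557, -118.275287, 34.019056))
    for r in distance_to_previous(SAMPLE_ROWS):
        print(r)
```

Swapping the table name and the two coordinate columns is all that changes when this is ported back to KQL against a custom table; the important check is that the columns really are longitude then latitude, since reversed arguments still produce plausible-looking numbers.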