Log Analytics Agent - data exfiltration threat *.blob.core.windows.net

%3CLINGO-SUB%20id%3D%22lingo-sub-1041866%22%20slang%3D%22en-US%22%3ELog%20Analytics%20Agent%20-%20data%20exfiltration%20threat%20*.blob.core.windows.net%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1041866%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20public%20documentation%20specifies%20that%20for%20Log%20Analytics%20to%20be%20used%2C%20Virtual%20Machines%20must%20be%20granted%20outbound%20access%20to%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E*.ods.opinsights.azure.com%3CBR%20%2F%3E*.oms.opinsights.azure.com%3CBR%20%2F%3E*.blob.core.windows.net%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOpening%20network%20firewalls%20carte%20blanche%20to%20the%20whole%20of%20Azure's%20blob%20storage%20is%20difficult%20for%20Security%20to%20accept.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20the%20Azure%20firewall%20bringing%20fqdn%20filtering%20to%20the%20platform%2C%20there%20must%20now%20be%20a%20way%20to%20whitelist%20access%20through%20the%20firewall%20to%20support%20the%20Agent.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20MOM%20Agent%20can%20be%20installed%20by%20package.%20From%20what%20I've%20seen%2C%20the%20agent%20seems%20to%20need%20access%20to%3A%3C%2FP%3E%3CP%3E%3CEM%3E%7BWorkspace%20GUID%7D%3C%2FEM%3E.ods.opinsights.azure.com%3CBR%20%2F%3E%3CEM%3E%7BWorkspace%20GUID%7D%3C%2FEM%3E.oms.opinsights.azure.com%3C%2FP%3E%3CP%3E...%20as%20we%20know%20the%20Workspace%20GUIDs%2C%20that's%20workable.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20is%20an%20agent%20'typology'%20request%20made%20to%3A%3C%2FP%3E%3CP%3Ehttps%3A%2F%2F%3CEM%3E%7BWorkspace%20GUID%7D%3C%2FEM%3E.oms.opinsights.azure.com%2FAgentService.svc%2FAgentTopologyRequest%3C%2FP%3E%3CP%3Ewhich%20I%20expect%20is%20instructing%20the%20agent%20on%20the%20location%20of%20geographic%20blob%20storage%20for%20augmenting%20the%20install.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20Australia%2C%20the%20regional%20blobs%20seem%20to%20be%3A%20seauoiomsmds.blob.core.windows.net%20(Storage.AustraliaSouthEast)%2C%20cauoiomssa.blob.core.windows.net%20(Storage.AustraliaCentral)%20%26amp%3B%20eauoiomssa.blob.core.windows.net%20(Storage.AustraliaEast).%26nbsp%3B%20These%20seem%20to%20be%20the%20same%20requirements%20for%20all%20VMs%20in%20a%20geographic%20area.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELastly%2C%20there%20is%20also%20a%20need%20for%20access%20to%20Microsoft%20Intelligence%20Packs%20%3CA%20href%3D%22https%3A%2F%2Fscadvisorcontent.blob.core.windows.net%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fscadvisorcontent.blob.core.windows.net%2F%3C%2FA%3E%20(Storage.SouthCentralUS).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20this%20is%20all%20that's%20required%2C%20it%20would%20be%20possible%20to%20still%20restrict%20outbound%20network%20access%20while%20allowing%20the%20Log%20Analytics%20Agent%20to%20be%20used...%20making%20Security%20and%20Cloud%20Engineers%20both%20happy!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20anyone%20able%20to%20tell%20me%20if%20there%20are%20other%20addresses%20that%20would%20be%20needed%20for%20the%20Log%20Analytics%20(with%20Intelligence%20Packs)%20to%20properly%20install%20and%20function%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%20%26amp%3B%20Thanks%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1041866%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAgents%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Log%20Analytics%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Highlighted
Senior Member

The public documentation specifies that for Log Analytics to be used, Virtual Machines must be granted outbound access to:

 

*.ods.opinsights.azure.com
*.oms.opinsights.azure.com
*.blob.core.windows.net

 

Opening network firewalls carte blanche to the whole of Azure's blob storage is difficult for Security to accept.  

 

With the Azure firewall bringing fqdn filtering to the platform, there must now be a way to whitelist access through the firewall to support the Agent.

 

The MOM Agent can be installed by package. From what I've seen, the agent seems to need access to:

{Workspace GUID}.ods.opinsights.azure.com
{Workspace GUID}.oms.opinsights.azure.com

... as we know the Workspace GUIDs, that's workable.

 

There is an agent 'typology' request made to:

https://{Workspace GUID}.oms.opinsights.azure.com/AgentService.svc/AgentTopologyRequest

which I expect is instructing the agent on the location of geographic blob storage for augmenting the install.

 

In Australia, the regional blobs seem to be: seauoiomsmds.blob.core.windows.net (Storage.AustraliaSouthEast), cauoiomssa.blob.core.windows.net (Storage.AustraliaCentral) & eauoiomssa.blob.core.windows.net (Storage.AustraliaEast).  These seem to be the same requirements for all VMs in a geographic area.

 

Lastly, there is also a need for access to Microsoft Intelligence Packs https://scadvisorcontent.blob.core.windows.net/ (Storage.SouthCentralUS).

 

If this is all that's required, it would be possible to still restrict outbound network access while allowing the Log Analytics Agent to be used... making Security and Cloud Engineers both happy!

 

Is anyone able to tell me if there are other addresses that would be needed for the Log Analytics (with Intelligence Packs) to properly install and function?

 

Regards & Thanks