May 11 2020 08:31 AM - last edited on Dec 23 2021 10:02 AM by TechCommunityAP
Hi all,
I'm trying to create a custom alert trigger in Sentinel to filter source IP addresses from my CloudTrail logs, as I've whitelisted IPs (VPN) well defined.
However, some services like autoscaling use some internal AWS IPs which I do not have control over.
My question is: Is there a way to whitelist and exclude these IPs from my query, using some sort of whois organization response attribute?
If anyone has some guidance, it would be very helpful. Coding and integrations are also welcome.
Best regards,
Siedlarczyk
@Siedlarczyk95 Sounds like you would need to create a logic app that makes the queries to whois to get the information you need and update a custom log with that information.
I do not have the exact code you would need but you can look at the Azure Sentinel on getting Teams information to give you an idea of how to start.
May 11 2020 09:34 AM
Hi Gary, thanks for the response.
I thought about that, but not sure how to stream the data to get it queried from whois.
As Logic Apps connectors for Sentinel are basically based on alerts, the noise would be huge if I used this approach.
Do you have a suggestion on that?
Best regards.
Lucas
May 11 2020 11:13 AM
@Siedlarczyk95 This would be a straight Logic App, not a Playbook, so you could set it up to use the Recurrence trigger and use the HTTP action to call whois (assuming you can make a REST call to get the data you need).
May 12 2020 02:21 AM
@Siedlarczyk95 This may be along the lines of what you are looking for. I wanted to create tickets in an ITSM for alerts in Sentinel and, instead of having to constantly look up the location and owner of the IP addresses, I used a REST API call via Logic Apps to get the IP owner https://ipapi.co/8.8.8.8/org so this could be added to the ticket on creation.
This won't necessarily let you alert for non-Amazon IPs since the alert would've already occurred.
I also wanted to get information on where connections to our Cisco ASA were coming from geographically, so I used another Logic App to look up IPs for their location, owner etc.
For this you would need a CSV file in blob storage with the defined headers you are looking for, e.g. IP, Location, Owner.
I used a recurringly triggered Logic App to run a Log Analytics query to get a list of IPs and then conditionally check the CSV for the IP to make sure it wasn't already there (to avoid going over the API rate limit looking up IPs twice).
If the IP isn't in the file, you would then call the API and add the information as a new line to the CSV file.
You could then use externaldata to look up this information in Log Analytics and create alerts based on a query that excludes Amazon-owned IPs.
I used the code below to generate a map showing the places connections were being made from to our ASA. The URL for the blob was generated by clicking on Generate SAS under the storage account > containers > file.
// Lookup CSV (IP, country code) in blob storage, read via a SAS URL.
// ignoreFirstRecord=true skips the header row so it is not treated as data.
externaldata(ip:string, country_code:string)
[h"https://my.blob.core.windows.net/mycontainer/iplookup.csv?sp=sharedaccesssignature"]
with(format="csv", ignoreFirstRecord=true)
| join kind=inner (
    CommonSecurityLog
    // {TimeRange} is a workbook time-range parameter; replace with e.g. "> ago(7d)" in a plain query
    | where TimeGenerated {TimeRange}
    | extend day=dayofmonth(TimeGenerated)
    // ASA VPN login messages; pull the user name and connecting IP out of the text
    | where Message contains "%ASA: Group <GroupPolicy_VPN> User"
    | parse Message with * "> User <" User ">" *
    | parse Message with * "> IP <" ConnectingIP ">" *
) on $left.ip == $right.ConnectingIP
| distinct User, country_code
// number of distinct users per country, which the workbook renders as a map
| summarize count(User) by country_code
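The cache-and-exclude step described in the reply above, as an added example that is not part of the thread: the CSV cache with the suggested IP, Location, Owner headers, the "only look up IPs not already in the file" check, and the final filter that drops VPN-allowlisted and Amazon-owned sources. It is plain Python rather than a Logic App, and a constructed lookup table stands in for the ipapi.co /org call so it runs offline.

```python
import csv
import io

FIELDS = ["IP", "Location", "Owner"]  # CSV headers suggested in the reply
# Constructed sample data: a cache already holding one VPN address, and a fake
# lookup table standing in for the ipapi.co /org call (no network needed).
SAMPLE_CSV = "IP,Location,Owner\n203.0.113.7,Frankfurt,Example VPN Ltd\n"
FAKE_LOOKUPS = {"198.51.100.20": {"org": "AMAZON-02", "location": "Ashburn"},
                "192.0.2.99": {"org": "Unknown ISP", "location": "Somewhere"}}


def load_cache(csv_text):
    """Parse the blob CSV into {IP: row}; DictReader treats row 1 as headers."""
    return {row["IP"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def enrich(ips, cache, lookup):
    """Call lookup only for IPs not yet cached (the dedup step that keeps the
    API rate limit in check), add them to the cache and return the new rows."""
    added = []
    for ip in dict.fromkeys(ips):  # drop duplicates, keep order
        if ip in cache:
            continue
        info = lookup(ip)
        row = {"IP": ip, "Location": info.get("location", ""),
               "Owner": info.get("org", "")}
        cache[ip] = row
        added.append(row)
    return added


def dump_cache(cache):
    """Serialize the cache back to CSV text for upload to blob storage."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(cache.values())
    return buf.getvalue()


def unexpected_sources(ips, cache, vpn_allowlist, trusted_owner_keywords):
    """Source IPs neither on the VPN allowlist nor owned by a trusted org
    (e.g. Amazon-owned autoscaling addresses): the alert candidates."""
    flagged = []
    for ip in dict.fromkeys(ips):
        owner = cache.get(ip, {}).get("Owner", "").lower()
        if ip in vpn_allowlist or any(k.lower() in owner for k in trusted_owner_keywords):
            continue
        flagged.append(ip)
    return flagged
```

An IP missing from the cache has no owner and is therefore flagged, which is the safe default until the lookup has filled it in.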