%3CLINGO-SUB%20id%3D%22lingo-sub-2158352%22%20slang%3D%22en-US%22%3EHandling%20false%20positives%20in%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2158352%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20using%20Azure%20Sentinel%2C%20you%20are%20bound%20to%20get%20some%20false%20positives.%20No%20detection%20rule%20is%20perfect.%20In%20this%20blog%20post%2C%20we%20will%20learn%20how%20to%20handle%20false%20positives%20in%20scheduled%20analytics%20rules.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--524102768%22%20id%3D%22toc-hId--524102768%22%20id%3D%22toc-hId--524102768%22%3EUnderstanding%20false%20positives%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20most%20cases%2C%20false%20positives%20stem%20from%20specific%20entities%20such%20as%20users%20or%20IP%20addresses%20which%20should%20be%20excluded.%26nbsp%3B%20Common%20scenarios%20are%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EDuring%20his%20normal%20activity%2C%20a%20user%20may%20often%20exhibit%20a%20pattern%20that%20can%20be%20viewed%20as%20suspected.%20This%20would%20often%20be%20a%20service%20principal.%3C%2FLI%3E%0A%3CLI%3EAn%20intentional%20security%20scanning%20activity%20coming%20from%20known%20IP%20addresses%20is%20often%20detected%20as%20malicious.%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EA%20rule%20excludes%20private%20IP%20addresses.%20However%2C%20some%20internal%20IP%20addresses%20are%20not%20private%20and%20should%20also%20be%20excluded.%26nbsp%3B%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1963410065%22%20id%3D%22toc-hId-1963410065%22%20id%3D%22toc-hId-1963410065%22%3EImplementing%20false%20positive%20handling%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20solution%20is%20to%20modify%20the%20rule%20queries%2C%20either%20by%20including%20the%20exceptions%20directly%20in%20the%20rule%2C%20or%20preferably%2C%20when%20possible%2C%20including%20a%20reference%20to%20a%20watchlist%20and%20managing%20the%20exception%20list%20in%20the%20watchlist.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETaking%20the%20typical%20rule%20preamble%2C%20you%20can%20add%20the%20blue%20line%20at%20the%20beginning%20of%20the%20query%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3Elet%20timeFrame%20%3D%201d%3B%3CBR%20%2F%3Elet%20logonDiff%20%3D%2010m%3B%3CBR%20%2F%3ESigninLogs%3CBR%20%2F%3E%7C%20where%20TimeGenerated%20%26gt%3B%3D%20ago(timeFrame)%3CBR%20%2F%3E%3CSTRONG%3E%3CFONT%20color%3D%22%230000FF%22%3E%7C%20where%20IPAddress%20in%20('10.0.0.8'%2C%20'192.168.12.1')%3C%2FFONT%3E%3C%2FSTRONG%3E%3CBR%20%2F%3E%E2%80%A6%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20relevant%20exception%20is%20not%20limited%20to%20IP%20addresses%20and%20might%20be%20for%20specific%20users%20(using%20the%20UserPrincipalName%20field)%20or%20Apps%20(using%20the%20AppDisplayName).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20exclude%20multiple%20attributes%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3E%7C%20where%20IPAddress%20in%20('10.0.0.8'%2C%20'192.168.12.1')%3CBR%20%2F%3E%3C%2FSTRONG%3E%3CSTRONG%3E%7C%20where%20UserPrincipalName%20%3D%3D%26nbsp%3B'user%40microsoft.com'%3C%2FSTRONG%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOr%2C%20to%20implement%20a%20more%20fine-grained%20exception%20when%20applicable%2C%20to%20reduce%20the%20chance%20for%20false%20negatives%2C%20by%20combining%20attributes%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3E%26nbsp%3B%20%7C%20where%20IPAddress%20%3D%3D%20'10.0.0.8'%20and%20UserPrincipalName%20%3D%3D%20'user%40microsoft.com'%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-155955602%22%20id%3D%22toc-hId-155955602%22%20id%3D%22toc-hId-155955602%22%3EExcluding%20subnets%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20third%20use%20case%20described%20above%2C%20excluding%20IP%20ranges%20used%20by%20the%20organization%2C%20requires%20subnet%20exclusion.%20The%20following%20examples%20show%20how%20to%20exclude%20subnets.%20Note%20that%20since%20the%20ipv_lookup%20operator%20is%20an%20enrichment%20operator%20and%20not%20a%20filtering%20operator%2C%20the%20filtering%20is%20actually%20done%20in%20the%20following%20line%20by%20inspecting%20those%20events%20for%20which%20a%20match%20was%20not%20made.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CFONT%20color%3D%22%230000FF%22%3E%3CSTRONG%3Elet%20subnets%20%3D%20datatable(network%3Astring)%20%3C%2FSTRONG%3E%3CSTRONG%3E%5B%3C%2FSTRONG%3E%3CSTRONG%3E%26nbsp%3B%22111.68.128.0%2F17%22%2C%20%3C%2FSTRONG%3E%3CSTRONG%3E%225.8.0.0%2F19%22%2C%20...%3C%2FSTRONG%3E%3C%2FFONT%3E%3CSTRONG%3E%3CFONT%20color%3D%22%230000FF%22%3E%5D%3B%3C%2FFONT%3E%3CBR%20%2F%3E%3C%2FSTRONG%3Elet%20timeFrame%20%3D%201d%3B%3CBR%20%2F%3Elet%20logonDiff%20%3D%2010m%3B%3CBR%20%2F%3ESigninLogs%3CBR%20%2F%3E%7C%20where%20TimeGenerated%20%26gt%3B%3D%20ago(timeFrame)%3CBR%20%2F%3E%3CFONT%20color%3D%22%230000FF%22%3E%3CSTRONG%3E%7C%20evaluate%20ipv4_lookup(subnets%2C%20IPAddress%2C%20network%2C%20return_unmatched%20%3D%20true)%3CBR%20%2F%3E%3C%2FSTRONG%3E%3CSTRONG%3E%7C%20where%20isempty(network)%3CBR%20%2F%3E%3C%2FSTRONG%3E%3C%2FFONT%3E%7C%20where%20ResultType%20%3D%3D%20%220%22%3CBR%20%2F%3E%E2%80%A6%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1651498861%22%20id%3D%22toc-hId--1651498861%22%20id%3D%22toc-hId--1651498861%22%3EUsing%20Watchlists%20to%20handle%20false%20positives%20outside%20of%20the%20rule%20itself%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20use%20a%20Watchlist%20to%20manage%20the%20list%20of%20IP%20addresses%20outside%20of%20the%20rule%20itself.%20When%20applicable%2C%20this%20is%20the%20preferred%20solutions%20and%20has%20several%20advantages%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EThis%20enables%20an%20analyst%20to%20add%20exceptions%20without%20editing%20the%20rule%2C%20which%20better%20follows%20SOC%20best%20practices.%3C%2FLI%3E%0A%3CLI%3EThe%20same%20watchlist%20can%20apply%20to%20multiple%20rules%2C%20enabling%20central%20exception%20management.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUsing%20a%20watchlist%20is%20rather%20similar%20to%20using%20a%20direct%20exception%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3Elet%20timeFrame%20%3D%201d%3B%3CBR%20%2F%3Elet%20logonDiff%20%3D%2010m%3B%3CBR%20%2F%3E%3CSTRONG%3E%3CFONT%20color%3D%22%230000FF%22%3Elet%20allowlist%20%3D%20(_GetWatchlist('ipallowlist')%20%7C%20project%20IPAddress)%3B%3C%2FFONT%3E%3C%2FSTRONG%3E%3CBR%20%2F%3ESigninLogs%3CBR%20%2F%3E%7C%20where%20TimeGenerated%20%26gt%3B%3D%20ago(timeFrame)%3CBR%20%2F%3E%3CSTRONG%3E%3CFONT%20color%3D%22%230000FF%22%3E%7C%20where%20IPAddress%20in%20(allowlist)%3C%2FFONT%3E%3CBR%20%2F%3E%3C%2FSTRONG%3E%E2%80%A6%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESubnets%20filtering%20can%20also%20be%20done%20using%20a%20watchlist%20by%20replacing%20in%20the%20subnets%20example%20above%2C%20the%20subnets%20table%20definition%20with%20a%20watchlist%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3Elet%20%3CSTRONG%3Esubnets%3C%2FSTRONG%3E%20%3D%20_GetWatchlist('subnetallowlist')%3B%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20hope%20you%20found%20this%20useful!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2158352%22%20slang%3D%22en-US%22%3E%3CP%3ENo%20detection%20rule%20is%20perfect.%20Learn%20how%20to%20handle%20false%20positives%20in%20Azure%20Sentinel.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Ofer_Shezaf_0-1614068171844.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F256948i253ADA63DBEB728F%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Ofer_Shezaf_0-1614068171844.png%22%20alt%3D%22Ofer_Shezaf_0-1614068171844.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2160828%22%20slang%3D%22en-US%22%3ERe%3A%20Handling%20false%20positives%20in%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2160828%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F293879%22%20target%3D%22_blank%22%3E%40Ofer_Shezaf%3C%2FA%3E%26nbsp%3Bthanks%20for%20this%20blog%20article.%20It's%20hugely%20helpful.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

When using Azure Sentinel, you are bound to get some false positives. No detection rule is perfect. In this blog post, we will learn how to handle false positives in scheduled analytics rules.

 

Understanding false positives

 

In most cases, false positives stem from specific entities such as users or IP addresses which should be excluded.  Common scenarios are:

  • During his normal activity, a user may often exhibit a pattern that can be viewed as suspected. This would often be a service principal.
  • An intentional security scanning activity coming from known IP addresses is often detected as malicious. 
  • A rule excludes private IP addresses. However, some internal IP addresses are not private and should also be excluded. 

 

Implementing false positive handling

 

The solution is to modify the rule queries, either by including the exceptions directly in the rule, or preferably, when possible, including a reference to a watchlist and managing the exception list in the watchlist.

 

Taking the typical rule preamble, you can add the blue line at the beginning of the query:

 

let timeFrame = 1d;
let logonDiff = 10m;
SigninLogs
| where TimeGenerated >= ago(timeFrame)
| where IPAddress in ('10.0.0.8', '192.168.12.1')

 

The relevant exception is not limited to IP addresses and might be for specific users (using the UserPrincipalName field) or Apps (using the AppDisplayName).

 

You can also exclude multiple attributes:

 

| where IPAddress in ('10.0.0.8', '192.168.12.1')
| where UserPrincipalName == 'user@microsoft.com' 

 

Or, to implement a more fine-grained exception when applicable, to reduce the chance for false negatives, by combining attributes:

 

  | where IPAddress == '10.0.0.8' and UserPrincipalName == 'user@microsoft.com'

 

Excluding subnets

 

The third use case described above, excluding IP ranges used by the organization, requires subnet exclusion. The following examples show how to exclude subnets. Note that since the ipv_lookup operator is an enrichment operator and not a filtering operator, the filtering is actually done in the following line by inspecting those events for which a match was not made.

 

let subnets = datatable(network:string) [ "111.68.128.0/17", "5.8.0.0/19", ...];
let timeFrame = 1d;
let logonDiff = 10m;
SigninLogs
| where TimeGenerated >= ago(timeFrame)
| evaluate ipv4_lookup(subnets, IPAddress, network, return_unmatched = true)
| where isempty(network)
| where ResultType == "0"

 

Using Watchlists to handle false positives outside of the rule itself

 

You can use a Watchlist to manage the list of IP addresses outside of the rule itself. When applicable, this is the preferred solutions and has several advantages:

  • This enables an analyst to add exceptions without editing the rule, which better follows SOC best practices.
  • The same watchlist can apply to multiple rules, enabling central exception management.

 

Using a watchlist is rather similar to using a direct exception:

 

let timeFrame = 1d;
let logonDiff = 10m;
let allowlist = (_GetWatchlist('ipallowlist') | project IPAddress);
SigninLogs
| where TimeGenerated >= ago(timeFrame)
| where IPAddress in (allowlist)

 

Subnets filtering can also be done using a watchlist by replacing in the subnets example above, the subnets table definition with a watchlist:

 

let subnets = _GetWatchlist('subnetallowlist');

 

I hope you found this useful!

 

1 Comment
Occasional Visitor

@Ofer_Shezaf thanks for this blog article. It's hugely helpful.