Feb 28 2020 06:17 PM
Hi
On other SIEMs I have found it really effective to map IP addresses to BGP AS numbers and then use the AS number in anomaly detection and the AS name when displaying related logs/events. This is an alternative to relying on often inaccurate IP-to-location mapping.
Does anyone know whether this mapping capability is already built into Sentinel or, if not, whether there's a way to build it in?
Thanks!
Mar 02 2020 04:15 AM
Solution
You could approach this with the externaldata operator as mentioned here: https://techcommunity.microsoft.com/t5/azure-sentinel/implementing-lookups-in-azure-sentinel-part-1-...
I downloaded the "IP4 to ASN map" from here: https://iptoasn.com/ (use a source you trust and validate... this is just an example).
I uploaded that file to Azure Blob (after unpacking it to a .CSV file), then generated a SAS token and URL. I use the URL created in this query.
I use parse_ipv4 to work out where in the range the IP address I want is; it then returns the AS_Number (as_num) and description data.
You will have to download a new file on a regular basis (if required); maybe automate that with Logic Apps, or another option is to use Logic Apps to read the data using the API?
I hope that helps.
Clive
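An added example of the externaldata + parse_ipv4 range lookup described in the answer above (not Clive's own query). It assumes the iptoasn.com IPv4 map was unpacked and uploaded to a blob container; the storage account, container and SAS token are placeholders, and the sign-in events are a constructed datatable standing in for a real table such as SigninLogs.

```kql
// iptoasn's IPv4 file has no header and five columns:
//   range_start  range_end  AS_number  country_code  AS_description
// The download is tab-separated (format="tsv"); if you converted it to CSV
// as described above, change this to format="csv".
let AsnMap = externaldata(range_start:string, range_end:string, as_num:long,
                          country:string, description:string)
    [@"https://<storage-account>.blob.core.windows.net/<container>/ip2asn-v4.tsv?<SAS-token>"]
    with (format="tsv")
    // Convert the range bounds to integers once, so the comparison below is numeric
    | extend range_start_n = parse_ipv4(range_start), range_end_n = parse_ipv4(range_end)
    // iptoasn marks unrouted / unannounced space with AS number 0; drop it
    | where as_num != 0;
// Constructed sample events (hypothetical); replace with SigninLogs or any table
// that carries a source IP column
let Events = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string)
[
    datetime(2020-02-28 18:17:00), "alice@contoso.example", "203.0.113.7",
    datetime(2020-02-28 18:19:00), "alice@contoso.example", "198.51.100.22"
];
Events
| extend ip_n = parse_ipv4(IPAddress)
// KQL join needs an equality key, so join on a constant and keep only the
// row whose range contains the IP. kind=inner is required: the default
// innerunique would keep one arbitrary left row per key. This is a cross join,
// so restrict Events (time window, user) before running it against a large map.
| extend k = 1
| join kind=inner (AsnMap | extend k = 1) on k
| where ip_n between (range_start_n .. range_end_n)
| project TimeGenerated, UserPrincipalName, IPAddress, as_num, description
// The resulting as_num column is what feeds anomaly detection (e.g. first
// sign-in from a previously unseen AS for this user); description is for display.
```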