SOLVED

Mapping IPs to autonomous systems number and name

Occasional Contributor

Hi

 

On other SIEMs I have found it really effective to map IP addresses to BGP AS numbers and then use the AS number in anomaly detection and the AS name when displaying related logs/events. This is an alternative to relying on often inaccurate IP-to-location mapping.

 

Does anyone know whether this mapping capability is already built in to Sentinel or, if not, whether there's a way to build it in?

 

Thanks!

1 Reply
Best Response confirmed by mrboxx (Occasional Contributor)
Solution

@mrboxx 

 

You could approach this with the externaldata operator as mentioned here: https://techcommunity.microsoft.com/t5/azure-sentinel/implementing-lookups-in-azure-sentinel-part-1-reference-files/ba-p/1091306

 

I downloaded the "IP4 to ASN map" from here: https://iptoasn.com/  (use a source you trust and you validate...this is just an example)

 

I uploaded that file to Azure Blob (after unpacking it to a .CSV file), then generated a SAS token and URL. I use the URL created in this query:

 

// the IP address to enrich with AS number and name
let iptofind = "13.64.0.100";
// read the IP-to-ASN range file straight from blob storage (SAS URL goes in place of the placeholder)
externaldata (first_ip:string, end_ip:string, as_num:int, country_code:string, description:string)
[@"https://< insert your URL here>"]
| project iptofind, first_ip, end_ip, as_num, description
// keep only the range whose start..end bounds contain the address, compared numerically
| where parse_ipv4(iptofind) between (parse_ipv4(first_ip) .. parse_ipv4(end_ip))
 
[Image: Annotation 2020-03-02 120730.jpg]

 

I use parse_ipv4 to work out which range the IP address I want falls in; it then returns the AS number (as_num) and description data.

 

You will have to download a new file on a regular basis (if required); maybe automate that with Logic Apps, or another option is to use Logic Apps to read the data using the API?

 

I hope that helps.

 

Clive
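The same range lookup, plus the anomaly-detection use the question asks about (flagging a user appearing from an AS number not in their baseline), as an added Python example. This is not Clive's query and not Sentinel code; it assumes the tab-separated layout of the iptoasn.com file as I understand it (range_start, range_end, AS_number, country_code, AS_description, with AS number 0 meaning "not routed"). The table rows, events and baseline below are constructed sample data, not real ASN assignments.

```python
"""IP -> BGP AS enrichment over a sorted range table, with a per-user new-ASN check.

Added example, not from the original thread. Assumes the iptoasn-style
five-column TSV layout; all rows, events and baselines here are constructed.
"""
import bisect
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed range table: documentation prefixes and private-use AS numbers
# (64496-64511), shaped like ip2asn-v4.tsv. Not real data.
SAMPLE_TSV = (
    "10.0.0.0\t10.255.255.255\t0\tNone\tNot routed\n"
    "13.64.0.0\t13.107.255.255\t64500\tUS\tEXAMPLE-CLOUD-A\n"
    "13.108.0.0\t13.108.255.255\t0\tNone\tNot routed\n"
    "198.51.100.0\t198.51.100.255\t64501\tDE\tEXAMPLE-HOSTER-B\n"
    "203.0.113.0\t203.0.113.255\t64502\tNL\tEXAMPLE-VPN-C\n"
)


@dataclass(frozen=True)
class AsRange:
    first: int          # range start as a 32-bit integer
    last: int           # range end, inclusive
    as_num: int
    country: str
    description: str


def load_ranges(tsv_text: str) -> List[AsRange]:
    """Parse the TSV, sort by range start and reject overlapping ranges.

    The overlap check matters for a lookup table you fetched from outside:
    a corrupt or tampered file with overlapping rows would give ambiguous
    answers, so fail loudly instead of silently picking one.
    """
    ranges = []
    for line in tsv_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        first, last, asn, cc, desc = line.split("\t", 4)
        ranges.append(AsRange(int(ipaddress.IPv4Address(first)),
                              int(ipaddress.IPv4Address(last)),
                              int(asn), cc, desc))
    ranges.sort(key=lambda r: r.first)
    for a, b in zip(ranges, ranges[1:]):
        if b.first <= a.last:
            raise ValueError(f"overlapping ranges: {a} / {b}")
    return ranges


class AsnLookup:
    """Binary search on sorted range starts: O(log n) per address."""

    def __init__(self, ranges: List[AsRange]):
        self._ranges = ranges
        self._starts = [r.first for r in ranges]

    def lookup(self, ip: str) -> Optional[AsRange]:
        """Return the routed range containing ip, or None (unrouted / not in table)."""
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self._starts, n) - 1
        if i >= 0:
            r = self._ranges[i]
            if r.first <= n <= r.last and r.as_num != 0:
                return r
        return None


def enrich(events: List[Tuple[str, str]], lookup: AsnLookup) -> List[dict]:
    """Attach as_num / as_name to (user, source_ip) events; unknown -> None / 'UNKNOWN'."""
    out = []
    for user, ip in events:
        r = lookup.lookup(ip)
        out.append({"user": user, "ip": ip,
                    "as_num": r.as_num if r else None,
                    "as_name": r.description if r else "UNKNOWN"})
    return out


def new_asn_per_user(enriched: List[dict], baseline: Dict[str, Set[int]]) -> List[dict]:
    """Flag events where a user shows up from an AS number outside their baseline.

    Unresolved addresses (as_num None) are left alone rather than flagged,
    so gaps in the table don't turn into a flood of alerts.
    """
    return [e for e in enriched
            if e["as_num"] is not None
            and e["as_num"] not in baseline.get(e["user"], set())]


# Constructed sign-in events and historical per-user AS baselines.
SAMPLE_EVENTS = [("alice", "13.64.0.100"), ("alice", "13.65.12.7"),
                 ("alice", "203.0.113.9"), ("bob", "198.51.100.20"),
                 ("bob", "192.0.2.1")]
SAMPLE_BASELINE = {"alice": {64500}, "bob": {64501}}


def run_demo() -> List[dict]:
    """Full pipeline on the constructed data; returns the flagged events."""
    lookup = AsnLookup(load_ranges(SAMPLE_TSV))
    return new_asn_per_user(enrich(SAMPLE_EVENTS, lookup), SAMPLE_BASELINE)


if __name__ == "__main__":
    for e in run_demo():
        print(f"{e['user']} from AS{e['as_num']} ({e['as_name']}) via {e['ip']}")
```

The KQL `between` on the page scans the whole file for each address, which is fine inside a single query; when the same table is consulted for every event in a batch, sorting once and bisecting is the usual shape. Treating AS number 0 and out-of-table addresses as "unknown" rather than as a hit keeps the anomaly logic from keying on a meaningless value.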