Feb 28 2020 06:17 PM
Feb 28 2020 06:17 PM
On other SIEM's I have found it really effective to map IP addresses to BGP AS numbers and then use the AS number in anomaly detection and the AS name when displaying related logs/events. This is an alternate to relying on often inaccurate IP-to-location mapping.
Does anyone know whether this is mapping capability is already built-in to sentinel or if not, whether there's a way to build-in?
Mar 02 2020 04:15 AMSolution
You could approach this with the externaldata operator as mentioned here: https://techcommunity.microsoft.com/t5/azure-sentinel/implementing-lookups-in-azure-sentinel-part-1-...
I downloaded the "IP4 to ASN map" from here: https://iptoasn.com/ (use a source you trust and you validate...this is just an example)
I uploaded that file to Azure Blob (after unpacking it to a .CSV file), then generated a SAS token and URL. I use the URL created in this query
I use parse_ipv4 to work out where in the range the IP address I want is, it then returns the AS_Number (as_num) and description data.
You will have to download a new file on a regular basis (if required), maybe automate that with Logic Apps or another option is to use Logic Apps to read the data using the api?
I hope that helps.
Dec 06 2021 09:08 PM
Dec 07 2021 01:54 AM
This would be one way
let IP_Data = external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string,country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool) ['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']; let ip_list = dynamic(["126.96.36.199","188.8.131.52","184.108.40.206","220.127.116.11"]); IP_Data | extend justIP = split(network,@"/"). | where justIP in (ip_list)
Ip_data gets a list from the ...geoip2-ip4.csv file. The column "network" is an ip address list (in the format 18.104.22.168/32), so with the extend = justIp I remove the "/32" part. You can then use that IP address to compare against you dynamic list using the .
| where justIP in (ip_list)