SOLVED

Mapping IPs to autonomous systems number and name

Occasional Contributor

Hi

 

On other SIEM's I have found it really effective to map IP addresses to BGP AS numbers and then use the AS number in anomaly detection and the AS name when displaying related logs/events. This is an alternate to relying on often inaccurate IP-to-location mapping.

 

Does anyone know whether this is mapping capability is already built-in to sentinel or if not, whether there's a way to build-in?

 

Thanks!

2 Replies
best response confirmed by mrboxx (Occasional Contributor)
Solution

@mrboxx 

 

You could approach this with the  externaldata operator as mentioned here: https://techcommunity.microsoft.com/t5/azure-sentinel/implementing-lookups-in-azure-sentinel-part-1-...

 

I downloaded the "IP4 to ASN map" from here: https://iptoasn.com/  (use a source you trust and you validate...this is just an example)

 

I uploaded that file to Azure Blob (after unpacking it to a .CSV file), then generated a SAS token and URL.  I use the URL created in this query

 

let iptofind = "13.64.0.100";
externaldata (first_ip:string, end_ip:string, as_num:int, country_code:string, description:string)
[@"https://< insert your URL here>"]
| project iptofind, first_ip, end_ip, as_num, description
| where parse_ipv4(iptofind) between (parse_ipv4(first_ip).. parse_ipv4(end_ip))
 
Annotation 2020-03-02 120730.jpg

 

I use parse_ipv4 to work out where in the range the IP address I want is, it then returns the AS_Number (as_num) and description data.

 

You will have to download a new file on a regular basis (if required), maybe automate that with Logic Apps or another option is to use Logic Apps to read the data using the api?

 

I hope that helps.

 

Clive

 

 

Hi Clive,
Cool search syntax.
Just a quick follow up question,
How can we make this iteratively through a dynamic list? Thank you.

e.g. let ip_list = dynamic(["8.8.8.8","1.1.1.1","1.0.8.23"]);