Microsoft Tech Community

Outbound logs are not fetched by Sentinel


Hi,
I am looking to troubleshoot the outbound logs that are not fetched in Azure Sentinel so I can review the logs:



@Abdul_Haadi 

Why do you think they are not fetched? The query uses up to 6 data sources; only four of them (WireData, WindowsFirewall, CommonSecurityLog and VMConnection) will show an "Outbound" status, and only if there is a malicious state (so zero or a very low number is expected).


union isfuzzy=true
    (W3CIISLog
    | extend
        TrafficDirection = "InboundOrUnknown",
        Country=RemoteIPCountry,
        Latitude=RemoteIPLatitude,
        Longitude=RemoteIPLongitude),
    (DnsEvents
    | extend
        TrafficDirection = "InboundOrUnknown",
        Country= RemoteIPCountry,
        Latitude = RemoteIPLatitude,
        Longitude = RemoteIPLongitude),
    (WireData
    | extend
        TrafficDirection = iff(Direction != "Outbound", "InboundOrUnknown", "Outbound"),
        Country=RemoteIPCountry,
        Latitude=RemoteIPLatitude,
        Longitude=RemoteIPLongitude),
    (WindowsFirewall
    | extend
        TrafficDirection = iff(CommunicationDirection != "SEND", "InboundOrUnknown", "Outbound"),
        Country=MaliciousIPCountry,
        Latitude=MaliciousIPLatitude,
        Longitude=MaliciousIPLongitude),
    (CommonSecurityLog
    | extend
        TrafficDirection = iff(CommunicationDirection !in ("Outbound", "1"), "InboundOrUnknown", "Outbound"),
        Country=MaliciousIPCountry,
        Latitude=MaliciousIPLatitude,
        Longitude=MaliciousIPLongitude,
        Confidence=ThreatDescription,
        Description=ThreatDescription),
    (VMConnection
    | where Type == "VMConnection"
    | extend
        TrafficDirection = iff(Direction != "outbound", "InboundOrUnknown", "Outbound"),
        Country=RemoteCountry,
        Latitude=RemoteLatitude,
        Longitude=RemoteLongitude,
        MaliciousIP=MaliciousIp)
| where isnotempty(MaliciousIP)
    and isnotempty(Country)
    and isnotempty(Latitude)
    and isnotempty(Longitude)
| summarize count() by TrafficDirection
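A first troubleshooting step, added here as an example and not part of the reply above: before concluding that outbound rows are missing, count the raw direction values per source table without the MaliciousIP and geo filters. That separates "no outbound traffic is being ingested at all" from "outbound traffic is ingested but none of it is flagged as malicious", which is the normal case the reply describes. Table and column names are the ones used in the query above; the 24-hour lookback and the `SourceTable`/`RawDirection` names are assumptions for this example.

```kql
// Added troubleshooting query, not part of the original thread.
// Counts raw direction values per source table for the last 24h (assumed window)
// BEFORE the MaliciousIP / geo filters of the original query, so you can tell
// "no outbound traffic ingested" apart from "outbound traffic ingested but
// none flagged malicious".
let lookback = 24h;
union isfuzzy=true
    (WireData
    | where TimeGenerated > ago(lookback)
    | extend SourceTable = "WireData", RawDirection = tostring(Direction)),
    (WindowsFirewall
    | where TimeGenerated > ago(lookback)
    | extend SourceTable = "WindowsFirewall", RawDirection = tostring(CommunicationDirection)),
    (CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | extend SourceTable = "CommonSecurityLog", RawDirection = tostring(CommunicationDirection)),
    (VMConnection
    | where TimeGenerated > ago(lookback)
    | where Type == "VMConnection"
    // VMConnection spells the column MaliciousIp; align it with the other tables
    | extend SourceTable = "VMConnection", RawDirection = tostring(Direction),
             MaliciousIP = MaliciousIp)
// Rows that would survive the malicious-IP filter in the original query.
// column_ifexists() keeps the query from failing if a table lacks the column.
| extend HasMaliciousIP = isnotempty(column_ifexists("MaliciousIP", ""))
| summarize
    Rows = count(),
    RowsWithMaliciousIP = countif(HasMaliciousIP)
    by SourceTable, RawDirection
| order by SourceTable asc, Rows desc
```

Reading the result: if a table shows no rows at all, the connector or agent for that source is the problem, not the query. If `Rows` is large for the outbound values ("Outbound", "SEND", "1", "outbound") but `RowsWithMaliciousIP` is zero, the data is arriving and the original query is simply doing what it is meant to do. The `RawDirection` column also shows the actual per-table encoding of direction, which is why the original query normalizes each table with a different `iff()` expression.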