May 10 2022 12:19 AM
Hi
I am looking to troubleshoot the outbound logs that are not fetched in Azure Sentinel so I can review the logs:
May 10 2022 01:02 AM
Why do you think they are not fetched? The query uses up to 6 data sources; only four, the WireData, WindowsFirewall, CommonSecurityLog and VMConnection tables, will show an "Outbound" status, and only if there is a Malicious state (so zero or a very low number is expected).
// Each source is normalized to the same TrafficDirection / Country / Latitude / Longitude
// columns, then only rows that carry a MaliciousIP and a geolocation are counted per direction.
union isfuzzy=true
    (W3CIISLog
    | extend
        TrafficDirection = "InboundOrUnknown",   // no direction field: never "Outbound"
        Country = RemoteIPCountry,
        Latitude = RemoteIPLatitude,
        Longitude = RemoteIPLongitude),
    (DnsEvents
    | extend
        TrafficDirection = "InboundOrUnknown",   // no direction field: never "Outbound"
        Country = RemoteIPCountry,
        Latitude = RemoteIPLatitude,
        Longitude = RemoteIPLongitude),
    (WireData
    | extend
        TrafficDirection = iff(Direction != "Outbound", "InboundOrUnknown", "Outbound"),
        Country = RemoteIPCountry,
        Latitude = RemoteIPLatitude,
        Longitude = RemoteIPLongitude),
    (WindowsFirewall
    | extend
        TrafficDirection = iff(CommunicationDirection != "SEND", "InboundOrUnknown", "Outbound"),
        Country = MaliciousIPCountry,
        Latitude = MaliciousIPLatitude,
        Longitude = MaliciousIPLongitude),
    (CommonSecurityLog
    | extend
        TrafficDirection = iff(CommunicationDirection !in ("Outbound", "1"), "InboundOrUnknown", "Outbound"),
        Country = MaliciousIPCountry,
        Latitude = MaliciousIPLatitude,
        Longitude = MaliciousIPLongitude,
        Confidence = ThreatDescription,
        Description = ThreatDescription),
    (VMConnection
    | where Type == "VMConnection"
    | extend
        TrafficDirection = iff(Direction != "outbound", "InboundOrUnknown", "Outbound"),
        Country = RemoteCountry,
        Latitude = RemoteLatitude,
        Longitude = RemoteLongitude,
        MaliciousIP = MaliciousIp)   // VMConnection names the column MaliciousIp
// Only rows with a malicious IP match and a resolvable location are counted.
| where isnotempty(MaliciousIP)
    and isnotempty(Country)
    and isnotempty(Latitude)
    and isnotempty(Longitude)
| summarize count() by TrafficDirection
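An added diagnostic query, not part of this thread or of the workbook, for checking why the "Outbound" bucket stays at zero: it looks only at the four tables that can produce "Outbound", and for each one reports how many rows exist at all, how many carry a MaliciousIP, and which raw direction values actually occur, so you can tell whether the data never arrives, never gets a threat-intelligence match, or simply uses a direction value the workbook's iff() does not expect. It assumes the standard TimeGenerated column and a 7-day window; SourceTable and RawDirection are names introduced here.

```kusto
// Added troubleshooting query (assumed names: SourceTable, RawDirection; 7-day window).
// isfuzzy=true keeps the query running even if one of the tables does not exist in the workspace.
union isfuzzy=true
    (WireData
    | extend SourceTable = "WireData", RawDirection = Direction),
    (WindowsFirewall
    | extend SourceTable = "WindowsFirewall", RawDirection = CommunicationDirection),
    (CommonSecurityLog
    | extend SourceTable = "CommonSecurityLog", RawDirection = CommunicationDirection),
    (VMConnection
    | where Type == "VMConnection"
    | extend SourceTable = "VMConnection", RawDirection = Direction, MaliciousIP = MaliciousIp)
| where TimeGenerated > ago(7d)
| summarize
    TotalRows = count(),                                   // is the table ingesting at all?
    RowsWithMaliciousIP = countif(isnotempty(MaliciousIP)), // is there any TI match to count?
    DirectionValues = make_set(RawDirection, 20)           // do the raw values match the iff() checks?
    by SourceTable
```

A table with TotalRows > 0 but RowsWithMaliciousIP = 0 is ingesting normally and the zero is expected; a DirectionValues set that lacks "Outbound", "SEND", "1" or "outbound" for the respective table means outbound rows exist but are being bucketed as "InboundOrUnknown".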