When do items show on the Potential malicious events map?

Valued Contributor

What is needed to get items to show up on the Potential malicious event map on the Overview page?  I read 

https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-use-azure-monitor-workbooks-to-map-sent...

 

and based on the query, I should have items show up here but I am not seeing anything.

14 Replies

Hi @Gary Bushey 

 

When you run the first query in "Prepare your query" section you get no rows returned?  This normally indicates you don't have data in at least of one the 6 tables + a MaliciousIP address match.

 

Do you have any Inbound or Outbound traffic, show up on the Sentinel Home Page - that would indicate you have the right data and a match?  

clipboard_image_0.png

@Gary Bushey you can work with query to grabs a data like, Longitude and Latitude, City and State etc..

You've many related Workbook in the Azure Sentinel GitHub like UserMap.json and others.
The following blog post can clarify a few points.

https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-use-azure-sentinel-to-follow-a-users-tr...

@CliveWatson that is the issue.  When I run the query in the Logs page I get data but nothing shows up on the Potential Malicious events map.  Does it ignore the time range selected at the top of the page as I had to go back a while to get data when running the query in the Logs page.

@Eli Shlomo thank you for your reply but I am asking specifically about the Potential malicious events map on the home page.  I was able to get the information to show up in a workbook. :)

Ok...I'll take a look in the next few days. I have an updated version ready to go into the Github but haven't got around to uploading yet.

@Gary Bushey 

 

1. Yes its using the Time Picker Parameter (called [TimeRange] ).   So in this screenshot you would see any data from the last 7days.

2. If you EDIT the workbook, and swap the visualization (see red arrow) from MAP to GRID do you still see data, when you "run query"?  I do a Top 10 on the very last line, you can comment that out to see more data (if any).

 

clipboard_image_0.png

@CliveWatson  Yes I see data.  I've attached the map image and the grid view shows the first 250 rows.

 

clipboard_image_0.png

@CliveWatson If it is better to take this offline let me know and I will post the results here.

@Gary Bushey 

 

If you have circles on the map its working,  you may also need to edit the default Lat and Long - as I set it to our office (the distances are calculated from there (in Miles) to the location we see the MaliciousIP).  I seemed to have missed that on the instructions - sorry!   

I'm planning to add a few major cities to the drop down's so you can select a default location - or add your own.  

 

clipboard_image_0.png

@CliveWatson Looking more into the queries on the page, If load the Finished Query (almost) I get no data returned because the MaliciousIP is always empty.

 

Which, I guess, brings me back to my original question (more or less), how would that field get filled in? :)

@Gary Bushey 

I spoke to this in my first reply.

 

This normally indicates you don't have data in at least of one the 6 tables + a MaliciousIP address match.

Do you have any Inbound or Outbound traffic, show up on the Sentinel Home Page - that would indicate you have the right data and a match?  

clipboard_image_1.png


If this counter on the map is Zero - then we dont have a match.  Essentially there is a feed of known Malicious IP addresses, if they correlate / match one that is seen in your logs then the counter goes from zero to 1 etc...   e.g. there is known IP of 1.1.1.1 and it was seen in your CEF logs (CommonsecuityLog), so that device (probably a Firewall) has a match with a know malicious IP . 

 

For this to occur you need to have a machine on the Internet (Public IP) and for it to get probed with a Malicious IP into one of the six tables we check.  If you have no machines on the internet or are blocking the log data in some way - you may not see these? 

 

Not having any Malicious IPs is a good thing - but you may want to carefully test this by exposing a machine (isolated from your others) for a short while to prove the capability is working.

 

 

 

 

 

 

@CliveWatson OK, it has gotten through my thick skull finally.  Thanks for all the help yet again.

Hi @CliveWatson 

 

Does that mean only logs ingested through CEF can be leveraged for geo mapping and malicious IP identification functionality ? Currently I am ingesting all the logs through rest API into custom tables that includes firewall logs that has most of the required information. Is it possible to work with custom tables to perform same function as of the CEF logs (CommonsecuityLog) for achieving the same goal ?

@Deepanshu_Marwah 

 

There are 11 geo spatial queries you can use, this is one https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/geo-distance-2points-function

They need a Longitude and Latitude to work, so that can come from any Table, from a query or in a workbook. 

The Map on the Azure Sentinel Overview page, uses 6 specific tables.  You can't alter that but you can take that query and use it yourself, like I did in the Workbook https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-use-azure-sentinel-to-follow-a-users-tr...

 

A KQL example from the Help

print distance_in_meters = geo_distance_2points(-122.407628, 47.578557, -118.275287, 34.019056)


You can use any Table 

VMConnection
| project RemoteLongitude, RemoteLatitude
| serialize 
| extend distanceTo = geo_distance_2points(RemoteLongitude, RemoteLatitude, prev(RemoteLongitude), prev(RemoteLatitude))
| order by distanceTo desc

, just replace "VMconnection" with your own table name, and pick the columns, that have your Longitude and Latitude in.   This is an example query and not a good one, just to illustrate my point. 

You can do this in a Query like above, or take the same Query and use in a Workbook, or a Sentinel Analytics rule or Hunting query etc...