Jan 24 2020 07:13 AM
What is needed to get items to show up on the Potential malicious event map on the Overview page? I read
and based on the query, I should have items show up here but I am not seeing anything.
Jan 25 2020 07:37 AM
Hi @Gary Bushey
When you run the first query in "Prepare your query" section you get no rows returned? This normally indicates you don't have data in at least of one the 6 tables + a MaliciousIP address match.
Do you have any Inbound or Outbound traffic, show up on the Sentinel Home Page - that would indicate you have the right data and a match?
Jan 25 2020 08:31 AM
@Gary Bushey you can work with query to grabs a data like, Longitude and Latitude, City and State etc..
You've many related Workbook in the Azure Sentinel GitHub like UserMap.json and others.
The following blog post can clarify a few points.
Jan 25 2020 08:56 AM
@CliveWatson that is the issue. When I run the query in the Logs page I get data but nothing shows up on the Potential Malicious events map. Does it ignore the time range selected at the top of the page as I had to go back a while to get data when running the query in the Logs page.
Jan 25 2020 08:58 AM
@Eli Shlomo thank you for your reply but I am asking specifically about the Potential malicious events map on the home page. I was able to get the information to show up in a workbook. 🙂
Jan 25 2020 12:56 PM
Jan 26 2020 03:31 AM
1. Yes its using the Time Picker Parameter (called [TimeRange] ). So in this screenshot you would see any data from the last 7days.
2. If you EDIT the workbook, and swap the visualization (see red arrow) from MAP to GRID do you still see data, when you "run query"? I do a Top 10 on the very last line, you can comment that out to see more data (if any).
Jan 26 2020 05:19 AM
@CliveWatson Yes I see data. I've attached the map image and the grid view shows the first 250 rows.
Jan 26 2020 05:25 AM
@CliveWatson If it is better to take this offline let me know and I will post the results here.
Jan 26 2020 07:15 AM
If you have circles on the map its working, you may also need to edit the default Lat and Long - as I set it to our office (the distances are calculated from there (in Miles) to the location we see the MaliciousIP). I seemed to have missed that on the instructions - sorry!
I'm planning to add a few major cities to the drop down's so you can select a default location - or add your own.
Jan 26 2020 12:11 PM
@CliveWatson Looking more into the queries on the page, If load the Finished Query (almost) I get no data returned because the MaliciousIP is always empty.
Which, I guess, brings me back to my original question (more or less), how would that field get filled in? 🙂
Jan 27 2020 03:26 AM
I spoke to this in my first reply.
This normally indicates you don't have data in at least of one the 6 tables + a MaliciousIP address match.
Do you have any Inbound or Outbound traffic, show up on the Sentinel Home Page - that would indicate you have the right data and a match?
If this counter on the map is Zero - then we dont have a match. Essentially there is a feed of known Malicious IP addresses, if they correlate / match one that is seen in your logs then the counter goes from zero to 1 etc... e.g. there is known IP of 1.1.1.1 and it was seen in your CEF logs (CommonsecuityLog), so that device (probably a Firewall) has a match with a know malicious IP .
For this to occur you need to have a machine on the Internet (Public IP) and for it to get probed with a Malicious IP into one of the six tables we check. If you have no machines on the internet or are blocking the log data in some way - you may not see these?
Not having any Malicious IPs is a good thing - but you may want to carefully test this by exposing a machine (isolated from your others) for a short while to prove the capability is working.
Jan 27 2020 05:17 AM
@CliveWatson OK, it has gotten through my thick skull finally. Thanks for all the help yet again.
Sep 23 2020 07:42 PM - edited Sep 23 2020 07:43 PM
Hi @CliveWatson
Does that mean only logs ingested through CEF can be leveraged for geo mapping and malicious IP identification functionality ? Currently I am ingesting all the logs through rest API into custom tables that includes firewall logs that has most of the required information. Is it possible to work with custom tables to perform same function as of the CEF logs (CommonsecuityLog) for achieving the same goal ?
Sep 24 2020 12:07 AM
There are 11 geo spatial queries you can use, this is one https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/geo-distance-2points-function
They need a Longitude and Latitude to work, so that can come from any Table, from a query or in a workbook.
The Map on the Azure Sentinel Overview page, uses 6 specific tables. You can't alter that but you can take that query and use it yourself, like I did in the Workbook https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-use-azure-sentinel-to-follow-a-users-tr...
A KQL example from the Help
print distance_in_meters = geo_distance_2points(-122.407628, 47.578557, -118.275287, 34.019056)
You can use any Table
VMConnection
| project RemoteLongitude, RemoteLatitude
| serialize
| extend distanceTo = geo_distance_2points(RemoteLongitude, RemoteLatitude, prev(RemoteLongitude), prev(RemoteLatitude))
| order by distanceTo desc
, just replace "VMconnection" with your own table name, and pick the columns, that have your Longitude and Latitude in. This is an example query and not a good one, just to illustrate my point.
You can do this in a Query like above, or take the same Query and use in a Workbook, or a Sentinel Analytics rule or Hunting query etc...