SOLVED

Where does the MaliciousIP field come from in this query?


This is the query for the Potential Malicious Events map on the Azure Sentinel homepage.


union isfuzzy=true
(W3CIISLog
| extend TrafficDirection = "InboundOrUnknown", Country=RemoteIPCountry, Latitude=RemoteIPLatitude, Longitude=RemoteIPLongitude),
(DnsEvents
| extend TrafficDirection = "InboundOrUnknown", Country= RemoteIPCountry, Latitude = RemoteIPLatitude, Longitude = RemoteIPLongitude),
(WireData
| extend TrafficDirection = iff(Direction != "Outbound", "InboundOrUnknown", "Outbound"), Country=RemoteIPCountry, Latitude=RemoteIPLatitude, Longitude=RemoteIPLongitude),
(WindowsFirewall
| extend TrafficDirection = iff(CommunicationDirection != "SEND", "InboundOrUnknown", "Outbound"), Country=MaliciousIPCountry, Latitude=MaliciousIPLatitude, Longitude=MaliciousIPLongitude),
(CommonSecurityLog
| extend TrafficDirection = iff(CommunicationDirection != "Outbound", "InboundOrUnknown", "Outbound"), Country=MaliciousIPCountry, Latitude=MaliciousIPLatitude, Longitude=MaliciousIPLongitude, Confidence=ThreatDescription, Description=ThreatDescription),
(VMConnection
| where Type == "VMConnection"
| extend TrafficDirection = iff(Direction != "outbound", "InboundOrUnknown", "Outbound"), Country=RemoteCountry, Latitude=RemoteLatitude, Longitude=RemoteLongitude)
| where isnotempty(MaliciousIP) and isnotempty(Country) and isnotempty(Latitude) and isnotempty(Longitude)


Where the heck does that MaliciousIP field come from?  If I run the query without the last "where" clause I do not see it but when I run the entire query it shows up.

2 Replies
best response confirmed by Gary Bushey (Valued Contributor)
Solution
We have looked into this somewhat as well. If you pull up the log table for something like CommonSecurityLog, Zscaler or WindowsFirewall, you will see that MaliciousIP (and the Malicious Lat/Long/Country columns) are already in those tables. You will need to make sure those boxes are checked in the Columns drop-down in the results. When you do see them, almost all of them are empty. It seems that those boxes DO get filled in as the logs come in and match a corresponding malicious entity that exists in the tables of ThreatIntelligenceIndicators, or are a part of the Threat Intel Data Connector, or even part of the "under the hood" threat intel that MSFT provides. I think there is a bit of "under the hood" stuff going on as logs come in, which makes this different than, say, a lookback on DNS requests compared to domains in the TI indicators.

I have not checked if the MaliciousIP table columns exist before Threat Intel is turned on, but it might be fun to check when spinning up your next instance.
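One way to see this for yourself, as an added example that is not part of the answer above or of the Sentinel workbook query: the KQL below unions the same six tables the homepage map uses, tags each row with the table it came from, and counts how many rows actually carry a MaliciousIP value. The table and column names are taken from the query in the question; the 7-day window and the output column names are my own choices. Because `union` returns a null for any column that a given table does not have, and `isfuzzy=true` tolerates tables that do not exist in the workspace, the query runs even in a workspace that only ingests some of these sources.

```kusto
// Added example (not from the original post or the Sentinel workbook):
// how often is the MaliciousIP enrichment actually populated, per source table?
// Assumes the table and column names used in the homepage map query.
let lookback = 7d;                         // assumed window; adjust as needed
union withsource=SourceTable isfuzzy=true
    W3CIISLog, DnsEvents, WireData, WindowsFirewall, CommonSecurityLog, VMConnection
| where TimeGenerated > ago(lookback)
| summarize
    TotalRows           = count(),
    // rows where the threat-intel enrichment wrote an IP into MaliciousIP
    WithMaliciousIP     = countif(isnotempty(MaliciousIP)),
    // rows where the geo columns used by the map were populated
    WithGeo             = countif(isnotempty(MaliciousIPCountry)
                                  or isnotempty(RemoteIPCountry)
                                  or isnotempty(RemoteCountry)),
    DistinctMaliciousIP = dcount(MaliciousIP),
    FirstEnriched       = minif(TimeGenerated, isnotempty(MaliciousIP)),
    LastEnriched        = maxif(TimeGenerated, isnotempty(MaliciousIP))
    by SourceTable
| extend PctEnriched = round(100.0 * WithMaliciousIP / TotalRows, 2)
| order by WithMaliciousIP desc
```

A table that shows up with TotalRows > 0 and WithMaliciousIP = 0 has the column but nothing has matched threat intel for it in the window, which is the "almost all of them are empty" case described above. To confirm that the column exists at all, independent of whether any row populates it, run `CommonSecurityLog | getschema | where ColumnName startswith "Malicious"` (substituting the table of interest); `getschema` lists the table's columns, so it answers the question even when the results grid hides empty columns.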
Got it. It is strange; I thought that when you opened a result using the greater-than sign on the left it would show all the columns. I guess I was wrong. Thanks for the answer.