Find out if your servers are talking to a Malicious IP address with Operations Management Suite
Published Feb 16 2019 02:24 AM
First published on TECHNET on Sep 10, 2015

One good way to safeguard your servers is to ensure that they aren’t communicating with any malicious IP addresses. In OMS we now provide a centralized view showing all the known malicious IPs your managed servers and clients may be communicating with. Working with the Microsoft Threat Intelligence Center (MSTIC), we are now able to get hourly updates on the latest known malicious IPs and inform you if any of your servers may be compromised. The MSTIC team works with various third-party threat intelligence partners to gather and provide this consolidated list to our service.


The malicious IP view can be found inside the Security & Audit solution in the OMS portal.




You can drill down into this tile and view the complete list of distinct suspicious IP addresses your devices may be communicating with. We scan all the data sources feeding into Operations Management Suite, such as firewall logs, IIS logs, and WireData.



We provide several useful fields: the threat type (for example botnet, proxy, darknet, or malware command and control node), a description of the threat type, and our confidence level that the IP address is malicious. This is the data that Microsoft uses to protect itself, which we are now making available to our OMS customers.



If you would like to see a list of all the servers in your environment that may be communicating with a malicious IP, you could use this query: IsActive=True | measure count() by Computer
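The correlation described above, as an added offline illustration (not OMS code and not how the service is implemented): client IPs parsed from IIS W3C logs are matched against a threat feed carrying threat type and confidence, then counted per computer as the query does. The feed entries, log lines, computer names, function names, the 0-100 confidence scale and the threshold of 50 are all constructed assumptions.

```python
import ipaddress
from collections import Counter
# Constructed threat feed (RFC 5737 documentation addresses): network, type, confidence.
FEED = [("203.0.113.0/28", "botnet", 90),
        ("198.51.100.77/32", "malware command and control node", 75),
        ("192.0.2.200/32", "proxy", 30)]
# Constructed IIS W3C log excerpts, keyed by the computer that wrote them.
IIS_LOGS = {
    "WEB01": """#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2015-09-10 10:00:01 10.0.0.5 GET /default.aspx 80 203.0.113.9 200
2015-09-10 10:00:02 10.0.0.5 GET /login.aspx 80 10.0.0.44 200
2015-09-10 10:00:07 10.0.0.5 POST /login.aspx 80 203.0.113.9 401
""",
    "WEB02": """#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2015-09-10 10:01:00 10.0.0.6 GET /robots.txt 80 198.51.100.77 404
2015-09-10 10:01:05 10.0.0.6 GET /index.html 80 192.0.2.200 200
2015-09-10 10:01:09 10.0.0.6 GET /index.html 80 - 200
""",
}

def parse_w3c(text):
    """Yield one dict per request, naming columns from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def match(ip, feed):
    """Return the highest-confidence (type, confidence) entry covering ip, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # "-" or a malformed field
        return None
    hits = [(t, c) for net, t, c in feed if addr in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[1]) if hits else None

def malicious_by_computer(logs, feed=FEED, min_confidence=50):
    """Count log rows per computer whose client IP is a confident feed match."""
    counts = Counter()
    for computer, text in logs.items():
        for row in parse_w3c(text):
            hit = match(row.get("c-ip", ""), feed)
            if hit and hit[1] >= min_confidence:
                counts[computer] += 1
    return dict(counts)
```

Lowering `min_confidence` also counts the low-confidence proxy entry on WEB02, which shows why the confidence field matters when deciding which matches to triage first.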


We look forward to you using this new capability and hope to get your feedback. If you have any comments or suggestions, please feel free to post them on our UserVoice forum.



Satya Vel


Program Manager for Operations Management Suite


Last update: Mar 11 2019 10:24 AM