AMA Local IP Layer information

New Contributor

For our MSSP SOC service we use Azure Sentinel and have onboarded all our on-premises machines to LogAnalytics with the AMA. When we investigate behaviour from workstations and find suspicious behaviour, we often like to provide granular information about this workstation. It would be desirable to add a local source address for the specific machine. However, in Azure Sentinel we'd only see the outbound addresses from the premises in our logging.


Is there a way for us to deduce/find the local addresses of machines which have an Azure Agent, or would we have to onboard additional events?

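One way to approach the question above, as an added KQL example that is not part of the original post: the Log Analytics Heartbeat table carries a ComputerPrivateIPs column, which can be joined onto event data by Computer to attach the host's local address. It assumes the agent in your workspace actually populates ComputerPrivateIPs and that Windows Security Events are being collected into SecurityEvent; the EventID filter is just a sample signal.

```kql
// Added example (not from the original post): enrich Sentinel events with the
// private IPs each host last reported in its Heartbeat record.
// Assumption: the agent populates Heartbeat.ComputerPrivateIPs in this workspace.
let LocalIPs = Heartbeat
    | where TimeGenerated > ago(1d)
    | where isnotempty(ComputerPrivateIPs)
    // keep only the most recent heartbeat per host
    | summarize arg_max(TimeGenerated, ComputerPrivateIPs) by Computer
    | project Computer, LocalIPs = ComputerPrivateIPs, LastHeartbeat = TimeGenerated;
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4625          // failed logons, used here only as a sample signal
| join kind=leftouter LocalIPs on Computer
// IpAddress is the remote address in the event; LocalIPs is the host's own address list
| project TimeGenerated, Computer, Account, IpAddress, LocalIPs, LastHeartbeat
| order by TimeGenerated desc
```

Hosts with an empty LocalIPs column after the join are the ones whose agent did not report a private address, which tells you whether additional data sources are needed before relying on this enrichment.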