Comments (6)
The Detections are meant to be used as is, but in some cases may need some tuning for a given environment. The HighConfTIDetection is looking at connections that contain a MaliciousIP which is identified by our internal TI feed and automatically joined to the Firewall data as context. While our TI team tries to keep this from getting stale or incorrect data, it is possible the TI is incorrect. In the case of the HighConfTIDetection, it looks like we missed making sure it was a connection versus a blocked connection. If you have other detections that are firing alerts that are incorrect or inconclusive, can you submit additional Issues for those or potentially use our request feedback form to send directly to my team. The form is at the bottom of this Blog - https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-Blog-Table-of-Contents/ba-p/731727
I am out of the office until Wednesday, but will have someone look at the HighConfTIDetection while I am out.
Thanks,
Shain
@DSharpPro thanks for the feedback, as @shainw said we want to filter out blocked connections. I have made some changes to a couple of rules including HighConfTIDetection.txt, you can see what we have done in the PR (#214).
Please give this updated query a test in your Sentinel workspace and let us know if this improves the fidelity of this detection. We create these queries with the aim to be as widely applicable as possible but vendor log messages differ so we might not have quite the right syntax for every vendor. Can you let us know what firewall vendor you are using and I can try and make sure that is covered in the scope of this query.
Thanks,
Pete
@DSharpPro - Thanks for the participation in general, and if you happen to be at Blackhat, our team will be there and several of us will be at the Azure Sentinel booth, including Pete, who did the fix you mentioned above. Hope to see you and any of our other GitHub contributors. Thanks, Shain
Hi @petebryan, @shainw,
We have now updated the queries to reflect the changes you've made. We are running Cisco ASAs.
Also, is it possible to get a list of "malicious IPs" from Microsoft so we can upload it to our firewalls, so the block list contains both Cisco's and Microsoft's database?
Thanks,
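As an added illustration, not the repository's HighConfTIDetection query and not the change made in PR #214, the following KQL shows the shape of a high-confidence TI match over CEF firewall data that excludes connections the firewall already blocked, with a Cisco ASA specific check for the vendor mentioned above. It assumes the firewall events land in CommonSecurityLog with Sentinel's TI enrichment columns (MaliciousIP, ThreatConfidence, ThreatSeverity, IndicatorThreatType), that DeviceEventClassID carries the ASA syslog message ID (bare or prefixed, e.g. %ASA-4-106023), and that the deny-action vocabulary, the ASA deny message IDs and the confidence floor of 80 are tuning values to be checked against your own logs rather than settings from the project:

```kql
// Added example; not the azure-sentinel repository's HighConfTIDetection query.
// Assumptions: CEF firewall events in CommonSecurityLog carrying Sentinel's TI
// enrichment columns; the threshold, lookback and vendor-specific lists below
// are illustrative tuning values, not values taken from the project.
let lookback = 1d;
let confidence_floor = 80;
// Action strings that vendors commonly use for a blocked connection. Vendors
// differ here, so extend this list after looking at make_set(DeviceAction)
// over your own data.
let deny_actions = dynamic(["deny", "denied", "drop", "dropped", "block", "blocked", "reject", "rejected"]);
// Cisco ASA expresses the verdict in the syslog message ID rather than in a
// DeviceAction field: 106001/106006/106007/106010/106014/106015/106021/106023
// are all "connection denied" messages. (106100 is omitted on purpose: it
// covers both permitted and denied ACL hits.)
let asa_deny_msg_ids = dynamic(["106001", "106006", "106007", "106010", "106014", "106015", "106021", "106023"]);
CommonSecurityLog
| where TimeGenerated >= ago(lookback)
// TI enrichment: MaliciousIP is populated only when one of the endpoints
// matched an indicator, so this is the "TI hit" condition.
| where isnotempty(MaliciousIP)
| where ThreatConfidence >= confidence_floor
// A probe from a bad IP that the firewall stopped is context, not an incident:
// drop events whose action says the connection was blocked ...
| where tolower(DeviceAction) !in (deny_actions)
// ... and, for Cisco ASA, events whose message ID is a deny message.
| where not(DeviceVendor =~ "Cisco" and DeviceProduct =~ "ASA"
            and DeviceEventClassID has_any (asa_deny_msg_ids))
| extend Direction = iff(MaliciousIP == SourceIP, "inbound", "outbound")
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DeviceEventClassID,
          SourceIP, SourcePort, DestinationIP, DestinationPort, Direction,
          MaliciousIP, ThreatConfidence, ThreatSeverity, IndicatorThreatType
// One row per malicious IP and direction; the Actions set doubles as a check
// that no blocked-connection vocabulary slipped through the filters above.
| summarize Connections = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Actions = make_set(DeviceAction), Sources = make_set(SourceIP, 20)
    by MaliciousIP, Direction, ThreatConfidence, ThreatSeverity, IndicatorThreatType
| order by ThreatConfidence desc, Connections desc
```

Before scheduling anything like this as an analytics rule, run it as a hunting query over a day of your own firewall data and read the Actions column: if it still shows values such as "Deny" in your vendor's spelling, add them to deny_actions (or, for ASA, to the message-ID list), since that is exactly the vendor-syntax gap the thread above is about.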
Hey @DSharpPro,
That is not exposed directly that I know of, but I will see if there is a possibility of doing so.
Shain
@DSharpPro - I chatted with our internal TI folks, and it was explained to me that at this time Microsoft does not expose any TI feeds to the public.