Can someone help me understand what the source is for the enrichment fields that are added as they are outlined here: https://docs.microsoft.com/en-us/azure/sentinel/cef-name-mapping#enrichment-fields?
According to the documentation, the MaliciousIP field lists any IP addresses in the message that correlates with the current threat intelligence feed. My assumption was that the threat intelligence feed would be in ThreatIntelligenceIndicator but it doesn't seem like that's the case. We have an analytic that is looking for MaliciousIP to be populated and it's hitting on an IP that we don't have listed from any of our current TAXII feeds.
Ideally, I'd like to know if there's a way to "whitelist" an IP to prevent it from matching for enrichment without hardcoding it into the analytic but it would also be helpful to understand what source is being used for this data as well and if it's within our control.
Thanks!

