ChrisSmith-6811 asked vipulsparsh-MSFT answered

Sentinel CEF enrichment fields

Can someone help me understand what the source is for the enrichment fields that are added as they are outlined here: https://docs.microsoft.com/en-us/azure/sentinel/cef-name-mapping#enrichment-fields?

According to the documentation, the MaliciousIP field lists any IP addresses in the message that correlate with the current threat intelligence feed. My assumption was that the threat intelligence feed would be in ThreatIntelligenceIndicator, but it doesn't seem like that's the case. We have an analytic that is looking for MaliciousIP to be populated, and it's hitting on an IP that we don't have listed in any of our current TAXII feeds.

Ideally, I'd like to know if there's a way to "whitelist" an IP to prevent it from matching for enrichment without hardcoding it into the analytic, but it would also be helpful to understand what source is being used for this data and whether it's within our control.

Thanks!

azure-sentinel

@ChrisSmith-6811 Thanks for reaching out. Can you share the screenshot where you see that IP listed? Also, can you confirm whether you have Sentinel UEBA enabled, as UEBA is also capable of doing enrichment on the basis of source IP?


I can confirm that UEBA is enabled. I've included two screenshots: one showing the MaliciousIP field being populated in the CommonSecurityLog, and the second showing that the IP listed in the enriched field does not appear to exist within Threat Intelligence. I am seeing this same behavior across multiple Log Analytics workspaces as well.

132376-screen-shot-2021-09-15-at-71031-am.png
132421-screen-shot-2021-09-15-at-71227-am.png



1 Answer

vipulsparsh-MSFT answered

@ChrisSmith-6811 Thanks for sharing additional details with us. Sentinel UEBA is also capable of providing enrichment about IP addresses, and in your case this is what is happening.
The IP address entity (now in preview) contains geolocation data supplied by the Microsoft Threat Intelligence service. This service combines geolocation data from Microsoft solutions and third-party vendors and partners. The data is then available for analysis and investigation in the context of a security incident.

You can read more at : https://docs.microsoft.com/en-us/azure/sentinel/identify-threats-with-entity-behavior-analytics



Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
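An added example, not part of the original thread or of any Microsoft-provided rule template, showing how the analytic described in the question can be written so that it still fires on the MaliciousIP enrichment (populated by the Microsoft Threat Intelligence / UEBA service, as the answer explains, not by the workspace's own ThreatIntelligenceIndicator table), while (a) recording whether the IP also appears in the workspace's own TAXII-fed indicators and (b) suppressing IPs kept in a Sentinel watchlist instead of hardcoding them in the rule. The watchlist name `AllowedIPs` and its `IPAddress` column are assumptions; `_GetWatchlist`, the CommonSecurityLog enrichment columns and the ThreatIntelligenceIndicator columns are the documented ones.

```kusto
// Added example (not from the original thread). Assumptions: a Sentinel
// watchlist named 'AllowedIPs' exists with a column 'IPAddress' holding the
// addresses to suppress. Everything else uses documented table columns.
let lookback = 1h;
// Allowlist maintained outside the rule; _GetWatchlist is the built-in accessor.
let allowed = _GetWatchlist('AllowedIPs')
    | project IPAddress = tostring(IPAddress);
// Active, unexpired IP indicators from the workspace's own TI connectors
// (for example the TAXII feeds mentioned in the question).
let ourTI = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(14d)
    | where Active == true and ExpirationDateTime > now()
    | extend TIIP = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP)
    | where isnotempty(TIIP)
    | summarize arg_max(TimeGenerated, Description, ConfidenceScore, SourceSystem) by TIIP;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
// MaliciousIP is filled by the Microsoft TI enrichment, not by ourTI.
| where isnotempty(MaliciousIP)
// Suppress allowlisted addresses without editing the rule body.
| join kind=leftanti allowed on $left.MaliciousIP == $right.IPAddress
// Keep the hit, but annotate whether our own feeds know the IP too.
| join kind=leftouter ourTI on $left.MaliciousIP == $right.TIIP
| extend InOwnTI = isnotempty(TIIP)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP,
          MaliciousIP, MaliciousIPCountry, ThreatSeverity, ThreatConfidence,
          IndicatorThreatType, ThreatDescription, ReportReferenceLink,
          InOwnTI, OwnTIDescription = Description, OwnTIConfidence = ConfidenceScore,
          OwnTISource = SourceSystem
```

The `InOwnTI` column makes the behaviour from the question visible in the results: rows where it is `false` are IPs that the Microsoft enrichment flagged but that none of the workspace's own indicators contain. The allowlist join only hides matches from this analytic; it does not stop the enrichment service from populating MaliciousIP on the underlying CommonSecurityLog rows.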
