Sentinel CEF enrichment fields

Chris Smith 21 Reputation points
2021-09-13T17:47:18.657+00:00

Can someone help me understand what the source is for the enrichment fields that are added as they are outlined here: https://learn.microsoft.com/en-us/azure/sentinel/cef-name-mapping#enrichment-fields?

According to the documentation, the MaliciousIP field lists any IP addresses in the message that correlate with the current threat intelligence feed. My assumption was that the threat intelligence feed would be in ThreatIntelligenceIndicator, but it doesn't seem like that's the case. We have an analytic that is looking for MaliciousIP to be populated, and it's hitting on an IP that we don't have listed from any of our current TAXII feeds.

Ideally, I'd like to know if there's a way to "whitelist" an IP to prevent it from matching for enrichment without hardcoding it into the analytic but it would also be helpful to understand what source is being used for this data as well and if it's within our control.

Thanks!

Microsoft Sentinel

Accepted answer
VipulSparsh-MSFT 16,236 Reputation points Microsoft Employee
2021-09-16T03:18:58.873+00:00

@Chris Smith Thanks for sharing additional details with us. The Sentinel UEBA is also capable of providing the enrichment about IP addresses; in your case this is what is happening.
The IP address entity (now in preview) contains geolocation data supplied by the Microsoft Threat Intelligence service. This service combines geolocation data from Microsoft solutions and third-party vendors and partners. The data is then available for analysis and investigation in the context of a security incident.

You can read more at: https://learn.microsoft.com/en-us/azure/sentinel/identify-threats-with-entity-behavior-analytics

-----------------------------------------------------------------------------------------------------------------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

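The accepted answer explains where the MaliciousIP enrichment comes from, but not the second half of the question: excluding a known-good address from the detection without hardcoding it in the rule, and checking a hit against the organization's own TAXII-fed indicators. The KQL below is an added example, not from the original thread or from Microsoft. It assumes a Sentinel watchlist named "AllowedIPs" with a column "IPAddress" (both names are assumptions; the watchlist name and column are whatever you created), reads it with the built-in `_GetWatchlist()` function, and left-joins each remaining MaliciousIP hit against active indicators in ThreatIntelligenceIndicator so the result shows whether the address is also present in your own feeds.

```kusto
// Added example (not from the original thread). Assumes a watchlist named
// "AllowedIPs" whose search-key column is "IPAddress" (both are assumptions).
let allowed = _GetWatchlist('AllowedIPs')
    | project IPAddress;
// Indicators from your own TAXII / TI connectors that are still active
let ownTI = ThreatIntelligenceIndicator
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP)
    | summarize arg_max(TimeGenerated, ConfidenceScore, Description) by NetworkIP;
CommonSecurityLog
| where TimeGenerated > ago(1h)
// Only events where the Microsoft TI enrichment populated MaliciousIP
| where isnotempty(MaliciousIP)
// Allowlist lives in the watchlist, not in the analytic rule body
| where MaliciousIP !in (allowed)
// Left-join so enrichment hits absent from your own feeds are still returned
| join kind=leftouter ownTI on $left.MaliciousIP == $right.NetworkIP
| extend InOwnFeed = isnotempty(NetworkIP)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP,
          MaliciousIP, ThreatSeverity, ThreatConfidence, ReportReferenceLink,
          InOwnFeed, OwnFeedConfidence = ConfidenceScore, OwnFeedDescription = Description
```

Editing the watchlist changes the exclusion immediately for every rule that references it, so analysts do not need to touch the analytic rule. If you want the rule to fire only on addresses your own feeds know about, change the join to `kind=inner`; the `InOwnFeed` column is what tells you, for a given alert like the one in the question, that the Microsoft enrichment and your TAXII feeds disagree.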
