We have NSG Flow logs turned on for all of our NSGs. Looking in Traffic Analytics from the Network Watcher Azure Portal, if I click on the hot link named Malicious IPs, it drops me into a Log Analytics Query window with this query showing:
AzureNetworkAnalyticsIPDetails_CL
| where SubType_s == 'FlowLog' and FlowType_s == 'MaliciousFlow'
| distinct
    IP_s,
    PublicIPDetails_s,
    Location_s,
    FlowIntervalStartTime_t,
    ThreatType_s,
    ThreatDescription_s,
    DNSDomain_s
The results are shown, which is cool.
If I open, for example, the first row to see the details, the data item named ThreatDetection_s has this text:
"MSTIC HoneyPot: An attacker used a brute force attack to gain access to a service or device"
The above wording is VERY concerning because the text indicates that an attack was successful by "gaining access" to a service or device.
Further investigation in Log Analytics shows that ALL of these attempts were denied access by the NSG. This message wording needs to be changed to indicate a potential threat, not an actual threat.
The wording could be: "An attacker used a brute force attack to attempt to access a service or device and should be investigated further."
WORDS MATTER, and Microsoft Engineers and Project Managers need to be very clear about the wording they choose when notifying users.
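As an added example (not part of the original post), here is a Log Analytics query that does the cross-check the post describes doing by hand: for every IP that Traffic Analytics flags as malicious, it sums how many inbound flows the NSG actually allowed versus denied, so "gained access" can be read against the NSG's real decisions. It assumes the standard Traffic Analytics flow schema in AzureNetworkAnalytics_CL (SrcIP_s, FlowDirection_s, AllowedInFlows_d, DeniedInFlows_d, NSGRule_s); confirm those column names in your own workspace before relying on it.

```kusto
// Added example, not from the original post or from Microsoft.
// Assumption: AzureNetworkAnalytics_CL holds per-flow records with
// SrcIP_s, FlowDirection_s ('I' = inbound), AllowedInFlows_d,
// DeniedInFlows_d and NSGRule_s, as in the Traffic Analytics schema.
let maliciousIPs =
    AzureNetworkAnalyticsIPDetails_CL
    | where SubType_s == 'FlowLog' and FlowType_s == 'MaliciousFlow'
    | summarize Threats = make_set(ThreatDescription_s) by IP_s;
AzureNetworkAnalytics_CL
| where SubType_s == 'FlowLog' and FlowType_s == 'MaliciousFlow'
| where FlowDirection_s == 'I'
| summarize
    AllowedIn = sum(AllowedInFlows_d),
    DeniedIn  = sum(DeniedInFlows_d),
    Rules     = make_set(NSGRule_s),
    LastSeen  = max(TimeGenerated)
    by SrcIP_s
// Keep only sources that Traffic Analytics also labelled as malicious.
| join kind=inner maliciousIPs on $left.SrcIP_s == $right.IP_s
// A denied-only source is an attempt; any allowed inbound flow needs a closer look.
| extend Verdict = iff(AllowedIn > 0,
                       'INVESTIGATE: NSG allowed some inbound flows',
                       'Denied only: attempted access, not gained access')
| project SrcIP_s, Threats, AllowedIn, DeniedIn, Rules, LastSeen, Verdict
| order by AllowedIn desc, DeniedIn desc
```

Rows with AllowedIn greater than zero are the only ones where the portal's "gain access" wording could actually apply; everything else was blocked at the NSG.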