Traffic Analytics Malicious IPs

JohnSebastian-3934 441 Reputation points
2022-05-11T16:55:39.517+00:00

We have NSG FLow logs turned on for all of our NSGs. Looking in Traffic Analytics from the Network Watcher Azure Portal, if I click on the hot link named Malicious IPs, it drops me into a Log Analytics Query window with this query showing:

AzureNetworkAnalyticsIPDetails_CL
| where SubType_s == 'FlowLog' and FlowType_s == 'MaliciousFlow'
| distinct
IP_s,
PublicIPDetails_s,
Location_s,
FlowIntervalStartTime_t,
ThreatType_s,
ThreatDescription_s,
DNSDomain_s

The results are shown which is cool.
If I open for example, the first row to see the details, the data item named ThreatDetection_s has this text:

"MSTIC HoneyPot: An attacker used a brute force attack to gain access to a service or device"

The above wording is VERY concerning because the text indicates that an attack was successful by "gaining access" to a service or device.

Further investigation in Log Analytics shows that ALL of these attempts were denied access by the NSG. This message wording needs to be changed to indicated a potential threat, not an actual threat.
The wording could be: "An attacker used a brute force attack to attempt to access a service or device and should be investigated further."

WORDS MATTER and Microsoft Engineers and Project Managers need to very clear on what they choose to notify users.

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,509 questions
{count} votes

1 answer

Sort by: Most helpful
  1. risolis 8,721 Reputation points
    2022-05-12T00:03:16.233+00:00

    Many thanks for your reply back.

    Your concern is always valid and what I gave you before were just observations that might or not fit depends on your environment.

    Now based on your request, you need to state this alert correctly on this article below:

    https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics-schema

    Looking forward to your feedback.

    BR,


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.