JohnSebastian-3934 asked ricardosolisvillegas-4678 answered

Traffic Analytics Malicious IPs

We have NSG Flow logs turned on for all of our NSGs. Looking in Traffic Analytics from the Network Watcher Azure Portal, if I click on the hot link named Malicious IPs, it drops me into a Log Analytics Query window with this query showing:

AzureNetworkAnalyticsIPDetails_CL
| where SubType_s == 'FlowLog' and FlowType_s == 'MaliciousFlow'
| distinct
    IP_s,
    PublicIPDetails_s,
    Location_s,
    FlowIntervalStartTime_t,
    ThreatType_s,
    ThreatDescription_s,
    DNSDomain_s


The results are shown which is cool.
If I open for example, the first row to see the details, the data item named ThreatDetection_s has this text:

"MSTIC HoneyPot: An attacker used a brute force attack to gain access to a service or device"


The above wording is VERY concerning because the text indicates that an attack was successful by "gaining access" to a service or device.

Further investigation in Log Analytics shows that ALL of these attempts were denied access by the NSG. This message wording needs to be changed to indicate a potential threat, not an actual threat.
The wording could be: "An attacker used a brute force attack to attempt to access a service or device and should be investigated further."

WORDS MATTER and Microsoft Engineers and Project Managers need to be very clear on what they choose to notify users.

azure-network-watcher
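The check the question describes (confirming in Log Analytics whether the NSG actually denied the flows behind a "MaliciousFlow" detection) can be made repeatable with a single query. The query below is an added example, not part of the original post or of Microsoft's Traffic Analytics documentation. It joins the IP-details table shown in the question to the per-flow table AzureNetworkAnalytics_CL and assumes the column names FlowDirection_s ('I'/'O'), SrcIP_s, DestIP_s, AllowedInFlows_d, DeniedInFlows_d, AllowedOutFlows_d, DeniedOutFlows_d, NSGRule_s and DestPort_d from the Traffic Analytics schema; verify them against your workspace before relying on the result.

```kusto
// Added example (not from the original post). Assumes the Traffic Analytics
// schema columns named in the lead-in; adjust if your workspace differs.
let lookback = 7d;
// Malicious IPs exactly as the Traffic Analytics "Malicious IPs" link lists them
let maliciousIPs =
    AzureNetworkAnalyticsIPDetails_CL
    | where TimeGenerated > ago(lookback)
    | where SubType_s == 'FlowLog' and FlowType_s == 'MaliciousFlow'
    | distinct IP_s, ThreatType_s, ThreatDescription_s;
// Per-flow records for the same window; RemoteIP is the external side of the flow
AzureNetworkAnalytics_CL
| where TimeGenerated > ago(lookback)
| where SubType_s == 'FlowLog' and FlowType_s == 'MaliciousFlow'
| extend RemoteIP = iff(FlowDirection_s == 'I', SrcIP_s, DestIP_s)
| join kind=inner (maliciousIPs) on $left.RemoteIP == $right.IP_s
| summarize
    AllowedFlows = sum(AllowedInFlows_d) + sum(AllowedOutFlows_d),
    DeniedFlows  = sum(DeniedInFlows_d) + sum(DeniedOutFlows_d),
    Rules        = make_set(NSGRule_s),
    Ports        = make_set(DestPort_d)
    by RemoteIP, ThreatType_s, ThreatDescription_s
// Only flows the NSG allowed can correspond to an attacker actually reaching a host;
// everything else was blocked at the NSG and the description's "gain access" did not happen
| extend Verdict = iff(AllowedFlows > 0, 'ALLOWED - investigate the target host', 'blocked by NSG')
| order by AllowedFlows desc, DeniedFlows desc
```

Rows with a non-zero AllowedFlows count are the ones worth treating as the description's wording suggests; a result where every malicious IP shows only denied flows is the evidence the question refers to. The Rules column shows which NSG rule produced each verdict, which is useful when a permissive rule (rather than the default deny) turns out to be the reason a flow was allowed.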

Hello @JohnSebastian-3934

Welcome to Microsoft Q&A space.

I fully understand your concern on this, and this could be something to start worrying about.

Now, I would like to bring back one of your statements, the one below:

The above wording is VERY concerning because the text indicates that an attack was successful by "gaining access" to a service or device.

Now, this is letting you know about the attack, but it does not mean that the attacker penetrated your VM or system....

Now I wonder if you protect all of the perimeter... For instance, besides putting an NSG in place with a logging statement:

Do you use a service principal or username/passwords for identity on your Azure resources???
Do you have any NVA devices for inspection and force tunneling of your traffic?
Do you keep the default behavior of system routes? So, all your resources have access to the internet...

Looking forward to your feedback.

BR,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
JohnSebastian-3934 (replying to ricardosolisvillegas-4678):

My comment I believe is still relevant. The wording of your message returned in ThreatDetection_S indicates that an attack was successful.
The wording should be changed to indicate that an attack was attempted.

"MSTIC HoneyPot: An attacker used a brute force attack to gain access to a service or device"

The attacker did not gain access, thus this message is an unnecessary alarmist message. I would only use the exact wording above if, in fact, your system determined that a successful attack had taken place. If your system is able to determine whether or not a successful attack has taken place, then it should indicate that in the message. If your system does not know if a successful attack has taken place, your message should indicate that it is possible that an attacker was successful and that the user should perform further research. You shouldn't be giving users the impression that a successful attack has occurred when, in fact, it has not.

We are a small project without highly experienced Network engineers. I suspect that many users of Azure do not have highly trained network engineers on their staffs. We put NSGs in front of all of our SNETS based on Azure Documentation. For several of our web applications that are internet facing, we use Azure Front Door and only allow traffic to the web app through the Front Door. We don't have any additional special inspection or forced tunneling devices and we are using default routing provided by the Azure services we have deployed. We are an Azure only project. There is no on-prem integration.


1 Answer

ricardosolisvillegas-4678 answered

Many thanks for your reply back.

Your concern is always valid, and what I gave you before were just observations that might or might not fit, depending on your environment.

Now, based on your request, you need to state this alert correctly on the article below:

https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-schema

Looking forward to your feedback.

BR,
