We have NSG FLow logs turned on for all of our NSGs. Looking in Traffic Analytics from the Network Watcher Azure Portal, if I click on the hot link named Malicious IPs, it drops me into a Log Analytics Query window with this query showing:
AzureNetworkAnalyticsIPDetails_CL
| where SubType_s == 'FlowLog' and FlowType_s == 'MaliciousFlow'
| distinct
IP_s,
PublicIPDetails_s,
Location_s,
FlowIntervalStartTime_t,
ThreatType_s,
ThreatDescription_s,
DNSDomain_s
The results are shown which is cool.
If I open for example, the first row to see the details, the data item named ThreatDetection_s has this text:
"MSTIC HoneyPot: An attacker used a brute force attack to gain access to a service or device"
The above wording is VERY concerning because the text indicates that an attack was successful by "gaining access" to a service or device.
Further investigation in Log Analytics shows that ALL of these attempts were denied access by the NSG. This message wording needs to be changed to indicated a potential threat, not an actual threat.
The wording could be: "An attacker used a brute force attack to attempt to access a service or device and should be investigated further."
WORDS MATTER and Microsoft Engineers and Project Managers need to very clear on what they choose to notify users.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 28.999999999999996%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ3%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 14.000000000000002%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENI%3C/text%3E%3C/svg%3E)