This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 48%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Hi community,
We are unable to detect outbound malicious traffic coming from AWS. AWSVPCFLOW does not have the malicious IP details. We are using AWS S3 Connector that is available in Sentinel for AWS connectivity. We are sending detailed flow logs to sentinel.
But we can see our servers are communicating with malicious IP addresses reported by Threat Intelligence.
We have contacted Microsoft Support multiple times, and they are repeatedly saying that it is not the fault of sentinel, it's working as expected.
This table does not have malicious IP details. AWS never report Malicious IP addresses.
No option found where we can customize the built-in query for outbound events. How can we add joint for AWSVPCFLOW to communicate with the tables that have malicious IP details?
Let me break this down a bit:
You have the AWD data connector enabled. That connector creates three tables including AWSVPCFlow. This table provides a source and destination IP address.
You are seeing IPs in this table that appear to be malicious. Yes? Which threat intelligence provider are you using to reach the verdict? Do you have these same IPs listed as indicators in the Sentinel Threat Intelligence section?
Sentinel has two primary TI mapping options. The first is a Microsoft Threat Intelligence rule comparing Security Graph IOCs to a limited set of tables. The second is a bring-your-own-TI solution. You add indicators manually or automatically using TAXII or an API-based connector. The Threat Intelligence section in the portal. These indicators are mapped to various entities by "TI Map" rules available in the analytic rule templates.
You may be referring to the malicious IP mapping seen in the overview page. Thie is a non-alerting enrichment that happens on the backend for a limited set of tables. No options are provided to customize this view. Nice to look at but largely pointless due to the limited scope and lack of alerts. You won't see AWSVPCFlow here any time soon.
There is a "TI map IP entity to AWSCloudTrail rule template. This checks the AWSCloudTrail table for IP indicators that have been collected in the Threat Intelligence section. You need to set up a TI feed for this to be effective. The rule does not look at the AWSVPCFlow table. You could use this rule as an example and create a custom rule for AWSVPCFlow if these IPs are not part of the AWSCloudTrail table.
So currently, no TI mapping on AWSVPCFlow but it would not be too difficult to configure.
Hi @Andrew Blumhardt ,
Thanks for sharing such detailed answer. Let me answer your queries first.
You are seeing IPs in this table that appear to be malicious. Yes? Which threat intelligence provider are you using to reach the verdict? Do you have these same IPs listed as indicators in the Sentinel Threat Intelligence section?
You are seeing IPs in this table that appear to be malicious. Yes?
Yes, some of the public IP's appear here are malicious, this is verified by a custom rule that we have already mapped AWSVPCFlow with Threat Intel Table. This rule is throwing alerts, but not for outbound traffic.
Which threat intelligence provider are you using to reach the verdict?
We are currently using a built-in TAXII connector for Anomaly Limo, along with a custom solution for AlienVault-OTX threat intel through Microsoft Graph TI API.
Do you have these same IPs listed as indicators in the Sentinel Threat Intelligence section?
Yes, as I already mentioned, the custom rule. These IPs are also listed in Threat Intel Section.
I am wondering why sentinel's outbound rule is missing the threat intel data table and also AWSVPCFlow as a source.
Ah, so have a custom rule for https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-log-webhook mapping Anomaly and AlienVault indicators. It sounds like all you need to do is to revise this rule to use the outbound IP column, right? AWSVPCFLOW has outbound IPs. You could always add a playbook to bring in a TI report as a comment after the IP is flagged.
Yes I'm thinking abount taking these required columns to TI with some more customizations and IP Geoloacation data, thata actually is being used and required for outbound rules to detect malicious events.
Microsoft's MSTIC team is responsible for these rules. You might try Sentinel User Voise to raise recommendations. I can't speak for the rule author's choices. Happy to share your feedback internally.
https://www.microsoft.com/security/blog/microsoft-security-intelligence/
@Muhammad Sajid Khan
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.