Where can I check to see the reason behind Azure Network Watcher Traffic Analytics label of MaliciousFlow?

Gregory Smith 41

I have a flow labeled as MaliciousFlow, and I would like to find out more why it was labeled as such. I don't see how the traffic is particularly malicious other than it was probably on a blacklist at a point in time. But if I am going to tell my boss about it, then I will need some more information to try and block the traffic. Where do I find more information?

I see that in the schema it is defined as: "MaliciousFlow: One of the IP addresses belong to an Azure virtual network, while the other IP address is a public IP that isn't in Azure and is reported as malicious in the ASC feeds that traffic analytics consumes for the processing interval between “FlowIntervalStartTime_t” and “FlowIntervalEndTime_t”."

Is there someplace for me to look at this info? I can't find it.

I have checked the table "AzureNetworkAnalyticsIPDetails_CL" for more information, but it doesn't tell me more than the flow log.

Sedat SALMAN 14,065 Reputation points MVP

2023-05-25T05:29:34.6966667+00:00

Azure Network Watcher Traffic Analytics labels a flow as "MaliciousFlow" when one of the IP addresses involved belongs to an Azure virtual network and the other IP is a public IP that isn't in Azure and is reported as malicious in the ASC (Azure Security Center) feeds that Traffic Analytics consumes during the processing interval-1: One of the IP addresses belong to an Azure virtual network, while the other IP address is a public IP that isn't in Azure and is reported as malicious in the ASC feeds that traffic analytics consumes for the processing interval between “FlowIntervalStartTime_t” and “FlowIntervalEndTime_t","pub_date":null}}`.

The "MaliciousFlow" designation is based on data from the "AzureNetworkAnalyticsIPDetails_CL" table in the Log Analytics workspace. This data provides information such as the IP address, threat type, threat description, and DNS domain for the malicious IP, as identified by Microsoft security intelligence solutions1.

Threat types include indicators such as botnet node/member, command & control node of a botnet, cryptomining/resource abuse, darknet node/network, DDos campaign, malicious URL, malware, phishing campaign, proxy service, potentially unwanted application, and others-1WatchList **should typically not be used by partners submitting data into the system","pub_date":null}}**.

In addition to this, you can utilize NSG (Network Security Group) flow logs to diagnose and validate your network configurations. The NSG flow information includes timestamp, source IP, destination IP, source port, destination port, and protocol, the Network Security Group, and the security rule. This data can be visualized using Microsoft tools such as Power BI, as well as security information and event management tools provided by third-party partners and open source tools2.

So, to investigate why a specific flow was labeled as "MaliciousFlow", you would need to examine the data in the "AzureNetworkAnalyticsIPDetails_CL" table for the corresponding IP address and review the threat type, threat description, and associated DNS domain. Also, you can look at the NSG flow logs to get more details about the flow itself.
Gregory Smith 41 Reputation points

2023-05-25T06:48:50.1566667+00:00

I have looked at that and it doesn't tell me the information as you describe. I mentioned above.

All I get when I look in that table is the following as far as I can see:

TenantId

SourceSystem

TimeGenerated [UTC]

SubType_s

FASchemaVersion_s

FlowIntervalStartTime_t[UTC]

FlowIntervalEndTime_t[UTC]

IP_s

FlowType_s

PublicIPDetails_s

Location_s

Type
KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-05-25T09:33:09.8933333+00:00

@Gregory Smith

Below is the response from our Internal team, who provides us the information for tagging malicious IPs.
"There are various sources which do the scanning of IPs and provide feed to our service continuously for potentially malicious IPs. Since this is just an indicator, there can be false positives. The customer has to deep dive to get to the root of it."

“While an IP/domain can be reported as malicious by one of our partners, there is always the possibility of a false positive. In cases like this, the report should be an indicator and not necessarily considered definitive. The customer or other entity should validate independently if the IP is malicious. The customer will need to validate if this domain was requested in their DNS logs, and if it resolved the IP matching, if it does they may wish to perform follow-on investigation in DHCP logs etc, to identify the host that requested the domain. Please suggest your customer to run anti-malware scan on that VM to be on the safe side.”

Feel free to let me know if I can assist with any further information/clarification.

Awaiting your response.

Cheers,

Kapil
KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-05-25T09:40:33.4933333+00:00

@Gregory Smith

Also, If you can provide me a list of IPs, I will try to provide you the information we have by checking internally.

Cheers,

Kapil
KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-05-26T06:05:27.6266667+00:00

@Gregory Smith

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

If not, please close this thread by accepting the answer

Thanks,

Kapil
Gregory Smith 41 Reputation points

2023-05-26T08:11:49.0733333+00:00

You can check on these IPs listed as maliciousflow?

Take a look at these and let me know!
23.15.9.26

23.15.9.18

23.15.9.43

23.15.9.48

23.46.150.81

23.46.150.43

23.46.150.75

23.46.150.66

13.249.85.53

13.249.85.66

52.84.52.26

Mix of Akamai, and Cloudfront. Don't seem to be webpages. Could be mislabeled updates for clients, or content for the MS news bar thingy, or a malicious horde of CnC traffic slowly infiltrating my network. I hope that you tell me that it is the former, and not the latter.
KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-05-26T08:31:20.1066667+00:00

@Gregory Smith

Sure, please allow me some time.

I shall check the IPs with my internal team(s) and provide publicly sharable information here.

Cheers,

Kapil

KapilAnanth-MSFT 47,046 Microsoft Employee

@Gregory Smith

Please find the details from our internal tool(s) below.

IP (s)	Reason
52.84.52.26, 13.249.85.66, 13.249.85.53	a phishing url
23.46.150.66, 23.46.150.75, 23.46.150.43, 23.46.150.81, 23.15.9.48, 23.15.9.43, 23.15.9.18, 23.15.9.26	IP Address was categorized as controller, C2

Please let us know if we can be of any further assistance.

If not, request you to kindly accept the answer and close this thread.

Cheers,

Kapil

Gregory Smith 41 Reputation points

2023-05-26T14:17:37.0166667+00:00

Ah crap, ok.

Accepted answer

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-05-25T06:51:09.94+00:00
@Gregory Smith

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are using Traffic Analytics and an IP logged is flagged as malicious and you would like to know how and why Microsoft considers this as malicious.

Traffic analytics relies on Microsoft internal threat intelligence systems to deem an IP as malicious.

These systems leverage diverse telemetry sources like Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC), and external feeds and build a lot of intelligence on top of it.

Some of this data is Microsoft Internal.

Hence, you will not be able to manually check the IPs considered as malicious by Microsoft publicly.

Now, if you or your organization own this IP and you believe IP is getting flagged malicious incorrectly by Microsoft, you should raise a support ticket to know the details on why and next steps on how to mitigate it.

Please refer : How does traffic analytics decide that an IP is malicious?

If you have a support plan please go ahead and file a support ticket.

If not, do let us know and I shall try and help you get a one-time free technical support.

I hope I was able to make things clear. I would highly appreciate if you could Accept the answer and Up-Vote for the same, which might be beneficial to other community members reading this thread.

Should you have any further query do let me know, I would be more than happy to address them as always :)

Cheers,

Kapil
Please sign in to rate this answer.
Gregory Smith 41 Reputation points

2023-05-25T07:08:09.13+00:00

I have support and my Azure instance is up and running with various subscriptions. It would be better if there was something consistent that I could use to look and research for my IR or regular reporting that's within the Azure instance. I will try a support ticket and see what they say. To do that every time is a bit ridiculous. It'd be nicer and more convenient if the table "AzureNetworkAnalyticsIPDetails_CL" had the data, but I just don't see it there.

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-05-25T07:25:35.7966667+00:00

@Gregory Smith

I understand your concern and I believe this is deliberately vague to prevent malicious actors from exploiting the system.

However, I shall reach out to the Network Watcher ProductGroup Team to discuss this requirement, and see if we can check why Microsoft consider an IP malicious and I will share that detail with you if publicly shareable.

You can also post this feedback in Azure Feedback Hub.

All the feedback shared in these forums are monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

What I would suggest is to make a list of IPs that are reported malicious and get them clarified in a single support ticket.

I see that your experience for this thread is rated as not helpful.

However, the survey we are taking is testimony of our team providing timely attention to reported issue and I believe we have addressed your query to the best of our knowledge and product design/limitations/documentations currently at the platform.

If you feel our team members or the community have been providing right level of support and your scenario has got a timely response, we would like to request you to reconsider the feedback.

Your encouragement and involvement help us improve our customer experience and our Azure services.

We are eager to know what we could do better to evolve this experience to a 5* star rating.

Your candid feedback is very important to us.

Looking forward to your reply.

Cheers,

Kapil

Nicolas Coimbra 0 Reputation points

2023-09-13T02:57:30.92+00:00

Hi Kapil, why is Google DNS (8.8.8.8) detected as malicious traffic?

Thanks.

Regards.

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-09-13T05:00:19.6633333+00:00

Nicolas Coimbra ,

That is strange.

Can you please share the logs for the same?

Cheers,

Kapil

Nicolas Coimbra 0 Reputation points

2023-09-13T14:13:26.5166667+00:00

@KapilAnanth-MSFT for sure:

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-09-19T05:01:42.7366667+00:00

Nicolas Coimbra ,

I have communicated the same to our Internal teams and they have confirmed they are working on it.

This should be resolved soon.

As mentioned earlier,

Traffic analytics relies on Microsoft internal threat intelligence systems to deem an IP as malicious.

These systems leverage diverse telemetry sources like Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC), and external feeds and build a lot of intelligence on top of it.

Some of this data is Microsoft Internal

Should an IP owned by you or your ISP is flagged malicious, the recommendation is to raise a support ticket to know the details on why and next steps on how to mitigate it.

Cheers,

Kapil
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Where can I check to see the reason behind Azure Network Watcher Traffic Analytics label of MaliciousFlow?

0 additional answers

Your answer