Closed rweirtbg closed 1 year ago
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
Hi @devikamehra, can you please look into this issue?
Hi @rweirtbg we are working on this issue with the concerned team, will update you once we hear back from them, thanks!
@rweirtbg Thank you for the suggestion. We will accommodate this change in future releases. But for now, you can modify the current query to fix these false positives.
Let us know if you need any further assistance otherwise we can close this by adding the suggestion as a workitem in our backlog.
Gentle Reminder: We are waiting for your response on this issue. If you still need to keep this issue active, please respond on it in the next 2 days. If we don't receive response, we will be closing this issue as per our standard procedures, thanks!
The Analytics rule mentioned above is using the statement on line 7
| where not(ipv4_is_private(DstIpAddr))
to avoid alerts of private address ranges. This is a built-in function as described in this article: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/ipv4-is-privatefunction
Based on the documentation the function is working as expected as the CIDR 169.254.0.0/16 is not part of this function just like the 127.0.0.0/24 range.
@oshezaf @devikamehra I can add the exclusion of private ranges by adding a let PrivateRanges
statement including the ranges that are not picked up by the previous function.
Let me know if I need to create a PR for this.
Thanks for the update @azurekid
Hi @azurekid thanks for the details you have provided please raise a PR for this and mention this issue in it, we will get it reviewed by the team, thanks!
Hi @rweirtbg we are waiting for @azurekid to raise PR, thanks!
Hi @azurekid we are waiting for update from you on this, thanks!
Hi, I am currently on a holiday in Croatia with very limited internet coverage on the campsite. Will update once I have access.
Thanks for the update @azurekid please update us here once you have raised PR
Hi @azurekid, please let us know once you have raised the PR.
Hi @azurekid, did you get a chance to raise a PR?
Hi @azurekid, did you raise a PR? Please provide some response; that would be really appreciated.
Hi,
Sorry, data is really horrible here. Got a 150 kbs connection 🙈 I have created the code locally, but am not able to test due to connection limitations.
Hi, I have created a PR #8690 for issue #8105
On line six I have added the following to define local ranges:
let LocalNetworks=dynamic(["169.254.0.0/16","127.0.0.0/8"]);
On line nine the results are filtered based on the LocalNetworks:
| where not (ipv4_is_in_any_range(DstIpAddr, LocalNetworks))
I also did some code alignment, fixed a typo in the description, and added 2 private ranges
All pipeline tests are completed successfully @rweirtbg @v-rbajaj
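The before and after filters from this thread, modelled in Python as an added example (this is not code from the issue or from the Azure-Sentinel repo); the RFC 1918 ranges assumed for ipv4_is_private() follow the Kusto docs linked above, and the sample session rows are constructed:

```python
# Added example (not from the issue or the Azure Sentinel repo): a Python model of
# the original and amended filters, showing why 169.254.x.x destinations still
# produced alerts before the LocalNetworks exclusion was added.
import ipaddress

# Ranges the Kusto ipv4_is_private() function treats as private (RFC 1918, per the
# linked docs). Assumption: this model matches that documented list exactly.
KUSTO_PRIVATE = [ipaddress.ip_network(c)
                 for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The LocalNetworks list added by the PR (link-local and loopback), as quoted above.
LOCAL_NETWORKS = ["169.254.0.0/16", "127.0.0.0/8"]


def ipv4_is_private(ip: str) -> bool:
    """Model of Kusto ipv4_is_private(): True only for RFC 1918 space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KUSTO_PRIVATE)


def ipv4_is_in_any_range(ip: str, ranges) -> bool:
    """Model of Kusto ipv4_is_in_any_range(): True if ip falls in any given CIDR."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in ranges)


def original_filter(rows):
    """'| where not(ipv4_is_private(DstIpAddr))' -- the rule before the fix."""
    return [r for r in rows if not ipv4_is_private(r["DstIpAddr"])]


def amended_filter(rows, local_networks=LOCAL_NETWORKS):
    """Original filter plus '| where not (ipv4_is_in_any_range(DstIpAddr, LocalNetworks))'."""
    return [r for r in original_filter(rows)
            if not ipv4_is_in_any_range(r["DstIpAddr"], local_networks)]


# Constructed sample sessions (not real telemetry): link-local, loopback,
# RFC 1918 and public destinations.
SAMPLE_ROWS = [
    {"SrcIpAddr": "10.1.2.3", "DstIpAddr": "169.254.10.20"},
    {"SrcIpAddr": "10.1.2.3", "DstIpAddr": "127.0.0.1"},
    {"SrcIpAddr": "10.1.2.3", "DstIpAddr": "192.168.5.5"},
    {"SrcIpAddr": "10.1.2.3", "DstIpAddr": "203.0.113.10"},
]

if __name__ == "__main__":
    print("before:", [r["DstIpAddr"] for r in original_filter(SAMPLE_ROWS)])
    print("after: ", [r["DstIpAddr"] for r in amended_filter(SAMPLE_ROWS)])
```

Only the public destination survives the amended filter; the link-local and loopback rows that the original rule let through are now dropped.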
Hi @rweirtbg, thanks for raising the PR. We will soon review it and provide you an update.
LoL, I made the PR, not @rweirtbg 😉
Really sorry on that, thanks for raising the PR @azurekid, we are reviewing the PR and we will soon get back to you.
Hi all, we are still reviewing the PR, we will get back to you once there is an update.
@v-rbajaj @azurekid PR is approved.
Describe the bug: [Potential beaconing activity (ASIM Network Session schema)](https://github.com/Azure/Azure-Sentinel/blob/a6593c2bb08c6cb6fbcaabdd961c83ef9f9b89b1/Solutions/Network%20Session%20Essentials/Analytic%20Rules/PossibleBeaconingActivity.yaml) does not filter out self-assigned IPs (169.254.0.0/16).
To Reproduce: Trigger a beaconing alert with a destination of 169.254.0.0/16.
Expected behavior: We should not see alerts for traffic destined for 169.254.0.0/16 since that IP space is not routable.