Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

Potential beaconing activity (ASIM Network Session schema) does not filter 169.254.0.0/16 #8105

Closed rweirtbg closed 1 year ago

rweirtbg commented 1 year ago

Describe the bug: [Potential beaconing activity (ASIM Network Session schema)](https://github.com/Azure/Azure-Sentinel/blob/a6593c2bb08c6cb6fbcaabdd961c83ef9f9b89b1/Solutions/Network%20Session%20Essentials/Analytic%20Rules/PossibleBeaconingActivity.yaml) does not filter out self-assigned IPs (169.254.0.0/16).

To Reproduce: Trigger a beaconing alert with a destination of 169.254.0.0/16

Expected behavior: We should not see alerts for traffic destined for 169.254.0.0/16 since that IP space is not routable.

github-actions[bot] commented 1 year ago

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

v-rbajaj commented 1 year ago

Hi @devikamehra, can you please look into this issue?

v-vdixit commented 1 year ago

Hi @rweirtbg we are working on this issue with the concerned team, will update you once we hear back from them, thanks!

devikamehra commented 1 year ago

@rweirtbg Thank you for the suggestion. We will accommodate this change in future releases. But for now, you can modify the current query to fix these false positives.

devikamehra commented 1 year ago

Let us know if you need any further assistance otherwise we can close this by adding the suggestion as a workitem in our backlog.

v-vdixit commented 1 year ago

Gentle Reminder: We are waiting for your response on this issue. If you still need to keep this issue active, please respond on it in the next 2 days. If we don't receive response, we will be closing this issue as per our standard procedures, thanks!

azurekid commented 1 year ago

The Analytics rule mentioned above is using the statement on line 7 `| where not(ipv4_is_private(DstIpAddr))` to avoid alerts of private address ranges. This is a built-in function as described in this article: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/ipv4-is-privatefunction

Based on the documentation the function is working as expected as the CIDR 169.254.0.0/16 is not part of this function just like the 127.0.0.0/24 range.

@oshezaf @devikamehra I can add the exclusion of private ranges by adding a let PrivateRanges statement including the ranges that are not picked up by the previous function.

Let me know if I need to create a PR for this.

v-vdixit commented 1 year ago

Thanks for the update @azurekid

v-vdixit commented 1 year ago

The Analytics rule mentioned above is using the statement on line 7 `| where not(ipv4_is_private(DstIpAddr))` to avoid alerts of private address ranges. This is a built-in function as described in this article: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/ipv4-is-privatefunction

Based on the documentation the function is working as expected as the CIDR 169.254.0.0/16 is not part of this function just like the 127.0.0.0/24 range.

@oshezaf @devikamehra I can add the exclusion of private ranges by adding a let PrivateRanges statement including the ranges that are not picked up by the previous function.

Let me know if I need to create a PR for this.

Hi @azurekid thanks for the details you have provided please raise a PR for this and mention this issue in it, we will get it reviewed by the team, thanks!

v-vdixit commented 1 year ago

Hi @rweirtbg we are waiting for @azurekid to raise PR, thanks!

v-vdixit commented 1 year ago

Hi @azurekid we are waiting for update from you on this, thanks!

azurekid commented 1 year ago

Hi, I am currently on a holiday in Croatia with very limited internet coverage on the campsite. Will update once I have access.

v-vdixit commented 1 year ago

Thanks for the update @azurekid please update us here once you have raised PR

v-rbajaj commented 1 year ago

Hi @azurekid, please let us know once you have raised the PR.

v-rbajaj commented 1 year ago

Hi @azurekid, did you get a chance to raise a PR?

v-rbajaj commented 1 year ago

Hi @azurekid, did you raise a PR? Please provide some response; that would be really appreciated.

azurekid commented 1 year ago

Hi,

Sorry, data is really horrible here. Got a 150 kbps connection 🙈 I have created the code locally, but I am not able to test due to connection limitations.

azurekid commented 1 year ago

Hi, I have created a PR #8690 for issue #8105

On line six I have added the following to define local ranges:

let LocalNetworks=dynamic(["169.254.0.0/16","127.0.0.0/8"]);

On line nine the results are filtered based on the LocalNetworks:

| where not (ipv4_is_in_any_range(DstIpAddr, LocalNetworks))

I also did some code alignment, fixed a typo in the description, and added 2 private ranges

All pipeline tests are completed successfully @rweirtbg @v-rbajaj
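As an added illustration (not part of this thread, and not the Azure-Sentinel rule's own code), the following Python emulates the two filter stages discussed here over a handful of constructed ASIM-style session rows. The first stage mirrors the original `| where not(ipv4_is_private(DstIpAddr))`; the second mirrors the PR's `LocalNetworks` exclusion with `ipv4_is_in_any_range`. The assumption that `ipv4_is_private()` covers exactly the three RFC 1918 blocks is taken from the Kusto documentation linked above; the row values are made up.

```python
import ipaddress

# RFC 1918 blocks: what KQL's ipv4_is_private() recognizes, per the Kusto docs (assumption).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Mirror of the PR's `let LocalNetworks=dynamic(["169.254.0.0/16","127.0.0.0/8"]);`
# Link-local and loopback are not covered by ipv4_is_private().
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("169.254.0.0/16", "127.0.0.0/8")]


def ipv4_is_private(addr: str) -> bool:
    """Emulates KQL ipv4_is_private(): true only for the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def ipv4_is_in_any_range(addr: str, ranges) -> bool:
    """Emulates KQL ipv4_is_in_any_range() against a list of CIDR networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def original_filter(sessions):
    """Original rule: only `| where not(ipv4_is_private(DstIpAddr))`."""
    return [s for s in sessions if not ipv4_is_private(s["DstIpAddr"])]


def patched_filter(sessions):
    """Patched rule: adds `| where not(ipv4_is_in_any_range(DstIpAddr, LocalNetworks))`."""
    return [
        s for s in sessions
        if not ipv4_is_private(s["DstIpAddr"])
        and not ipv4_is_in_any_range(s["DstIpAddr"], LOCAL_NETWORKS)
    ]


# Constructed ASIM-style network session rows (not real telemetry).
SAMPLE_SESSIONS = [
    {"SrcIpAddr": "10.1.2.3", "DstIpAddr": "203.0.113.7",     "DstPortNumber": 443},
    {"SrcIpAddr": "10.1.2.3", "DstIpAddr": "169.254.169.254", "DstPortNumber": 80},
    {"SrcIpAddr": "10.1.2.3", "DstIpAddr": "127.0.0.1",       "DstPortNumber": 8080},
    {"SrcIpAddr": "10.1.2.3", "DstIpAddr": "192.168.50.10",   "DstPortNumber": 445},
    {"SrcIpAddr": "10.1.2.3", "DstIpAddr": "172.31.0.9",      "DstPortNumber": 22},
    {"SrcIpAddr": "10.1.2.3", "DstIpAddr": "198.51.100.23",   "DstPortNumber": 443},
]


def surviving_destinations(filter_fn, sessions=SAMPLE_SESSIONS):
    """Destination IPs a given filter would still hand on to the beaconing logic."""
    return [s["DstIpAddr"] for s in filter_fn(sessions)]


if __name__ == "__main__":
    print("original:", surviving_destinations(original_filter))
    print("patched: ", surviving_destinations(patched_filter))
```

With the original filter, both the link-local and the loopback destinations survive and can be scored as beaconing; with the patched filter only the two routable destinations remain. The link-local exclusion matters in cloud workloads in particular: agents poll the instance metadata service at 169.254.169.254 on a regular cadence, which is exactly the periodic pattern a beaconing rule looks for.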

v-rbajaj commented 1 year ago

Hi @rweirtbg, thanks for raising the PR. We will soon review it and provide you an update.

azurekid commented 1 year ago

Hi @rweirtbg, thanks for raising the PR. We will soon review it and provide you an update.

LoL, I made the PR, not @rweirtbg 😉

v-rbajaj commented 1 year ago

Hi @rweirtbg, thanks for raising the PR. We will soon review it and provide you an update.

LoL, I made the PR, not @rweirtbg 😉

Really sorry on that, thanks for raising the PR @azurekid, we are reviewing the PR and we will soon get back to you.

v-rbajaj commented 1 year ago

Hi all, we are still reviewing the PR, we will get back to you once there is an update.

vakohl commented 1 year ago

@v-rbajaj @azurekid PR is approved.
