Reduced Output from ThreatIntelligence (NEW) IP Analysis Rules Compared to Legacy Rules
**Describe the bug**
The analysis rules for IP addresses in ThreatIntelligence (NEW) appear to be selecting indicators based on the following condition:
```kql
| where IndicatorType == "ipv4-addr"
```
However, the number of IP addresses retrieved using this condition is significantly lower compared to the previous rules that referenced the legacy table.
I believe this is because the new ThreatIntelIndicators table contains IP address indicators not only with IndicatorType == "ipv4-addr" but also with IndicatorType == "network-traffic". Therefore, I suggest the condition should be updated to:
```kql
| where IndicatorType == "ipv4-addr" or IndicatorType == "network-traffic"
```
to ensure all relevant IP address indicators are captured.
**To Reproduce**
N/A
**Expected behavior**
I expect that by using the ThreatIntelligence (NEW) rules as-is, the detection coverage for IP addresses should be comparable to that of the previous rules.
**Screenshots**
```kql
let NEWAnalyticsRule = ThreatIntelIndicators
    | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
    | where IndicatorType == "ipv4-addr"
    | summarize count()
    | extend TableName = "NEWAnalyticsRule";
let PrevAnalyticsRule = ThreatIntelligenceIndicator
    | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
    | summarize count()
    | extend TableName = "PrevAnalyticsRule";
let NWtrafficAnalyticsRule = ThreatIntelIndicators
    | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
    | where IndicatorType == "ipv4-addr" or IndicatorType == "network-traffic"
    | summarize count()
    | extend TableName = "NWTrafficAnalyticsRule";
PrevAnalyticsRule
| union NEWAnalyticsRule, NWtrafficAnalyticsRule
```
When executing this KQL, the results appear as shown in the attached screenshot. Based on this, I believe that using the condition
`| where IndicatorType == "ipv4-addr"`
significantly reduces the number of relevant IP addresses compared to the previous analysis rules.
Even when using the condition
`| where IndicatorType == "ipv4-addr" or IndicatorType == "network-traffic"`
the number of results still differs slightly from the previous rules, which is also a point of concern.
**Desktop (please complete the following information):**
- OS: N/A
- Browser: N/A
- Version: N/A

**Smartphone (please complete the following information):**
- Device: N/A
- OS: N/A
- Browser: N/A
- Version: N/A

**Additional context**
N/A
It would also be very helpful if you could clarify how IP addresses are handled differently in the ThreatIntelIndicators table when the IndicatorType is "ipv4-addr" versus "network-traffic".
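To make the coverage gap the issue describes measurable offline, here is an added Python example (not part of the issue or the Azure-Sentinel repository). It mirrors the rule's `IndicatorType` extraction from `ObservableKey`, counts what the narrow and the broadened filter each keep, and reports which indicator types still carry IPv4 values but fall outside the filter, which is how the residual difference mentioned above can be chased down. The rows are constructed, and `ObservableValue` is an assumed name for the column holding the indicator's value.

```python
import ipaddress
import re

# Constructed sample rows standing in for ThreatIntelIndicators (not real Sentinel data).
# ObservableKey appears in the issue; ObservableValue is an assumed column name.
SAMPLE_ROWS = [
    {"ObservableKey": "ipv4-addr:value", "ObservableValue": "203.0.113.10"},
    {"ObservableKey": "ipv4-addr:value", "ObservableValue": "203.0.113.11"},
    {"ObservableKey": "network-traffic:src_ref.value", "ObservableValue": "198.51.100.7"},
    {"ObservableKey": "network-traffic:dst_ref.value", "ObservableValue": "198.51.100.8"},
    {"ObservableKey": "domain-name:value", "ObservableValue": "example.test"},
    {"ObservableKey": "ipv6-addr:value", "ObservableValue": "2001:db8::1"},
]

NARROW_FILTER = {"ipv4-addr"}                       # the filter the rules shipped with
BROAD_FILTER = {"ipv4-addr", "network-traffic"}     # the filter proposed in the issue


def indicator_type(observable_key: str) -> str:
    """Mirror the rule's KQL: text before the first ':' with any [ ] and quotes removed
    (KQL's tostring(split(...)) wraps the part in brackets and quotes, hence the strip)."""
    return re.sub(r'[\[\]"]', "", observable_key.split(":", 1)[0])


def is_ipv4(value: str) -> bool:
    """True only for a syntactically valid IPv4 address (IPv6 and domains return False)."""
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:
        return False


def count_matching(rows, accepted_types) -> int:
    """Rows an analytics rule keeps when filtering IndicatorType against accepted_types."""
    return sum(1 for r in rows if indicator_type(r["ObservableKey"]) in accepted_types)


def ipv4_types_excluded(rows, accepted_types) -> dict:
    """Indicator types that hold IPv4 values yet are dropped by the filter: the coverage gap."""
    gap = {}
    for r in rows:
        t = indicator_type(r["ObservableKey"])
        if t not in accepted_types and is_ipv4(r["ObservableValue"]):
            gap[t] = gap.get(t, 0) + 1
    return gap


if __name__ == "__main__":
    for name, flt in (("narrow", NARROW_FILTER), ("broad", BROAD_FILTER)):
        print(name, count_matching(SAMPLE_ROWS, flt), ipv4_types_excluded(SAMPLE_ROWS, flt))
```

Against a real workspace the same grouping is done in KQL by summarizing on the extracted `IndicatorType` for rows whose value parses as an IPv4 address, then comparing that list with the rule's filter.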
@NobufumiMurata, thanks for flagging this issue. We will investigate it and get back to you with some updates. Thanks!
Hi @NobufumiMurata, we have shared this issue with the relevant team, and they have acknowledged it. Once a PR is raised with the necessary changes, we will link it to the issue and notify you.
Thanks!
This is resolved and reflected in the newest rules update in the Analytics rules in Threat Intelligence (NEW) folder here: https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence%20(NEW)
#12386
@v-sudkharat this issue can be closed.
@oliviahuegel, Thanks for the update.
@NobufumiMurata, Closing this issue. If you still need support for this issue, feel free to re-open it any time. Thank you for your co-operation.