Lab 10 - Azure: using CrowdStrike to look up malicious IP addresses
You discovered that Sumo Logic can access CrowdStrike threat intelligence from within your queries. This can provide valuable insight into malicious actors trying to access your corporate network.
Use the CrowdStrike lookup functionality.
- Create a new log search query, looking at log data for the last 24 hours, and select Azure Active Directory (AD) as your source category. Your query will look like this:
_sourceCategory="Labs/Azure/AD"
- Parse the fields identity and callerIpAddress from the JSON as user and ip. Filter out the rows where ip is null. Your query should look like this:
_sourceCategory=Labs/Azure/AD
| json "identity","callerIpAddress" as user, ip nodrop
| where ip != "<null>"
- You are now ready to use the lookup command for CrowdStrike. You will need to pass the IP address into your lookup. Your code should look like this:
_sourceCategory=Labs/Azure/AD
| json "identity","callerIpAddress" as user, ip nodrop
| where ip != "<null>"
| lookup type, actor, raw, threatlevel from sumo://threat/cs on threat=ip
- Now filter where threatlevel="high" to focus on major threats, and count by user, ip and actor. Your code will look like this:
_sourceCategory=Labs/Azure/AD
| json "identity","callerIpAddress" as user, ip nodrop
| where ip != "<null>"
| lookup type, actor, raw, threatlevel from sumo://threat/cs on threat=ip
| where threatlevel="high"
| count by user, ip, actor
Your results will look like this.
You now have a query that gives you the user ID, their IP address and the associated threat actor, ordered by count. You can then investigate this further using what you have learned in previous exercises.
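As an added example (not part of the lab and not Sumo Logic's or CrowdStrike's own code), the same pipeline expressed in Python so you can see each stage's effect on the rows: parse the two fields with a "<null>" stand-in for a missing callerIpAddress (the nodrop behaviour), drop null IPs, enrich from a lookup table keyed by IP, keep only high-threat rows, then count by user, IP and actor. The Azure AD records, the threat-feed entries and the actor names are all constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample Azure AD activity records (not real log data).
AZURE_AD_LOGS = [
    '{"identity": "alice@example.com", "callerIpAddress": "203.0.113.10", "operationName": "Sign-in activity"}',
    '{"identity": "bob@example.com", "callerIpAddress": "198.51.100.7", "operationName": "Sign-in activity"}',
    '{"identity": "alice@example.com", "callerIpAddress": "203.0.113.10", "operationName": "Sign-in activity"}',
    '{"identity": "svc-backup", "operationName": "Update application"}',  # no callerIpAddress -> null ip
    '{"identity": "carol@example.com", "callerIpAddress": "192.0.2.44", "operationName": "Sign-in activity"}',
]

# Constructed stand-in for the CrowdStrike feed behind sumo://threat/cs, keyed by indicator (ip).
THREAT_FEED = {
    "203.0.113.10": {"type": "ip_address", "actor": "EXAMPLE-ACTOR-1", "threatlevel": "high"},
    "198.51.100.7": {"type": "ip_address", "actor": "EXAMPLE-ACTOR-2", "threatlevel": "medium"},
}

def parse_records(lines):
    """Equivalent of `json "identity","callerIpAddress" as user, ip nodrop`:
    every record is kept, and a missing field is represented as "<null>"."""
    rows = []
    for line in lines:
        rec = json.loads(line)
        rows.append({"user": rec.get("identity", "<null>"),
                     "ip": rec.get("callerIpAddress", "<null>")})
    return rows

def enrich(rows, feed):
    """Equivalent of `where ip != "<null>"` followed by the lookup on threat=ip.
    Rows with no feed match keep None for the lookup fields instead of being dropped."""
    out = []
    for row in rows:
        if row["ip"] == "<null>":
            continue
        hit = feed.get(row["ip"], {})
        out.append({**row,
                    "actor": hit.get("actor"),
                    "threatlevel": hit.get("threatlevel")})
    return out

def high_threat_counts(lines, feed=THREAT_FEED):
    """Equivalent of `where threatlevel="high" | count by user, ip, actor`."""
    rows = enrich(parse_records(lines), feed)
    counts = Counter((r["user"], r["ip"], r["actor"])
                     for r in rows if r["threatlevel"] == "high")
    return [{"user": u, "ip": ip, "actor": a, "_count": n}
            for (u, ip, a), n in counts.items()]
```

Running high_threat_counts(AZURE_AD_LOGS) returns one row for alice with a count of 2; bob's medium-level hit, carol's unmatched IP and the record with no caller IP are all excluded, mirroring what the lab query does.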