How can we improve Microsoft Azure Security Center?

False Positives in Security and Audit

For a few weeks now your Security and Audit solution has been showing a lot of false positives for malicious incoming and outgoing Internet traffic, like Twitter, Verisign, Microsoft (WTF??)

11 votes

    Stefan shared this idea

    Thank you for your feedback.
    The malicious IP addresses are coming to OMS from multiple 3rd-party feeds.
    The IP addresses are being updated on a regular basis; if the issue fixed itself, let us know.
    If not, send us several examples of IP addresses so we can investigate.
    Thank you in advance,
    OMS PM Team

    9 comments

      • Matt commented

        When a malicious IP is flagged there should be some indication as to why or what is going on. When I check the IP against other sources there is almost never a report at any of the other security vendors. It appears that many of the flags are the result of an ad network displaying an ad on a webpage and therefore not a security incident that needs to be monitored or resolved.

      • Daniel Frei commented

        We are getting a lot of false positives from the Security and Audit solution as well. The IP 221.134.221.114 is getting flagged but it is the IP address of one of our customers.

      • Imran Kamaluddin commented

        Hello,
        We are also getting multiple Malicious IP addresses being logged by DNS Analytics. However, when reviewed by our security team, they say these results are false positives being produced by DNS Analytics.

        Can you provide reasons why the IP addresses are deemed malicious?

      • Graham Pinkston commented

        Your Security and Audit solution is FAR too chatty, and there needs to be a way on the customer end to adjust thresholds for malicious IPs.

      • v-pradeepnair commented

        Hi Admin,
        What is the status of the below query which I posted last week? I am still receiving multiple malicious IP threats.
        There is no update regarding my posted feedback. Please keep me posted on the below query ASAP.

      • v-pradeepnair commented

        Hi,
        Suspicious malicious IP addresses were generated, and below are the multiple IPs that are being flagged as malicious but are not. We are unsure whether these are genuine alerts and whether they are doing any suspicious activity on the network.
        23.62.6.33
        72.21.81.253
        23.62.6.170

        Could you please revert back on the below queries.

        1. Do we know what network traffic is doing to/from this IP address?
        2. Do we know the specific application/website from which this traffic is being generated?
        3. Do we know the RDP user from which this is originated if it is from a RD user or the traffic is related to websites if so, do we know further details?
        4. What is the region/location of the root-causing IP address?

      • Marco commented

        Below are multiple IPs that are being flagged as malicious but are not. DNS Analytics (preview) is not really useful until you can reduce the amount of false positives (currently 40%).

        72.21.81.253
        185.188.32.3
        185.188.32.1
        66.96.149.32

      • Ralf commented

        We see that Twitter is seen as a phishing site.

        We get email alerts every few minutes when one of us is on the Twitter site.

        Twitter IP Addresses:
        http://bgp.he.net/AS13414#_prefixes

        1/2/2017 10:00:16.000 AM | WireData
        ...Description:Address is a known phish
        ...RemoteIPCountry:United States
        ...RemoteIP:104.244.42.1
        ...IndicatorThreatType:phish
        ...TLPLevel:Amber

        1/2/2017 8:03:22.000 AM | WireData
        ...Description:Address is a known phish
        ...RemoteIPCountry:United States
        ...RemoteIP:199.16.156.75
        ...IndicatorThreatType:phish
        ...TLPLevel:Amber

        12/28/2016 4:15:54.000 PM | WireData
        ...Description:Address is a known phish
        ...RemoteIPCountry:United States
        ...RemoteIP:199.16.156.11
        ...IndicatorThreatType:phish
        ...TLPLevel:Amber

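The WireData records Ralf quotes all fall in Twitter address space, which is exactly the kind of hit an operator-maintained allowlist should suppress before an alert e-mails anyone. The Python below is an added example, not code from Microsoft or the OMS solution: it parses the pasted `...Key:Value` record layout and splits alerts into those whose RemoteIP sits inside a verified prefix (suppressed) and those a human should still review (escalate). The allowlist prefixes and the second sample record (a documentation-range address) are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample: modelled on the first WireData record quoted above, plus a
# second record with a documentation-range address (198.51.100.7) on no allowlist.
SAMPLE_ALERTS = """\
1/2/2017 10:00:16.000 AM | WireData
...Description:Address is a known phish
...RemoteIP:104.244.42.1
...IndicatorThreatType:phish
...TLPLevel:Amber

1/2/2017 10:05:00.000 AM | WireData
...Description:Address is a known phish
...RemoteIP:198.51.100.7
...IndicatorThreatType:phish
...TLPLevel:Amber
"""

# Assumed allowlist of operator-verified prefixes (the two Twitter ranges the quoted
# RemoteIPs fall in); confirm against the AS13414 prefix list linked in the comment.
KNOWN_GOOD_PREFIXES = [ipaddress.ip_network(p) for p in ("104.244.40.0/21", "199.16.156.0/22")]

def parse_wiredata(text):
    """Split pasted '...Key:Value' alert text into one dict per record."""
    records, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("...") and current is not None:
            key, _, value = line[3:].partition(":")
            current[key] = value
        elif line and not line.startswith("..."):
            current = {"Header": line}   # a non-field line starts a new record
            records.append(current)
    return records

def is_known_good(ip):
    """True if ip lies inside an allowlisted prefix; malformed values are never 'good'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_GOOD_PREFIXES)

def triage(text):
    """Return (suppressed, escalate): allowlisted hits vs. alerts a human should review."""
    suppressed, escalate = [], []
    for rec in parse_wiredata(text):
        (suppressed if is_known_good(rec.get("RemoteIP", "")) else escalate).append(rec)
    return suppressed, escalate
```

Suppressed records should still be logged for later review, since an allowlist only stops the e-mail storm, not the underlying feed quality problem.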