How can we improve Microsoft Azure Security Center?

False Positives in Security and Audit

Since a few weeks your Security and Audit solution has been showing a lot of false positives for malicious incoming and outgoing Internet traffic, like Twitter, Verisign, Microsoft (WTF??)

11 votes

Stefan shared this idea

Thank you for your feedback.
The malicious IP addresses are coming to OMS from multiple 3rd-party feeds.
The IP addresses are being updated on a regular basis; if the issue fixed itself, let us know.
If not, send us several examples of IP addresses so we can investigate.
Thank you in advance,
OMS PM Team

9 comments

  • Matt commented

    When a malicious IP is flagged there should be some indication as to why or what is going on. When I check the IP against other sources there is almost never a report at any of the other security vendors. It appears that many of the flags are the result of an ad network displaying an ad on a webpage and therefore not a security incident that needs to be monitored or resolved.

  • Daniel Frei commented

    We are getting a lot of false positives from the Security and Audit solution as well. The IP 221.134.221.114 is getting flagged but it is the IP address of one of our customers.

  • Imran Kamaluddin commented

    Hello,
    We are also getting multiple malicious IP addresses being logged by DNS Analytics. However, when reviewed by our security team, they say these results are false positives being produced by DNS Analytics.

    Can you provide reasons why the IP addresses are deemed malicious?

  • Graham Pinkston commented

    Your Security and Audit solution is FAR too chatty and there needs to be a way on the customer end to adjust thresholds for malicious IPs.

  • v-pradeepnair commented

    Hi Admin,
    What is the status of the below query which I posted last week? I am still receiving multiple malicious IP threats.
    There is no update regarding my posted feedback. Please keep me posted on the below query ASAP.

  • v-pradeepnair commented

    Hi,
    Suspicious malicious IP addresses are being generated, and below are the multiple IPs that are being flagged as malicious but are not. We are wondering whether these are genuine alerts and whether they are doing any suspicious activity on the network.
    23.62.6.33
    72.21.81.253
    23.62.6.170

    Could you please revert back on the queries below.

    1. Do we know what the network traffic is doing to/from this IP address?
    2. Do we know the specific application/website from which this traffic is being generated?
    3. Do we know the RDP user from which this originated, if it is from an RD user, or whether the traffic is related to websites? If so, do we know further details?
    4. What is the region/location of the root-causing IP address?

  • Marco commented

    Below are multiple IPs that are being flagged as malicious that are not. DNS Analytics (preview) is not really useful until you can reduce the number of false positives (currently 40%).

    72.21.81.253
    185.188.32.3
    185.188.32.1
    66.96.149.32

  • Ralf commented

    We see that Twitter is seen as a phishing site.

    We get email alerts every few minutes when one of us is on the Twitter site.

    Twitter IP Addresses:
    http://bgp.he.net/AS13414#_prefixes

    1/2/2017 10:00:16.000 AM | WireData
    ...Description:Address is a known phish
    ...RemoteIPCountry:United States
    ...RemoteIP:104.244.42.1
    ...IndicatorThreatType:phish
    ...TLPLevel:Amber

    1/2/2017 8:03:22.000 AM | WireData
    ...Description:Address is a known phish
    ...RemoteIPCountry:United States
    ...RemoteIP:199.16.156.75
    ...IndicatorThreatType:phish
    ...TLPLevel:Amber

    12/28/2016 4:15:54.000 PM | WireData
    ...Description:Address is a known phish
    ...RemoteIPCountry:United States
    ...RemoteIP:199.16.156.11
    ...IndicatorThreatType:phish
    ...TLPLevel:Amber
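As an added example (not from this thread and not Microsoft's code), here is a small Python triage helper that parses WireData records in the format quoted above and separates alerts whose RemoteIP falls inside a prefix you have verified as benign from those that still need review. The allowlist prefix is a constructed placeholder (not a statement about who owns that range), and the field names are taken from the quoted records.

```python
import ipaddress
import re

# Constructed sample: two of the WireData records quoted in the comment above.
SAMPLE_ALERTS = """\
1/2/2017 10:00:16.000 AM | WireData
...Description:Address is a known phish
...RemoteIPCountry:United States
...RemoteIP:104.244.42.1
...IndicatorThreatType:phish
...TLPLevel:Amber

1/2/2017 8:03:22.000 AM | WireData
...Description:Address is a known phish
...RemoteIPCountry:United States
...RemoteIP:199.16.156.75
...IndicatorThreatType:phish
...TLPLevel:Amber
"""

# Placeholder allowlist (assumed for the example, not anyone's real ranges):
# fill it only from prefixes you have verified yourself, e.g. the AS list linked above.
VERIFIED_BENIGN_PREFIXES = ["104.244.42.0/24"]
HEADER = re.compile(r"^(?P<ts>\S+ \S+ [AP]M) \| (?P<type>\w+)$")

def parse_alerts(text):
    """One dict per record; '...Key:Value' lines become that record's fields."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            records.append({"Timestamp": m.group("ts"), "Type": m.group("type")})
        elif line.startswith("...") and ":" in line and records:
            key, value = line[3:].split(":", 1)
            records[-1][key.strip()] = value.strip()
    return records

def triage(records, allow_prefixes):
    """Split records into (suppressed, to_review); unparsable IPs go to review."""
    nets = [ipaddress.ip_network(p) for p in allow_prefixes]
    suppressed, review = [], []
    for rec in records:
        try:
            ip = ipaddress.ip_address(rec.get("RemoteIP", ""))
        except ValueError:
            review.append(rec)  # never silently drop a malformed record
            continue
        (suppressed if any(ip in n for n in nets) else review).append(rec)
    return suppressed, review
```

Suppressed alerts should still be kept in a log for periodic review, since an allowlisted service can itself be abused.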
