Azure : troubles with the azure-public-cloudIPsWithServiceTags Miner, same prefix in multiple Azure Regions

CSavoy — Thu, 04 Feb 2021 07:00:27 GMT

Hello,

Using Miner "azure-public-cloudIPsWithServiceTags", I'm trying to get all the subnets from the Azure Region "switzerlandn".

I am using a filter I found in this forum :

-   actions:
    - accept
    conditions:
    - azure_region == 'switzerlandn'
    - share_level == 'green'
    name: accept azure IP for region switzerlandn

But it doesn't work... I have only a few prefixes

Looking at the .json file, I found the missing prefixes in 2 sections, the first is my "switzerlandn" section, the other has no label :

"name": "AzureCloud",
"id": "AzureCloud",
"properties": {
"changeNumber": 61,
"region": "",
"regionId": 0,
"platform": "Azure",
"systemService": "",
"addressPrefixes": [
"13.64.0.0/16",
"13.65.0.0/16",

...

Looking at Minemeld's logs, I see the following for a missing prefix (ouput of azure-public-cloudIPsWithServiceTags Miner) :

"_age_out": 4294967295000,
"confidence": 100,
"azure_system_service_list": [
""
],
"azure_platform_list": [
"azure"
],
"azure_region": "",
"share_level": "green",
"azure_platform": "Azure",
"_last_run": 1612367795560,
"sources": [
"azure-public-cloudIPsWithServiceTags"
],
"azure_name": "AzureCloud",
"azure_name_list": [
"azurecloud",
"azurecloud.switzerlandn"
],
"azure_id_list": [
"azurecloud",
"azurecloud.switzerlandn"
],
"azure_region_list": [
"",
"switzerlandn"
],
"azure_system_service": "",
"first_seen": 1611921383932,
"azure_id": "AzureCloud",
"type": "IPv4",
"last_seen": 1611921383932
}

Did you see the value of azure_region and the azure_region_list ? This explains why my filter (azure_region == "switzerlandn") doesn't work. The Miner puts in the "azure_region" field the last value it read from the .json file... And in my case the last value is ""...

Now my questions :

- I'm looking for a filter that will test if "switzerlandn" is contained in the azure_region_list. Any idea ?

- Or a way to modify the Miner, to avoid the "concatenation" of the prefixes that appear twice in the .json file.

Any idea ?

Thanks for your help !

Christophe

Re: Azure : troubles with the azure-public-cloudIPsWithServiceTags Miner, same prefix in multiple Azure Regions

CSavoy — Thu, 04 Feb 2021 10:00:07 GMT

I found the answer here, thank you Dpurton

https://live.paloaltonetworks.com/t5/minemeld-discussions/azure-active-directory-ip-ranges/m-p/310699#M3569

Here is my final filter :

infilters:
-   actions:
    - accept
    conditions:
    - __method == 'withdraw'
    name: accept withdraws
-   actions:
    - accept
    conditions:
    - contains(azure_region_list, 'switzerlandn') == true
    name: accept switzerlandn
-   actions:
    - drop
    name: drop all

Apply this filter into an aggregator of type "stdlib.aggregatorIPv4Generic" and you will get all the prefixes for the desired region. If you need many regions, just add many actions, like this :

- actions:
  - accept
  conditions:
  - contains(azure_region_list, 'switzerlandn') == true
  name: accept switzerlandn
- actions:
  - accept
  conditions:
  - contains(azure_region_list, 'northeurope') == true
  name: accept northeurope

topic Azure : troubles with the azure-public-cloudIPsWithServiceTags Miner, same prefix in multiple Azure Regions in General Topics

Azure : troubles with the azure-public-cloudIPsWithServiceTags Miner, same prefix in multiple Azure Regions

Re: Azure : troubles with the azure-public-cloudIPsWithServiceTags Miner, same prefix in multiple Azure Regions