topic Azure Active Directory IP ranges in General Topics

Azure Active Directory IP ranges

dpurton — Wed, 12 Feb 2020 03:32:55 GMT

Hi all,

I'm trying to use Minemeld to create an EDL that includes only the IP address ranges used by Azure AD.

I've tried a few things, but can't seem to get it to work.

My current setup is as follows

Miner = cloudIPsWithServiceTags

Processor = based on stdlib_aggregatorIPv4Generic but using the following config

infilters:
-   actions:
    - accept
    conditions:
    - __method == 'withdraw'
    name: accept withdraws
-   actions:
    - accept
    conditions:
    - type == 'IPv4'
    - azure_system_service == 'AzureAD'
    name: accept IPv4
whitelist_prefixes:
- wl

Output = feedHCGreen

The current config kinda works. It returns 7 IP address ranges, instead of the 158 that are included in the JSON. I think what is happening is that it only returns the ones that are unique to the AzureActiveDirectory name space. All the others are duplicated elsewhere in the JSON. Any ideas for how to get it to output all the values that are shown under AzureActiveDirectory, not just the unique ones?

The JSON URL is https://www.microsoft.com/en-us/download/confirmation.aspx?id=56519

The output I am currently getting is:

104.40.168.0-104.40.168.63
13.71.201.64-13.71.201.127
13.74.104.0-13.74.104.63
13.87.16.0-13.87.16.63
20.190.128.0-20.190.191.255
40.126.0.0-40.126.63.255
51.140.208.0-51.140.208.63

I've also tried to modify the miner by using the following, but neither seem to work. They return all the indicators.

extractor: values[?id=='AzureActiveDirectory'].properties[].addressPrefixes[]
or
extractor: values[?id=='AzureActiveDirectory']

Any help would be appreciated

Dan

Re: Azure Active Directory IP ranges

Farouk.Kahoul — Thu, 27 Feb 2020 16:59:07 GMT

i'm in the same situation.

i dont understand why i cannot get the IPs from the name "AzureCloud.westeurope".

my filters:

NAME	CONDITIONS	ACTIONS
accept withdraws	__method == 'withdraw'	accept
AzureActiveDirectory	share_level == 'green' type == 'IPv4' azure_name == 'AzureActiveDirectory'	accept
AzureAdvancedThreatProtection	share_level == 'green' type == 'IPv4' azure_name == 'AzureAdvancedThreatProtection'	accept
AppService	share_level == 'green' type == 'IPv4' azure_name == 'AppService'	accept
AppServiceManagement	share_level == 'green' type == 'IPv4' azure_name_list == 'AppServiceManagement'	accept
AppService.NorthEurope	share_level == 'green' type == 'IPv4' azure_name == 'AppService.NorthEurope'	accept
AzureCloud.northeurope	share_level == 'green' type == 'IPv4' azure_name == 'AzureCloud.northeurope'	accept
AppService.WestEurope	share_level == 'green' type == 'IPv4' azure_name == 'AppService.WestEurope'	accept
AzureCloud.westeurope	share_level == 'green' type == 'IPv4' azure_name == 'azurecloud.westeurope'	accept
drop all		drop

logs shows TRACE/DROP for a range:

{
"confidence": 100,
"azure_system_service_list": [
""
],
"azure_platform_list": [
"azure"
],
"azure_region": "",
"share_level": "green",
"azure_id": "AzureCloud",
"sources": [
"Azure-worldwide-miner-2"
],
"azure_name": "AzureCloud",
"azure_name_list": [
"azurecloud.westeurope",
"azurecloud"
],
"azure_id_list": [
"azurecloud.westeurope",
"azurecloud"
],
"azure_region_list": [
"",
"westeurope"
],
"azure_system_service": "",
"first_seen": 1582736638722,
"azure_platform": "Azure",
"type": "IPv4",
"last_seen": 1582736638722
}

pls advice.

Re: Azure Active Directory IP ranges

Farouk.Kahoul — Mon, 02 Mar 2020 17:16:16 GMT

think the question is: "how to build a condition to ACCEPT the entry if at least one variable is on the list"

my filter is azure_name_list == 'AzureActiveDirectory'

this one has been accepted:

azure_name_list:[azureactivedirectory]

this one has been dropped:

azure_name_list:[azureactivedirectory,azureactivedirectorydomainservices]

because this IP entry is used for both ranges "azureactivedirectory" and "azureactivedirectorydomainservices".

i tried

conditions:
- share_level == "green"
- type == "IPv4"
- contains(azure_name_list, 'AzureActiveDirectory') == true

but syntax should not be good.

is there someone able to help me on the YAML syntax to build a condition where at least the variable is present on the list?

Re: Azure Active Directory IP ranges

dpurton — Tue, 03 Mar 2020 22:41:12 GMT

So I got it working with the following setup.

- Create a new prototype based on stdlib.feedHCWithValue

- change the config with the following

infilters:
-   actions:
    - accept
    conditions:
    - __method == 'withdraw'
    name: accept withdraws
-   actions:
    - accept
    conditions:
    - contains(azure_system_service_list, 'azuread') == true
    name: accept azuread
-   actions:
    - drop
    name: drop all
store_value: true

- use the new prototype to create an output node and connect it directly to the AzureCloudIPWithRanges Miner

Re: Azure Active Directory IP ranges

Farouk.Kahoul — Wed, 04 Mar 2020 11:22:56 GMT

Merci milles Dpurton !

my experience:

- use combinations of filters as conditions: contains(xxxxxx_xxxx_list, 'lowercasename') == true

note the lowercase !

also, if you want to filter on a field that contains a "." like name or id, it seems it doesn't work, you will have to use others fields like region+service for example.

this is my prototype based on stdlib.feedHCWithValue :

infilters:
- actions:
- accept
conditions:
- __method == 'withdraw'
name: accept withdraws
- actions:
- accept
conditions:
- contains(azure_system_service_list, 'azureappservice') == true
name: accept AzureAppService
- actions:
- accept
conditions:
- contains(azure_region_list, 'northeurope') == true
- contains(azure_system_service_list, '') == true
name: accept northeurope_system_service_empty
- actions:
- accept
conditions:
- contains(azure_region_list, 'westeurope') == true
- contains(azure_system_service_list, '') == true
name: accept westeurope_system_service_empty
- actions:
- accept
conditions:
- contains(azure_system_service_list, 'azuread') == true
name: accept azuread
- actions:
- accept
conditions:
- contains(azure_system_service_list, 'azureadvancedthreatprotection') == true
name: accept AzureAdvancedThreatProtection
- actions:
- accept
conditions:
- contains(azure_system_service_list, 'azureappservicemanagement') == true
name: accept AzureAppServiceManagement
- actions:
- drop
name: drop all
store_value: true