Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Microsoft Azure Datacenter IP Ranges

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Microsoft Azure Datacenter IP Ranges

L1 Bithead

Hi Luigi,

 

One of my customers needs to allow traffic to Microsoft Azure Datacenter IP Ranges for Microsoft Power Bi. Any plans to add a miner for it?

The URL source is http://www.microsoft.com/EN-US/DOWNLOAD/confirmation.aspx?id=41653

The file is in XML format

I tried to create a new prototype but I couldn't find an XML class. Are you planning to add it?

 

Thanks,

14 REPLIES 14

L7 Applicator

Hi Mauricio,

there is no Miner for Azure IP Ranges yet, but it will be easy to add. It will be added for the next minor release, sometime next week.

I have created minemeld-core enhancement #14 to track this.

 

I have also created enhancement #15 and #16 to track development of Miner for GCE and Google IP ranges.

Hi,

did you solve your issue? i also need to import azure ip range to palo.

thank you in advance

Yes, Miners for GCE, Google IPs and Azure are now available in MineMeld.

@lmori

 

I can see the prototype for the azure ranges on the Github page. But how do I go about adding it into my minemeld config? Total rookie here.

 

Cheers

Hi @El-ahrairah,

just go to CONFIG, press IMPORT and copy & paste the following. Click on APPEND and then COMMIT. After the COMMIT you will find a new output node under NODES called azureIPv4s with the list of IPs used by Azure.

 

 

nodes:
  azure_cloudIPs:
    inputs: []
    output: true
    prototype: azure.cloudIPs
  cloud_IPv4s:
    inputs:
      - azure_cloudIPs
    output: true
    prototype: stdlib.aggregatorIPv4Generic
  azureIPv4s:
    inputs:
      - cloud_IPv4s
    output: false
    prototype: stdlib.feedHCWithValue

 

L1 Bithead

@lmori

 

Right now, there's only one miner for all Azure Datacenter IPs -- there's an opportunity to split by region (e.g. USWest, USEast, etc) so that Minemeld users can more granularly select what IPs they want.

 

Is there any thought to expanding out the miner definitions so that there's one per region?

 

Thanks!

 

 

@michaelseto : The azure miner attachs the azure_region attribute to the indicators. You can see it in the miner logs.

{
    "_age_out": 4294967295000,
    "confidence": 100,
    "azure_region": "uksouth",
    "share_level": "green",
    "_last_run": 1507016882946,
    "sources": [
        "azure.xml"
    ],
    "first_seen": 1507016882946,
    "type": "IPv4",
    "last_seen": 1507016882946
}

That means that you can use the output node input filter capabilities to accept/drop indicators based on that indicator's attribute value. For instance, the following 'infilters' configuration would only accept indicators for the region 'uksouth'

 

infilters:
-   actions:
    - accept
    conditions:
    - __method == 'withdraw'
    name: accept withdraws
-   actions:
    - accept
    conditions:
    - azure_region == 'uksouth'
    - share_level == 'green'
    name: accept azure IP for region uksouth
-   actions:
    - drop
    name: drop all

Ah thank you @xhoms.

 

Your solution is more elegant than my own.

 

I ended up modifying some of the python (/opt/minemeld/engine/core/minemeld/ft/azure.py) and creating new miner prototypes per region.

 

At least I learned something? haha.

 

-Mike

Hi @michaelseto,

nice ! could you send us a pull request on the github repo ?

 

luigi

Can anybody suggest where I can learn about how to apply/modify the mentioned  "output node input filter capabilities"?     I guess my question is -- where would I put input filter code such as is shown here?  

 

Thanks,

It would like something like this

 

nodes:
  azure_cloudIPs:
    inputs: []
    output: true
    prototype: azure.cloudIPs
  cloud_IPv4s:
    inputs:
      - azure_cloudIPs
    output: true
    prototype: stdlib.aggregatorIPv4Generic
  azure_IPv4s:
    inputs:
      - cloud_IPv4s
    output: false
    prototype: stdlib.feedHCWithValue
  azure_uksouth_IPv4s:
    inputs:
      - cloud_IPv4s
    output: false
    prototype: stdlib.feedHCWithValue
    config:
infilters: - actions: - accept conditions: - __method == 'withdraw' name: accept withdraws - actions: - accept conditions: - azure_region == 'uksouth' - share_level == 'green' name: accept azure IP for region uksouth - actions: - drop name: drop all

 

Hi All

 

I've got a follow on to this discussion.  I've tried the Azure IP miner and it works nicely, but it doesn't give the level of granularity that I need.  It lists prefixes by azure region, but not by Azure service.

 

I need to end with a list of IP addresses by PaaS service, specifically storage & sql in my case.  There is a differnet url that holds all the prefixes in json format here - https://www.microsoft.com/en-us/download/confirmation.aspx?id=56519

 

Does anyone have a miner prototype that can do this?

 

Thanks

Thanks for the suggestion, I opened a FR to track this: https://github.com/PaloAltoNetworks/minemeld-core/issues/311

Hello,

did you see the link used will be deprecated by June 30, 2020

 

IP Ranges for each cloud, broken down by region and by the tagged services in that cloud are now available on MS Download: Public: https://www.microsoft.com/en-us/download/details.aspx?id=56519
US Gov: http://www.microsoft.com/en-us/download/details.aspx?id=57063
Germany: http://www.microsoft.com/en-us/download/details.aspx?id=57064
China: http://www.microsoft.com/en-us/download/details.aspx?id=57062

These JSON files are updated weekly and include versioning both for the full file and each individual service tag in that file. The “AzureCloud” tag provides the IP ranges for that entire cloud (Public, USGov, Germany, China) and is also broken out by region within that cloud. Finally, the list of service tags in the file will be increasing as we’re constantly onboarding new azure teams to service tags.

  • 22392 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!