Potential `api.monitor.azure.com` False Positive #427

0xThiebaut · 2024-01-19T11:17:59Z

Microsoft Sentinel relies on api.loganalytics.io, which is the documented API endpoint for Azure's Log Analytics. An example of issued request is the following one:

POST https://api.loganalytics.io/v1/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.OperationalInsights/workspaces/REDACTED/metadata?select=categories,solutions,tables,workspaces

The api.loganalytics.io domain is however indirectly blocked as it is a CNAME for api.monitor.azure.com which is on the block-list.

> api.loganalytics.io
Server:  REDACTED
Address:  REDACTED

Name:    api.loganalytics.io
Addresses:  ::
          0.0.0.0

> set type=CNAME
> api.loganalytics.io
Server:  REDACTED
Address:  REDACTED

api.loganalytics.io     canonical name = api.monitor.azure.com

This causes Azure to break.

While I have added an exception for it, it might be worth considering whether the api.monitor.azure.com block is intentional.

The text was updated successfully, but these errors were encountered:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Potential `api.monitor.azure.com` False Positive #427

Potential `api.monitor.azure.com` False Positive #427

0xThiebaut commented Jan 19, 2024

Potential api.monitor.azure.com False Positive #427

Potential api.monitor.azure.com False Positive #427

Comments

0xThiebaut commented Jan 19, 2024

Potential `api.monitor.azure.com` False Positive #427

Potential `api.monitor.azure.com` False Positive #427