Hello Nimantha, it looks like your Microsoft Sentinel setup is mislabeling inbound traffic as outbound, impacting security monitoring. This likely stems from incorrect log configuration (source misidentification, NAT issues, asymmetric routing, schema mismatch) or Sentinel configuration errors (KQL query flaws, analytics rule logic, data connector problems). I suggest you troubleshoot by inspecting raw logs, simplifying queries, focusing on specific examples, doing network analysis, checking for updates, verifying data connectors and ensuring accurate TrafficDirection field interpretation.
It sounds like there might be a misconfiguration or an issue with how traffic direction is being interpreted by Microsoft Sentinel. Here are a few steps you can take to troubleshoot this:
- Ensure that the logic used to determine traffic direction (inbound vs. outbound) is correctly implemented in your queries and rules. For example, you can check if the source IP is an internal IP and the destination IP is an external IP to determine if the traffic is outbound.
Example query:
SecurityEvent
| where SourceIP startswith "10." // internal IP range
| where DestinationIP !startswith "10." // external IP range
| project SourceIP, DestinationIP, Direction = "Outbound"
- Verify that the data sources providing the traffic logs are correctly configured and that they include accurate source and destination IP information.
- Modify your queries to double-check the traffic direction. For example, you can add additional filters or conditions to ensure that the traffic direction is correctly labeled.
SecurityEvent
| extend Direction = case(
    SourceIP startswith "10." and DestinationIP !startswith "10.", "Outbound", // internal -> external
    DestinationIP startswith "10." and SourceIP !startswith "10.", "Inbound",  // external -> internal
    "Unknown") // both internal, both external, or a missing/malformed IP
| project SourceIP, DestinationIP, Direction
References:
- Microsoft Sentinel Documentation
- https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog-ama
- https://docs.azure.cn/en-us/sentinel/cef-syslog-ama-overview
Let me know if you need more help after your checks.
If the information helped address your question, please Accept the answer. Luis
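An added example (my own code, not from the answer above or the question's environment) that reproduces the answer's "10." prefix heuristic in Python next to an RFC 1918 range check and lists the records the two methods classify differently. The sample events are constructed, and the range check deliberately covers all three private ranges, which goes beyond the answer's 10.x-only check.

```python
import ipaddress

# Constructed sample traffic records (not from the question's environment).
SAMPLE_EVENTS = [
    {"SourceIP": "10.1.2.3",     "DestinationIP": "8.8.8.8"},       # outbound
    {"SourceIP": "203.0.113.9",  "DestinationIP": "10.0.0.7"},      # inbound
    {"SourceIP": "172.16.0.5",   "DestinationIP": "8.8.8.8"},       # outbound, missed by "10." prefix
    {"SourceIP": "198.51.100.4", "DestinationIP": "192.168.1.20"},  # inbound, missed by "10." prefix
    {"SourceIP": "10.1.1.1",     "DestinationIP": "10.2.2.2"},      # internal-only (lateral)
    {"SourceIP": "not-an-ip",    "DestinationIP": "10.0.0.1"},      # malformed field
]

# RFC 1918 ranges; the answer's startswith "10." check only covers the first of them.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    # True when ip parses and falls in an RFC 1918 range; malformed values count as not internal.
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def naive_direction(src: str, dst: str) -> str:
    # The prefix heuristic from the answer's case() expression, reproduced for comparison.
    if src.startswith("10.") and not dst.startswith("10."):
        return "Outbound"
    if dst.startswith("10.") and not src.startswith("10."):
        return "Inbound"
    return "Unknown"

def classify_direction(src: str, dst: str) -> str:
    # Range-based classification; separates internal-only traffic from truly unknown cases.
    s, d = is_internal(src), is_internal(dst)
    if s and not d:
        return "Outbound"
    if d and not s:
        return "Inbound"
    if s and d:
        return "Internal"
    return "Unknown"

def find_mislabeled(events):
    # Return (src, dst, naive_label, range_label) for records where the two methods disagree.
    out = []
    for e in events:
        src, dst = e["SourceIP"], e["DestinationIP"]
        n, r = naive_direction(src, dst), classify_direction(src, dst)
        if n != r:
            out.append((src, dst, n, r))
    return out
```

Running find_mislabeled(SAMPLE_EVENTS) flags the three rows the prefix heuristic labels "Unknown"; the same comparison against your own exported rows shows which records a narrow prefix rule is mislabeling.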