Forum Discussion
Defender for Endpoint Github/Gitlab Connection for KQL Queries
Hello All, We have an internal gitlab that we want to use to share CSV files for ease of input into Microsoft Defender for Endpoint for KQL queries and detections. The CSV’s are used in Mi...
Using externaldata will (if my understanding is correct) require a URL that is publicly available, or a URL that includes authentication, such as a SAS token when using Azure blob storage.
I honestly have no experience using github, but I do not think it is possible to allow MDE as a service to access internal github resources since the connection will be done over public internet.
- Hey Jonhed! It's an internal gitlab(our network), the end goal is just to have some lists -
1) Our public IP addresses
2) Objects in our sensitive groups etc. for checking during queries and alerts.
That we can use to enhance some of the KQL queries and signatures we use, but, I'd like to have to a way to reasonably secure them in our network. I'm not seeing an easy way to connect them. I don't want to set up an internal pastebin but that may be the only option.Yea, I understand why you want to keep it private.
Maybe using an azure blob storage with SAS tokens would be more secure than the pastebin, but not really sure.
If you were using Microsoft Sentinel you could easily do this by importing those CSV files as watchlists, which could be used in queries, but MDE does not seem to have any convenient way to do this.- Oh, the Microsoft Sentinel Watchlist to MDE idea actually sounds perfect!!! I found this - https://docs.microsoft.com/en-us/azure/sentinel/watchlists
And you can query Sentinel Watchlist from Defender for Endpoint?
