Forum Discussion
Defender for Endpoint Github/Gitlab Connection for KQL Queries
Using externaldata will (if my understanding is correct) require a URL that is publicly available, or a URL that includes authentication, such as a SAS token when using Azure blob storage.
I honestly have no experience using GitHub, but I do not think it is possible to allow MDE as a service to access internal GitHub resources, since the connection will be made over the public internet.
1) Our public IP addresses
2) Objects in our sensitive groups etc. for checking during queries and alerts.
That we can use to enhance some of the KQL queries and signatures we use, but I'd like to have a way to reasonably secure them in our network. I'm not seeing an easy way to connect them. I don't want to set up an internal pastebin, but that may be the only option.
- Jonhed, Dec 21, 2021, Iron Contributor
Yea, I understand why you want to keep it private.
Maybe using an azure blob storage with SAS tokens would be more secure than the pastebin, but not really sure.
If you were using Microsoft Sentinel you could easily do this by importing those CSV files as watchlists, which could be used in queries, but MDE does not seem to have any convenient way to do this.
- mathurin68, Dec 22, 2021, Brass Contributor
Oh, the Microsoft Sentinel Watchlist to MDE idea actually sounds perfect!!! I found this - https://docs.microsoft.com/en-us/azure/sentinel/watchlists
And you can query Sentinel Watchlist from Defender for Endpoint?
- Jonhed, Dec 23, 2021, Iron Contributor
Sorry, I may have been a bit vague.
The watchlists can only be used within Microsoft Sentinel, and not from within MDE.
You would have to import the device logs (DeviceInfo, DeviceNetworkEvents, etc.) into Microsoft Sentinel and then run the hunting queries on the Sentinel side.
Importing the device logs can be done very easily with the Sentinel data connector.
https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?tabs=MDE#connect-to-microsoft-365-defender
You might be doing some pivoting between the Sentinel console and Microsoft 365 Defender console in some cases, but anything with queries will run better in Microsoft Sentinel.
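As an added example, not written by anyone in this thread, here are the two approaches discussed side by side for the "our public IP addresses" list: a KQL query for MDE advanced hunting that reads the CSV from Azure Blob Storage behind a SAS token via externaldata, and the same hunt in Microsoft Sentinel using a watchlist via _GetWatchlist. The storage account, container, file name, SAS token, CSV column names and the watchlist alias are placeholders/assumptions; the Sentinel version assumes the Microsoft 365 Defender connector is streaming DeviceLogonEvents into the workspace.

```kql
// --- Option A: MDE advanced hunting, list kept in Azure Blob Storage behind a SAS token ---
// Constructed example. URL and SAS token are placeholders; the CSV is assumed to have a
// header row with columns "IP" and "Label". Anyone holding the SAS URL can read the list,
// so scope the token to read-only on this one blob and give it a short expiry.
let OrgPublicIPs = externaldata(IP:string, Label:string)
    [@"https://<storageaccount>.blob.core.windows.net/<container>/org-public-ips.csv?<SAS-token>"]
    with (format="csv", ignoreFirstRecord=true);
DeviceLogonEvents
| where Timestamp > ago(7d)
| where LogonType == "RemoteInteractive" and RemoteIPType == "Public"
// leftanti keeps remote logons whose source is NOT one of our own egress addresses
| join kind=leftanti OrgPublicIPs on $left.RemoteIP == $right.IP
| project Timestamp, DeviceName, AccountName, RemoteIP, ActionType
| order by Timestamp desc

// --- Option B: Microsoft Sentinel, same CSV imported as a watchlist (alias "OrgPublicIPs") ---
// Constructed example. Assumes the watchlist has a column named "IP"; nothing leaves the
// workspace, so no public URL or SAS token is needed.
let OrgPublicIPs = _GetWatchlist('OrgPublicIPs') | project IP = tostring(IP);
DeviceLogonEvents
| where TimeGenerated > ago(7d)
| where LogonType == "RemoteInteractive" and RemoteIPType == "Public"
| join kind=leftanti OrgPublicIPs on $left.RemoteIP == $right.IP
| project TimeGenerated, DeviceName, AccountName, RemoteIP, ActionType
| order by TimeGenerated desc
```

The same pattern covers the "sensitive groups" list from the question: load a CSV of account names the same way and use `join kind=inner` on AccountName to surface activity by those accounts only.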