Forum Discussion
Defender for Endpoint Github/Gitlab Connection for KQL Queries
Yeah, I understand why you want to keep it private.
Maybe using Azure Blob Storage with SAS tokens would be more secure than the pastebin, but not really sure.
If you were using Microsoft Sentinel you could easily do this by importing those CSV files as watchlists, which could be used in queries, but MDE does not seem to have any convenient way to do this.
And you can query Sentinel Watchlist from Defender for Endpoint?
- Jonhed, Dec 23, 2021, Iron Contributor
Sorry, I may have been a bit vague.
The watchlists can only be used within Microsoft Sentinel, and not from within MDE.
You would have to import the device logs (DeviceInfo, DeviceNetworkEvents, etc.) into Microsoft Sentinel and then run the hunting queries on the Sentinel side.
Importing the device logs can be done very easily with the Sentinel data connector.
https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?tabs=MDE#connect-to-microsoft-365-defender
You might be doing some pivoting between the Sentinel console and Microsoft 365 Defender console in some cases, but anything with queries will run better in Microsoft Sentinel.
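As an added example (not code from either poster), here is what the two approaches discussed above look like in a Sentinel-side hunting query: the private CSV imported as a watchlist, and, as the alternative, the same CSV read from a private blob via a SAS URL with externaldata. The watchlist name "BlockedDomains", its "Domain" column, and the blob URL are assumptions and placeholders; option B also assumes the query runs where externaldata is supported, such as Microsoft Sentinel.

```kql
// Option A (Microsoft Sentinel): the private CSV was imported as a watchlist named
// "BlockedDomains" (assumed name) with a "Domain" column (assumed CSV header).
let watched = _GetWatchlist('BlockedDomains')
    | project Domain = tolower(tostring(Domain));
// Option B (Azure Blob Storage + SAS token, as suggested above): read the CSV
// directly from a private blob. The SAS URL is a secret embedded in the query
// text, so use a read-only, short-lived SAS scoped to this one blob.
// Placeholder URL; swap "watched" for "watched_blob" in the join to use it.
let watched_blob = externaldata (Domain: string, Note: string)
    [h@"https://<storageaccount>.blob.core.windows.net/<container>/blocked_domains.csv?<SAS-token>"]
    with (format="csv", ignoreFirstRecord=true)
    | project Domain = tolower(Domain);
// Hunt: outbound connections from any device to a listed domain in the last 7 days.
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where isnotempty(RemoteUrl)
// RemoteUrl may or may not carry a scheme or path; normalise to a bare lower-case host.
| extend Host = tolower(tostring(split(replace_regex(RemoteUrl, @'^https?://', ''), '/')[0]))
| join kind=inner watched on $left.Host == $right.Domain
| project TimeGenerated, DeviceName, Host, RemoteIP, RemotePort,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
```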