Forum Discussion
Kyrouz
Oct 03, 2021Copper Contributor
Can we query the NIST RDS from Azure Sentinel?
In reference to this SANS Blog "Easy Access to the NIST RDS Database" https://isc.sans.edu/diary/rss/27544 How can I fashion that first lookup into an Azure Sentinel query? I'd love to be ab...
m_zorich
Oct 04, 2021Iron Contributor
You could run the list of hashes into a custom table using the Log Analytics ingestion API (https://docs.microsoft.com/en-us/rest/api/loganalytics/create-request) or even via a Logic App (https://docs.microsoft.com/en-us/connectors/azureloganalyticsdatacollector/), if that data changes pretty often I am not sure how practical that will be and you will also pay for the ingestion costs each time you ingest it. If you do decide to go that route once the data is ingested it will be the quickest for querying for sure.
You can query external data in KQL without ingesting it, e.g if you had a csv file sitting in Azure blob storage you can query it directly, see an example here - https://techcommunity.microsoft.com/t5/azure-sentinel/using-external-data-sources-to-enrich-network-logs-using-azure/ba-p/1450345. Not sure how practical that is going to be across multiple and large files though, worth a shot to see how it performs though.
Have you thought about using threat intelligence to hunt for bad hashes / domains / IP addresses etc instead of retaining a list of all known good ones? Another option for you perhaps - https://docs.microsoft.com/en-us/azure/sentinel/understand-threat-intelligence
You can query external data in KQL without ingesting it, e.g if you had a csv file sitting in Azure blob storage you can query it directly, see an example here - https://techcommunity.microsoft.com/t5/azure-sentinel/using-external-data-sources-to-enrich-network-logs-using-azure/ba-p/1450345. Not sure how practical that is going to be across multiple and large files though, worth a shot to see how it performs though.
Have you thought about using threat intelligence to hunt for bad hashes / domains / IP addresses etc instead of retaining a list of all known good ones? Another option for you perhaps - https://docs.microsoft.com/en-us/azure/sentinel/understand-threat-intelligence
- KyrouzOct 05, 2021Copper ContributorThanks - My hope is that Microsoft would incorporate this into the platform somehow so that I don't have to consume Azure space, but I may give it a go (and thanks for the query .csv reference).
I / we spend a lot of time on detecting evil and I wanted to look at a means to "confirm good".