Forum Discussion
Central whitelist on Azure Sentinel
Hi Experts
Is it possible to make a central whitelist (for user/IP) on Azure Sentinel? I heard that this feature will be available soon, but isn't it available as a preview now?
4 Replies
- Ofer_Shezaf
Microsoft
Jafar1970 : you can find a detailed writeup on how to implement white listing, watch lists and enrichment in this blog post: Implementing Lookups in Azure Sentinel
~ Ofer
- Mohamadislam
Copper Contributor
Ofer_Shezaf
Can you please post the link? I can't find it in your reply.
Thanks
- Ofer_Shezaf
Microsoft
Mohamadislam: seems like a platform hiccup. I hope the link is now visible.
- CliveWatson
Former Employee
If by white list you mean a table of info, there are a few options today.
1. External data (CSV files etc...), please see https://cloudblogs.microsoft.com/industry-blog/en-gb/cross-industry/2019/08/13/azure-log-analytics-how-to-read-a-file/
2. Three examples
//
// create dummy data, rather than use a print command
//
let sampleData = datatable(Recommendation:string, Counter:int)
[
    "My text", 1,
    "Some text", 2,
    "Some other text", 3
];
sampleData
| where Recommendation == "Change the max degree of parallelism (MAXDOP) configuration option in Microsoft SQL Server."
https://ms.portal.azure.com#@72f988bf-86f1-41af-91ab-2d7cd011db47/blade/Microsoft_Azure_Monitoring_Logs/DemoLogsBlade/resourceId/%2FDemo/source/LogsBlade.AnalyticsShareLinkToQuery/q/H4sIAAAAAAAAA03PTUvEQAwG4PvA%252FIeXOSlUSteb4ql6U%252FyoN%252FEwtlmdtZOUabq44I93urSLOYW8TyApS2vKEm0ir4RuijEe0Hn1BTx32ElgqMAjgx6v%252FqMnzBvW9KQYfRx6us0cN8ctncFZLXGYlNLVqCnwZ4EXaiVG4kyC8Glcy8QzC6zn1rxZg1zukZ8SxTDSRbVpXAH3cIDSj%252Ba2KhZTC6uM0jzfN2lfucI1EmlRmxVt%252FTetkegXpQVcWvN%252Bbc3dnlit%252BcWQZEetYj0b8%252FD4%252Bb%252F%252FhE%252B5NX8DPnWpNgEAAA%253D%253D/timespan/P1D
//
// create dummy data, and join to a real Table
//
let sampleData = datatable(Computer:string, Recommendation:string, Counter:int)
[
    "OnPremise-12S", "My text", 1,
    "ContosoSQLSrv1", "Some text", 2,
    "fake", "Some other text", 3
];
Event
| project Computer
| join sampleData on Computer
Or, this shows countries that are NOT "GB" or "US"; just remove the "!" if you want the opposite.
let whiteList = dynamic(['GB', 'US']); // setup a whitelist of country codes
SigninLogs
| where TimeGenerated >= ago(1d)
| extend countryOrRegion_ = tostring(LocationDetails.countryOrRegion)
| where isnotempty(countryOrRegion_)
| where countryOrRegion_ !in (whiteList)
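The original question asks for a central whitelist keyed on user and IP rather than on country. The following KQL is an added example, not part of Clive's reply or of any Microsoft sample: it keeps the approved user/IP pairs in one datatable (constructed sample values) and uses a leftanti join so that only sign-ins with no matching pair are returned. It assumes the standard SigninLogs columns UserPrincipalName, IPAddress, ResultType and AppDisplayName.

```kusto
// Added example (not from the original reply): a central whitelist of
// approved user/IP pairs, held in one datatable so it is maintained in
// a single place and can be reused by several queries.
// The entries below are constructed sample values.
let allowList = datatable(UserPrincipalName:string, IPAddress:string)
[
    "alice@contoso.example", "203.0.113.10",
    "bob@contoso.example",   "203.0.113.11"
];
// Successful sign-ins from the last day whose user/IP pair is NOT on the list.
// leftanti keeps left-side rows with no match on the right, so an approved
// user signing in from an unapproved address still surfaces.
SigninLogs
| where TimeGenerated >= ago(1d)
| where ResultType == "0"   // assumption: "0" is the success result code
| join kind=leftanti allowList on UserPrincipalName, IPAddress
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName
```

Because leftanti discards the whitelisted rows entirely, use it for alerting rules; for an audit view that still shows approved sign-ins, switch to kind=leftouter and flag rows where the right-side columns are empty instead of dropping them.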