Forum Discussion

Jafar1970
Copper Contributor
Nov 08, 2019

Central whitelist on Azure Sentinel

Hi Experts


Is it possible to make a central white-list (for user/IP) on Azure Sentinel? I heard that this feature will be available soon, but isn't it available as a preview now?

  • Jafar1970 


    If by white list you mean a table of info, there are a few options today.

    1. External data (CSV files etc...), please see https://cloudblogs.microsoft.com/industry-blog/en-gb/cross-industry/2019/08/13/azure-log-analytics-how-to-read-a-file/

    2. Three examples 

    //
    // create dummy data with datatable(), rather than use a print command
    //
    let sampleData = datatable(Recommendation:string, Counter:int)
    [
        "My text", 1,
        "Some text", 2,
        "Some other text", 3
    ];
    sampleData
    // keep only rows whose Recommendation matches this exact text
    | where Recommendation == "Change the max degree of parallelism (MAXDOP) configuration option in Microsoft SQL Server."


    //
    // create dummy data, and join it to a real table (Event) on the Computer column
    //
    let sampleData = datatable(Computer:string, Recommendation:string, Counter:int)
    [
        "OnPremise-12S", "My text", 1,
        "ContosoSQLSrv1", "Some text", 2,
        "fake", "Some other text", 3
    ];
    Event
    | project Computer
    // inner join: only computers present in both Event and sampleData are returned
    | join sampleData on Computer

    Or, this shows countries that are NOT "GB" or "US"; just remove the "!" if you want the opposite:

    let whiteList = dynamic(['GB', 'US']);  // setup a whitelist of country codes
    SigninLogs
    | where TimeGenerated >= ago(1d)
    | extend countryOrRegion_ = tostring(LocationDetails.countryOrRegion)  // pull the country code out of the dynamic column
    | where isnotempty(countryOrRegion_)
    | where countryOrRegion_ !in (whiteList)  // keep sign-ins from countries outside the whitelist
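The original question asked for a whitelist of users and IPs rather than countries. The query below is an added example, not part of the reply above: it generalises the datatable-plus-join approach to a single (user, IP) allowlist and uses a `leftanti` join so that only sign-ins NOT covered by the allowlist are reported. The user names and IP addresses in the allowlist are constructed placeholders.

```kusto
// Added example: central (user, IP) allowlist for SigninLogs.
// The allowlist rows are constructed placeholders, not real accounts or addresses.
let allowList = datatable(UserPrincipalName:string, IPAddress:string)
[
    "alice@contoso.com",      "203.0.113.10",
    "svc-backup@contoso.com", "198.51.100.7"
];
SigninLogs
| where TimeGenerated >= ago(1d)
| where ResultType == "0"                      // successful sign-ins only (ResultType is a string column)
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName,
          countryOrRegion_ = tostring(LocationDetails.countryOrRegion)
// leftanti: keep SigninLogs rows that have NO matching (user, IP) pair in allowList.
// A user signing in from an IP that is not paired with them in the list is still reported.
| join kind=leftanti allowList on UserPrincipalName, IPAddress
| summarize SignIns = count(),
            IPs = make_set(IPAddress),
            Countries = make_set(countryOrRegion_),
            Apps = make_set(AppDisplayName)
         by UserPrincipalName, bin(TimeGenerated, 1h)
| order by SignIns desc
```

To allowlist users and IPs independently instead of as pairs, keep two separate `dynamic` lists and filter with `UserPrincipalName !in (allowedUsers) and IPAddress !in (allowedIPs)`, in the same style as the country example.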
