Managing lists

how can i manage a list on Sentinel for instance- i have a list of known assets that hold hundreds+ assets and when the search runs i would like to search and check if there is a hit in the list ob...

KQL

CliveWatson
Oct 13, 2019
Hi omrip

I struggling to understand what you are asking here, so sorry to ask again?

Are you trying to read from a file, if so see https://cloudblogs.microsoft.com/industry-blog/en-gb/cross-industry/2019/08/13/azure-log-analytics-how-to-read-a-file/ If you are trying to create a file from Log Analytics, you can't do that, only read from a file is possible using externaldata operator as per my example. You can build lists on the fly / at run time with a data table as shown.

If it's a file you need to upload, perhaps on a schedule, you might need to use Logic Apps to control that workflow/process. Then read from it with extrernaldata and parse the JSON (if it's JSON )

CliveWatson

Former Employee

Feb 03, 2020

MiteshAgrawal

There are more guidance articles https://techcommunity.microsoft.com/t5/azure-sentinel/implementing-lookups-in-azure-sentinel-part-1-reference-files/ba-p/1091306 and more to follow. Also have you considered a custom log?

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-custom-logs

or reading data from a file using a Logic App?

MiteshAgrawal

Brass Contributor

Feb 03, 2020

Hi Clive,

Thanks for the links. The first one is related to BLOB storage which we aren't using as of now.

I found 2nd one interesting and will definitely try creating a Custom log source to read files.

Regards,
Mitesh Agrawal

Forum Discussion

Managing lists

Resources