Forum Discussion
Solved
TI map in several tables
Hello Tech Community,
We are trying to map TI indicators in several tables in Sentinel.
It is clear how to take 1 type of indicator (IP, for example) and look for it in 1 table (firewalls, for example).
But what if we want to build only 1 KQL for it and we want to look for this indicator in firewalls, switches, mail relay, etc.
We've tried to play with union/joins, but without success. The only message we received was about exessive amount of resources required to perform the query 😄
Has anyone here built something like this? What are the pros and cons of such a query?
- Is this for a Rule or just a query - Rules need to be performant and the "excessive resource warning" is worth taking into consideration. You can improve this by identifying each Column in each table to aid the query (but that's a lot of work and hard to maintain). Its a reason Microsoft Rules are per Table generally
https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence/Analytic%20Rules
Ad-hoc queries are less of an issue.
1 Reply
- Is this for a Rule or just a query - Rules need to be performant and the "excessive resource warning" is worth taking into consideration. You can improve this by identifying each Column in each table to aid the query (but that's a lot of work and hard to maintain). Its a reason Microsoft Rules are per Table generally
https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence/Analytic%20Rules
Ad-hoc queries are less of an issue.