Forum Discussion
mikhailf
Apr 27, 2023, Iron Contributor
TI map in several tables
Hello Tech Community, We are trying to map TI indicators in several tables in Sentinel. It is clear how to take 1 type of indicator (IP, for example) and look for it in 1 table (firewalls, for...
Clive_Watson
Apr 27, 2023, Bronze Contributor
Is this for a Rule or just a query? Rules need to be performant, and the "excessive resource warning" is worth taking into consideration. You can improve this by identifying each column in each table to aid the query (but that's a lot of work and hard to maintain). It's a reason Microsoft Rules are generally per table:
https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence/Analytic%20Rules
Ad-hoc queries are less of an issue.
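An added example (not from either poster, and not code from the linked repository) of the per-table pattern the reply recommends: the TI table is prefiltered once, and the join names one log table and one IP column explicitly instead of searching every column. Table and column names are standard Sentinel ones (ThreatIntelligenceIndicator, CommonSecurityLog); the lookback values are assumptions.

```kql
// Added example: one TI-match rule scoped to one table and one column,
// in the spirit of the per-table rules in the Azure-Sentinel repository.
let dt_lookBack  = 1h;    // assumed: how far back to scan the log table
let ioc_lookBack = 14d;   // assumed: how far back to load indicators
// Prefilter the TI table once: latest copy of each indicator, still active,
// not expired, and carrying at least one IP value.
let TI_IPs = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true
    // first non-empty IP field becomes the join key
    | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP)
    | where isnotempty(TI_ipEntity)
    | project TI_ipEntity, IndicatorId, Description, ConfidenceScore, ThreatType,
              LatestIndicatorTime, ExpirationDateTime;
// Join against exactly one table and one column, so the rule reads only the
// rows and columns it needs (the "identify each column" advice above).
TI_IPs
| join kind=innerunique (
    CommonSecurityLog
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(DestinationIP)
    | project CSL_TimeGenerated = TimeGenerated, DeviceVendor, DeviceProduct,
              Activity, SourceIP, DestinationIP
    ) on $left.TI_ipEntity == $right.DestinationIP
// drop hits that occurred after the indicator expired
| where CSL_TimeGenerated < ExpirationDateTime
| project CSL_TimeGenerated, TI_ipEntity, DeviceVendor, DeviceProduct, Activity,
          SourceIP, DestinationIP, Description, ConfidenceScore, ThreatType, IndicatorId
```

To cover a second table, add a separate rule (or a second join) naming that table's own IP column, rather than one rule that scans all columns of all tables; the TI prefilter can be reused unchanged.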