Forum Discussion
TheHoff70
Mar 24, 2025
Brass Contributor
Tips on how to process firewall URL/DNS alerts
Greetings, I've been tossing this around ever since I started using Sentinel, or rather Defender XDR, a few years ago: how to process events from our firewalls, specifically all the URL and DNS bl...
AndrewBlumhardt
Microsoft
Mar 31, 2025
You could consider just using these logs for investigations and reporting. MDE monitors network activity for each device and MDCA adds web application activity. Both have good out-of-the-box alert rules. Your solution could be a duplicate.
Make sure your alert rule can tie this back to device or user entities. This may require a more complex query with a join. If your Sentinel rules do not have entity mapping, XDR cannot perform proper correlation.
I would revise this to be a daily summarization of key entity and URL. I would do something like summarize arg_max(TimeGenerated, *) by DeviceId, URL
Then have a daily alert for the entity that has an event for each entity. This can be performed using event grouping.
Your issue is likely a combination of too frequent reporting and entity mapping.
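The daily roll-up described in the reply above, written out as an added example (this is not AndrewBlumhardt's query, and nothing in the thread shows the firewall table). It assumes the firewall forwards CEF into the standard CommonSecurityLog table, that the rule is scheduled once a day with a one-day lookback, and that the vendor's action strings for a block look like the ones listed; since CommonSecurityLog has no DeviceId column, SourceIP and SourceUserName are used as the entity keys instead.

```kql
// Added example: one row per (source, user, indicator) per day, keeping the most
// recent event's full detail via arg_max plus a hit count. Assumes CEF firewall
// logs in CommonSecurityLog; the DeviceAction values below are illustrative and
// must be adjusted to what your firewall actually emits.
let lookback = 1d;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceAction in~ ("block", "blocked", "deny", "drop")
// URL filtering events carry RequestURL; DNS sinkhole/block events usually carry
// only the destination host name, so collapse both into one Indicator column.
| extend Indicator = coalesce(RequestURL, DestinationHostName)
| where isnotempty(Indicator)
| summarize arg_max(TimeGenerated, *),
            EventCount = count(),
            FirstSeen  = min(TimeGenerated)
    by SourceIP, SourceUserName, Indicator
| project TimeGenerated, FirstSeen, EventCount,
          SourceIP, SourceUserName, Indicator,
          DeviceVendor, DeviceProduct, DeviceAction, Activity
```

In the analytics rule, map the IP entity to SourceIP, the Account entity to SourceUserName and the URL entity to Indicator, and set alert grouping to group by those entities; without the entity mapping the daily alert cannot be correlated by XDR, which is the point the reply makes.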
TheHoff70
Apr 01, 2025
Brass Contributor
After a lot of thought and some experimenting with different KQL queries, I have gone down the path suggested by "ITProfessor": an analytics KQL that does tough filtering based on occurrence and threat intelligence presence and creates an incident after that.
Anything else is handled by a workbook.
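An added example of the occurrence-plus-threat-intelligence filter this post describes; it is not TheHoff70's actual rule, which the thread does not show. It assumes CEF firewall logs in CommonSecurityLog, the classic ThreatIntelligenceIndicator table for TI, and illustrative thresholds (five hits per source and indicator in a day, indicators ingested in the last 14 days) that you would tune to your own volume.

```kql
// Added example: raise an incident only when a blocked URL/DNS indicator repeats
// above a threshold for the same source AND the host matches an active, unexpired
// TI indicator. Table names are the standard Sentinel ones; thresholds are assumed.
let lookback = 1d;
let minHits  = 5;
// Latest version of each active indicator, keyed on its host name so that both
// URL indicators and domain indicators can be matched against firewall events.
let ti = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(14d)
    | where Active == true and ExpirationDateTime > now()
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | extend TiKey = tolower(coalesce(DomainName, tostring(parse_url(Url).Host)))
    | where isnotempty(TiKey)
    | project TiKey, ConfidenceScore, ThreatType, Description;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceAction in~ ("block", "blocked", "deny", "drop")
| extend Indicator = tolower(coalesce(RequestURL, DestinationHostName))
| where isnotempty(Indicator)
// parse_url yields an empty Host for a bare DNS name, so fall back to the name itself
| extend Host = tostring(parse_url(Indicator).Host)
| extend Host = iff(isempty(Host), Indicator, Host)
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
    by SourceIP, SourceUserName, Indicator, Host
| where Hits >= minHits
| join kind=inner ti on $left.Host == $right.TiKey
| project LastSeen, FirstSeen, Hits,
          SourceIP, SourceUserName, Indicator,
          ConfidenceScore, ThreatType, Description
```

Everything that fails either test (a one-off block, or a repeated block with no TI match) never becomes an incident and is left to the workbook, which is the split the post describes. The TI match is on host rather than full URL because firewalls and feeds rarely agree on scheme, path and query string; if your feed carries exact URLs you want to honour, add a second join on the full Indicator.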