Can we query the NIST RDS from Azure Sentinel?


In reference to this SANS Blog "Easy Access to the NIST RDS Database"

https://isc.sans.edu/diary/rss/27544

How can I fashion that first lookup into an Azure Sentinel query?  I'd love to be able to leverage NIST's list of known good applications during investigations (perhaps as enrichment in a workbook), and my first thought of "download the entire RDS into Azure blobs" just doesn't seem as practical as this.

You could run the list of hashes into a custom table using the Log Analytics ingestion API (https://docs.microsoft.com/en-us/rest/api/loganalytics/create-request) or even via a Logic App (https://docs.microsoft.com/en-us/connectors/azureloganalyticsdatacollector/). If that data changes pretty often, I am not sure how practical that will be, and you will also pay the ingestion costs each time you ingest it. If you do decide to go that route, once the data is ingested it will be the quickest for querying, for sure.

You can query external data in KQL without ingesting it, e.g. if you had a CSV file sitting in Azure blob storage you can query it directly; see an example here - https://techcommunity.microsoft.com/t5/azure-sentinel/using-external-data-sources-to-enrich-network-.... Not sure how practical that is going to be across multiple and large files though; worth a shot to see how it performs.

Have you thought about using threat intelligence to hunt for bad hashes / domains / IP addresses etc. instead of retaining a list of all known good ones? Another option for you perhaps - https://docs.microsoft.com/en-us/azure/sentinel/understand-threat-intelligence
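As an added example (not code from the thread), here is how the `externaldata()` route described above looks in KQL when the RDS export is treated as a known-good set and used to filter file events down to hashes the NIST list does not catalogue. It assumes an RDS-style CSV with the NSRLFile.txt column order ("SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode") already uploaded to a blob container you control, a placeholder SAS URL, and that the Microsoft 365 Defender connector is populating `DeviceFileEvents`; given the reply's caveat about very large files, the CSV should be a trimmed subset rather than the whole RDS.

```kql
// Added example: flag file events whose SHA-1 is NOT in an RDS-style known-good list.
// The storage account, container and SAS token below are placeholders, not real values.
// Column order assumed to follow NSRLFile.txt; the header row is skipped.
let KnownGood = externaldata(
        SHA1:string, MD5:string, CRC32:string, FileName:string,
        FileSize:long, ProductCode:string, OpSystemCode:string, SpecialCode:string)
    [@"https://<storageaccount>.blob.core.windows.net/<container>/NSRLFile.txt?<SAS-token>"]
    with (format="csv", ignoreFirstRecord=true)
    // Normalise case once so the join below is exact.
    | project SHA1 = toupper(SHA1), KnownGoodName = FileName;
// If you take the ingestion route instead, replace the let-statement above with the
// custom table name, e.g.  let KnownGood = NsrlKnownGood_CL | project SHA1 = toupper(SHA1_s), KnownGoodName = FileName_s;
DeviceFileEvents
| where TimeGenerated > ago(1d)
| where isnotempty(SHA1)
| extend SHA1 = toupper(SHA1)
// leftanti keeps only events with no match in the known-good set:
// these are "not catalogued by NIST", which is a triage hint, not a verdict.
| join kind=leftanti KnownGood on SHA1
| summarize Events = count(),
            Devices = dcount(DeviceName),
            SamplePath = any(FolderPath)
          by SHA1, FileName
| order by Devices desc, Events desc
```

Swapping `kind=leftanti` for `kind=leftouter` turns the same query into the enrichment variant for a workbook: every event is kept and `KnownGoodName` is empty where the hash is unknown to the RDS.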
Thanks - my hope is that Microsoft would incorporate this into the platform somehow so that I don't have to consume Azure space, but I may give it a go (and thanks for the query .csv reference).

I / we spend a lot of time on detecting evil and I wanted to look at a means to "confirm good".