Microsoft Tech Community

Central whitelist on Azure Sentinel


Hi Experts


Is it possible to make a central white-list (for user/IP) on Azure Sentinel? I heard that this feature will be available soon, but isn't it available as a preview now?

4 Replies

@Jafar1970 


If by white list you mean a table of info, there are a few options today. 


1. External data (CSV files etc...), please see https://cloudblogs.microsoft.com/industry-blog/en-gb/cross-industry/2019/08/13/azure-log-analytics-h...

2. Three examples 

//
// create dummy data, rather than use a print command
//
let sampleData = datatable(Recommendation:string, Counter:int)
[
    "My text", 1,
    "Some text",2,
    "Some other text",3
];
sampleData
| where Recommendation == "Change the max degree of parallelism (MAXDOP) configuration option in Microsoft SQL Server." 


Go to Log Analytics and Run Query


//
// create dummy data, and join it to a real table
//
let sampleData = datatable(Computer:string, Recommendation:string, Counter:int)
[
    "OnPremise-12S", "My text", 1,
    "ContosoSQLSrv1","Some text",2,
    "fake","Some other text",3
];
Event
| project Computer 
| join sampleData on Computer


or, this shows countries that are NOT "GB" or "US" - just remove the "!" if you want the opposite

let whiteList = dynamic (['GB', 'US']);  // setup a whitelist of country codes
SigninLogs
| where TimeGenerated >= ago(1d)
| extend countryOrRegion_ = tostring(LocationDetails.countryOrRegion) 
| where isnotempty(countryOrRegion_)
| where countryOrRegion_ !in (whiteList)
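The three queries above either join a lookup table to real data or exclude values with `!in`. A reader asking for a user/IP allow-list usually wants the combination: treat a sign-in as "known" only when the user appears from an address registered for that user, and surface everything else. The query below is an added example and not part of the reply above or any Microsoft sample; the `allowList` rows are constructed values, and the column names `UserPrincipalName`, `IPAddress` and `ResultType` are the standard SigninLogs columns (`ResultType` is "0" for a successful sign-in). Replacing the datatable with an `externaldata` call against a CSV, as the first option in the reply suggests, is a one-line change.

```kql
//
// Added example: pair-based allow-list (user + IP), excluded with a leftanti join.
// Rows that match an allow-listed (user, IP) pair are dropped; everything else
// is summarized per user so unknown source addresses stand out.
//
let allowList = datatable(UserPrincipalName:string, IPAddress:string)
[
    // constructed sample entries, not real users or addresses
    "alice@contoso.com", "203.0.113.10",
    "bob@contoso.com",   "198.51.100.25"
];
SigninLogs
| where TimeGenerated >= ago(1d)
| where isnotempty(UserPrincipalName) and isnotempty(IPAddress)
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName
// leftanti keeps only left-side rows with NO match on both keys,
// i.e. sign-ins that are not from an allow-listed user/IP pair
| join kind=leftanti allowList on UserPrincipalName, IPAddress
| summarize
    SignIns        = count(),
    FailedSignIns  = countif(ResultType != "0"),
    SourceIPs      = make_set(IPAddress),
    Apps           = make_set(AppDisplayName)
    by UserPrincipalName
| order by FailedSignIns desc, SignIns desc
```

Keying the allow-list on the pair rather than on user or IP alone matters for detection: an allow-listed user signing in from an address you have never registered for them is exactly the case a per-column `!in` filter would hide. Use `kind=inner` instead of `leftanti` if you want the opposite view (only the known pairs), mirroring the "remove the !" note in the reply.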

@Jafar1970 : you can find a detailed writeup on how to implement white listing, watch lists and enrichment in this blog post: Implementing Lookups in Azure Sentinel


~ Ofer

@Ofer_Shezaf 
Can you please post the link? I can't find it in your reply.
Thanks

@Mohamadislam : seems like a platform hiccup. I hope the link is now visible.