External enrichment data

Copper Contributor

Is there a plan to include the ability to easily bring external enrichment data into Sentinel queries? Things like AAD/AD user attributes, asset inventory information, GeoIP information, etc.? Understanding there is the externaldata operator, but there are limitations for that and the secret for access is stored in clear text in the rule. The data could also be ingested into a custom log table, but since it is not time series data and there is limited ability to delete records, there would need to be frequent ingestion of all data, which would drive up cost since data retention is set at the workspace level.

3 Replies

@mikehanson You can do all of that using Azure Notebooks which uses languages like Python to gather information both external and internal to Azure Sentinel.


BTW, you can set retention at a table level now: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-cost-storage#change-the-data-re...

Thanks @Gary Bushey, figured it could be done via the notebooks but was also looking for the ability to surface incidents based on this data too.


Wasn't able to find this retention at the table level, will need to look into that further.

@mikehanson we're looking into the same issue. To be able to look up the groups a user belongs to would be infinitely valuable. It would be ideal if we could have an operator to query AD, or be able to query directly via the externaldata operator.


For the moment we're looking to schedule exports of AD either to blob store, or using a logic app to a log analytics table. Will hopefully be able to write up that process once complete.
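As an added illustration of the externaldata approach discussed in the question and the AD-export-to-blob idea in the last reply (this is example KQL, not from any poster): an exported AD user list in blob storage is used to enrich SigninLogs with department and group membership. The storage URL, SAS token placeholder, CSV column names and the group name `Tier0-Admins` are all constructed assumptions; the `h@` prefix only obfuscates the connection string in query telemetry, it does not remove the clear-text secret from the saved rule that the question points out.

```kql
// Constructed AD export: ad-users.csv with header row
//   UserPrincipalName,Department,Groups
// Placeholders: <storage-account>, <container>, <SAS-TOKEN>
let UserAttrs = externaldata (UserPrincipalName:string, Department:string, Groups:string)
[
    h@"https://<storage-account>.blob.core.windows.net/<container>/ad-users.csv?<SAS-TOKEN>"
]
with (format="csv", ignoreFirstRecord=true);
// Successful sign-ins in the last day, enriched with the exported attributes
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| lookup kind=leftouter UserAttrs on UserPrincipalName
// Surface only accounts that the export places in a privileged group (assumed group name)
| where Groups has "Tier0-Admins"
| project TimeGenerated, UserPrincipalName, Department, Groups, IPAddress, AppDisplayName
```

Because externaldata is re-read on every run, the export only needs to be refreshed on the schedule the AD snapshot changes, rather than ingested as a time-series table.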