cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Using Lookups in analytics rules

Nexxic
Copper Contributor

‎Sep 01 2020 02:23 AM

‎Sep 01 2020 02:23 AM

Using Lookups in analytics rules

Hi,

I'm implementing Azure Sentinel for a customer and I'm looking into how we can configure rules to either whitelist or trigger specifically on items from a lookup table. From what I've understood, this is most easily done via .csv's or files stored in azure blob. Is this the recommended way of implementing lookups in Analytics rules? To use these tables, I need to get the Shared Access Signature to reference to it using ExternalLookup, but this shared access signature is time limited, and I guess anyone with the link would be able to access the table. 

 

1. Is using tables in Blobs the recommended way of implementing lookups for analytics rules?

2. Is there a more secure way of making sure that only Sentinel can access the blob tables without creating a link which may be accessed by a third party?

1,127 Views
0 Likes
1 Reply
Reply
1 Reply
best response confirmed by Nexxic (Copper Contributor)
Gary Bushey

‎Sep 01 2020 04:35 AM

‎Sep 01 2020 04:35 AM

Solution

Re: Using Lookups in analytics rules

@Nexxic 

1) Yes, for now.

2) The SAS key is very secure.  If you lock down Azure Sentinel so that only those people who need to get in can get in then you should be fine.   I generally put my files for Azure Sentinel in their own container so even if someone gets the key the worse case is they see only those files.   You can even go further and create a new container per file to make it even more secure.

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Nexxic (Copper Contributor)
Gary Bushey

‎Sep 01 2020 04:35 AM

‎Sep 01 2020 04:35 AM

Solution

Re: Using Lookups in analytics rules

@Nexxic 

1) Yes, for now.

2) The SAS key is very secure.  If you lock down Azure Sentinel so that only those people who need to get in can get in then you should be fine.   I generally put my files for Azure Sentinel in their own container so even if someone gets the key the worse case is they see only those files.   You can even go further and create a new container per file to make it even more secure.

View solution in original post

0 Likes
Reply