SOLVED

Using Lookups in analytics rules


Hi,

I'm implementing Azure Sentinel for a customer and I'm looking into how we can configure rules to either whitelist or trigger specifically on items from a lookup table. From what I've understood, this is most easily done via .csv files or files stored in Azure Blob. Is this the recommended way of implementing lookups in Analytics rules? To use these tables, I need to get the Shared Access Signature to reference it using ExternalLookup, but this shared access signature is time limited, and I guess anyone with the link would be able to access the table.


1. Is using tables in Blobs the recommended way of implementing lookups for analytics rules?

2. Is there a more secure way of making sure that only Sentinel can access the blob tables without creating a link which may be accessed by a third party?

1 Reply
Best Response confirmed by Nexxic (New Contributor)
Solution

@Nexxic 

1) Yes, for now.

2) The SAS key is very secure. If you lock down Azure Sentinel so that only those people who need to get in can get in, then you should be fine. I generally put my files for Azure Sentinel in their own container, so even if someone gets the key the worst case is they see only those files. You can even go further and create a new container per file to make it even more secure.
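Added example (not from either post in the thread): what the blob-backed lookup looks like inside a scheduled analytics rule, using KQL's `externaldata` operator to read a CSV from a container dedicated to Sentinel, as the reply suggests. The storage account name, container name and SAS token are placeholders, the `SigninLogs` table is the standard Azure AD sign-in table in Sentinel, and the CSV contents described in the comments are constructed for illustration. The two query bodies are two separate rules that share the same `let` pattern; paste the `let` plus one body into a rule.

```kql
// Lookup file kept in its own container ("sentinel-lookups") and read with a
// SAS that grants read only. <storageaccount> and <sas-token> are placeholders.
// Constructed allowlist.csv layout (header row, then one entry per line):
//   IPAddress,Owner
//   203.0.113.10,Corporate VPN egress
//   198.51.100.22,Vulnerability scanner
let Allowlist = externaldata(IPAddress:string, Owner:string)
    [@"https://<storageaccount>.blob.core.windows.net/sentinel-lookups/allowlist.csv?<sas-token>"]
    with (format="csv", ignoreFirstRecord=true);
//
// Rule 1: suppress known-good sources. Failed sign-ins from allowlisted IPs are
// dropped before the threshold is applied, so scanners and VPN egress do not
// generate incidents.
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"                       // non-zero ResultType = failed sign-in
| where IPAddress !in ((Allowlist | project IPAddress))
| summarize Failures = count(), Accounts = make_set(UserPrincipalName) by IPAddress
| where Failures > 20
//
// Rule 2 (separate rule): fire only when a sign-in comes from an entry in a
// watch file. Constructed watch.csv layout:
//   IPAddress,Reason
//   192.0.2.77,Known phishing infrastructure
let Watch = externaldata(IPAddress:string, Reason:string)
    [@"https://<storageaccount>.blob.core.windows.net/sentinel-lookups/watch.csv?<sas-token>"]
    with (format="csv", ignoreFirstRecord=true);
SigninLogs
| where TimeGenerated > ago(1h)
| join kind=inner (Watch) on IPAddress         // inner join keeps only watched sources
| project TimeGenerated, UserPrincipalName, IPAddress, Reason, ResultType
```

When you issue the SAS, limit it to what the rule needs: read permission only (`sp=r`), scoped to the single blob or the lookup container rather than the whole account (`sr=b` or `sr=c`), HTTPS only (`spr=https`), and an expiry (`se=`) you track. Once `se` passes, the `externaldata` call fails and the rule stops returning rows, so schedule rotation before that date. Keeping the token read-only also means that whoever obtains it can read the lookup but cannot alter what your rules allowlist or trigger on.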