Defender for Endpoint Github/Gitlab Connection for KQL Queries

Contributor

Hello All, 

 

We have an internal gitlab that we want to use to share CSV files for ease of input into Microsoft Defender for Endpoint for KQL queries and detections.  

 

The CSV’s are used in Microsoft Defender for Endpoint KQL queries like this…

((externaldata (URL:string,values: dynamic) [@"https://gist.githubusercontent.com/superduckto

or this

externaldata(IPAddress:string)[@"https://raw.githubusercontent.com/Azure/A

Our first option for storing the queries is an internal gitlab. 

Being new to MDE, I wasn't sure how we could do it.  Would we connect gitlab to Defender like this document states for github and Azure?   

Connect GitHub and Azure | Microsoft Docs

Thus, allowing Defender to run the KQL queries and grab the 'externaldata(CSVs)' from our gitlab? 

 

Thanks!! 

 

 

5 Replies

Using externaldata will (if my understanding is correct) require a URL that is publicly available, or a URL that includes authentication, such as a SAS token when using Azure blob storage.

I honestly have no experience using github, but I do not think it is possible to allow MDE as a service to access internal github resources since the connection will be done over public internet.

Hey Jonhed! It's an internal gitlab(our network), the end goal is just to have some lists -
1) Our public IP addresses
2) Objects in our sensitive groups etc. for checking during queries and alerts.

That we can use to enhance some of the KQL queries and signatures we use, but, I'd like to have to a way to reasonably secure them in our network. I'm not seeing an easy way to connect them. I don't want to set up an internal pastebin but that may be the only option.

Yea, I understand why you want to keep it private.

Maybe using an azure blob storage with SAS tokens would be more secure than the pastebin, but not really sure.

If you were using Microsoft Sentinel you could easily do this by importing those CSV files as watchlists, which could be used in queries, but MDE does not seem to have any convenient way to do this.

Oh, the Microsoft Sentinel Watchlist to MDE idea actually sounds perfect!!! I found this - https://docs.microsoft.com/en-us/azure/sentinel/watchlists

And you can query Sentinel Watchlist from Defender for Endpoint?

Sorry, I may have been a bit vague.

The watchlists can only be used within Microsoft Sentinel, and not from within MDE.
You would have to import the Device logs (DeviceInfo, DeviceNetworkEvents etc etc) into Microsoft Sentinel and then run the hunting queries on the Sentinel side.

Importing the device logs can be done very easily with the Sentinel data connector.
https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?tabs=MDE#connect-to-m...

You might be doing some pivoting between the Sentinel console and Microsoft 365 Defender console in some cases, but anything with queries will run better in Microsoft Sentinel.