cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Defender for Endpoint Github/Gitlab Connection for KQL Queries

mathurin68
Brass Contributor

‎Dec 17 2021 04:00 PM

‎Dec 17 2021 04:00 PM

Defender for Endpoint Github/Gitlab Connection for KQL Queries

Hello All, 

 

We have an internal gitlab that we want to use to share CSV files for ease of input into Microsoft Defender for Endpoint for KQL queries and detections.  

 

The CSV’s are used in Microsoft Defender for Endpoint KQL queries like this…

((externaldata (URL:string,values: dynamic) [@"https://gist.githubusercontent.com/superduckto

or this

externaldata(IPAddress:string)[@"https://raw.githubusercontent.com/Azure/A

Our first option for storing the queries is an internal gitlab. 

Being new to MDE, I wasn't sure how we could do it.  Would we connect gitlab to Defender like this document states for github and Azure?   

Connect GitHub and Azure | Microsoft Docs

Thus, allowing Defender to run the KQL queries and grab the 'externaldata(CSVs)' from our gitlab? 

 

Thanks!! 

 

 

2,742 Views
0 Likes
5 Replies
Reply
5 Replies
Jonhed

‎Dec 21 2021 07:16 AM - edited ‎Dec 21 2021 07:18 AM

‎Dec 21 2021 07:16 AM - edited ‎Dec 21 2021 07:18 AM

Re: Defender for Endpoint Github/Gitlab Connection for KQL Queries

Using externaldata will (if my understanding is correct) require a URL that is publicly available, or a URL that includes authentication, such as a SAS token when using Azure blob storage.

I honestly have no experience using github, but I do not think it is possible to allow MDE as a service to access internal github resources since the connection will be done over public internet.

0 Likes
Reply
mathurin68

‎Dec 21 2021 08:19 AM

‎Dec 21 2021 08:19 AM

Re: Defender for Endpoint Github/Gitlab Connection for KQL Queries

Hey Jonhed! It's an internal gitlab(our network), the end goal is just to have some lists -
1) Our public IP addresses
2) Objects in our sensitive groups etc. for checking during queries and alerts.

That we can use to enhance some of the KQL queries and signatures we use, but, I'd like to have to a way to reasonably secure them in our network. I'm not seeing an easy way to connect them. I don't want to set up an internal pastebin but that may be the only option.
0 Likes
Reply
Jonhed

‎Dec 21 2021 08:43 AM - edited ‎Dec 21 2021 09:32 AM

‎Dec 21 2021 08:43 AM - edited ‎Dec 21 2021 09:32 AM

Re: Defender for Endpoint Github/Gitlab Connection for KQL Queries

Yea, I understand why you want to keep it private.

Maybe using an azure blob storage with SAS tokens would be more secure than the pastebin, but not really sure.

If you were using Microsoft Sentinel you could easily do this by importing those CSV files as watchlists, which could be used in queries, but MDE does not seem to have any convenient way to do this.

0 Likes
Reply
mathurin68

‎Dec 22 2021 06:35 AM

‎Dec 22 2021 06:35 AM

Re: Defender for Endpoint Github/Gitlab Connection for KQL Queries

Oh, the Microsoft Sentinel Watchlist to MDE idea actually sounds perfect!!! I found this - https://docs.microsoft.com/en-us/azure/sentinel/watchlists

And you can query Sentinel Watchlist from Defender for Endpoint?
0 Likes
Reply
Jonhed

‎Dec 22 2021 05:05 PM - edited ‎Dec 22 2021 05:06 PM

‎Dec 22 2021 05:05 PM - edited ‎Dec 22 2021 05:06 PM

Re: Defender for Endpoint Github/Gitlab Connection for KQL Queries

Sorry, I may have been a bit vague.

The watchlists can only be used within Microsoft Sentinel, and not from within MDE.
You would have to import the Device logs (DeviceInfo, DeviceNetworkEvents etc etc) into Microsoft Sentinel and then run the hunting queries on the Sentinel side.

Importing the device logs can be done very easily with the Sentinel data connector.
https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?tabs=MDE#connect-to-m...

You might be doing some pivoting between the Sentinel console and Microsoft 365 Defender console in some cases, but anything with queries will run better in Microsoft Sentinel.

0 Likes
Reply