Dec 17 2021 04:00 PM
Dec 17 2021 04:00 PM
We have an internal gitlab that we want to use to share CSV files for ease of input into Microsoft Defender for Endpoint for KQL queries and detections.
The CSV’s are used in Microsoft Defender for Endpoint KQL queries like this…
((externaldata (URL:string,values: dynamic) [@"https://gist.githubusercontent.com/superduckto
Our first option for storing the queries is an internal gitlab.
Being new to MDE, I wasn't sure how we could do it. Would we connect gitlab to Defender like this document states for github and Azure?
Thus, allowing Defender to run the KQL queries and grab the 'externaldata(CSVs)' from our gitlab?
Dec 21 2021 07:16 AM - edited Dec 21 2021 07:18 AM
Using externaldata will (if my understanding is correct) require a URL that is publicly available, or a URL that includes authentication, such as a SAS token when using Azure blob storage.
I honestly have no experience using github, but I do not think it is possible to allow MDE as a service to access internal github resources since the connection will be done over public internet.
Dec 21 2021 08:19 AM
Dec 21 2021 08:43 AM - edited Dec 21 2021 09:32 AM
Yea, I understand why you want to keep it private.
Maybe using an azure blob storage with SAS tokens would be more secure than the pastebin, but not really sure.
If you were using Microsoft Sentinel you could easily do this by importing those CSV files as watchlists, which could be used in queries, but MDE does not seem to have any convenient way to do this.
Dec 22 2021 06:35 AM
Dec 22 2021 05:05 PM - edited Dec 22 2021 05:06 PM
Sorry, I may have been a bit vague.
The watchlists can only be used within Microsoft Sentinel, and not from within MDE.
You would have to import the Device logs (DeviceInfo, DeviceNetworkEvents etc etc) into Microsoft Sentinel and then run the hunting queries on the Sentinel side.
Importing the device logs can be done very easily with the Sentinel data connector.
You might be doing some pivoting between the Sentinel console and Microsoft 365 Defender console in some cases, but anything with queries will run better in Microsoft Sentinel.