cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

External data in MDE advanced hunting

jbmartin6
Iron Contributor

‎Jul 08 2022 10:30 AM

‎Jul 08 2022 10:30 AM

External data in MDE advanced hunting

is it possible to reference external data, such as in Azure storage or data service, inside an MDE advanced hunting query?

2,077 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by jbmartin6 (Iron Contributor)
dougsbaker

‎Jul 08 2022 10:52 AM

‎Jul 08 2022 10:52 AM

Solution

Re: External data in MDE advanced hunting

Yes that is an option. you will want to use the External Data operator.
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/externaldata-operator?pivots=azured...

Here is an example of how it will work.
let AsrDescriptionTable = externaldata (RuleDescription:string, RuleGuid:string)
[
@"http://dougsbaker.com/wp-content/uploads/2021/02/ASR-KQL.txt"
]
with(format="csv");
DeviceEvents
| where ActionType startswith "Asr" and InitiatingProcessFileName endswith ".exe"
| extend RuleGuid = tolower(tostring(parsejson(AdditionalFields).RuleId))
| extend AuditMode = parse_json(AdditionalFields).IsAudit
| join kind = leftouter (AsrDescriptionTable | project RuleGuid = tolower(RuleGuid), RuleDescription) on RuleGuid
| summarize count() by tostring(AuditMode), RuleDescription, ActionType
0 Likes
Reply
jbmartin6

‎Jul 11 2022 08:33 AM

‎Jul 11 2022 08:33 AM

Re: External data in MDE advanced hunting

Thanks! I thought I had tried this before to no avail, but it works so far. Now I need to figure out how to use this to reference data in our Azure storage hub. Baby steps.
1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by jbmartin6 (Iron Contributor)
dougsbaker

‎Jul 08 2022 10:52 AM

‎Jul 08 2022 10:52 AM

Solution

Re: External data in MDE advanced hunting

Yes that is an option. you will want to use the External Data operator.
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/externaldata-operator?pivots=azured...

Here is an example of how it will work.
let AsrDescriptionTable = externaldata (RuleDescription:string, RuleGuid:string)
[
@"http://dougsbaker.com/wp-content/uploads/2021/02/ASR-KQL.txt"
]
with(format="csv");
DeviceEvents
| where ActionType startswith "Asr" and InitiatingProcessFileName endswith ".exe"
| extend RuleGuid = tolower(tostring(parsejson(AdditionalFields).RuleId))
| extend AuditMode = parse_json(AdditionalFields).IsAudit
| join kind = leftouter (AsrDescriptionTable | project RuleGuid = tolower(RuleGuid), RuleDescription) on RuleGuid
| summarize count() by tostring(AuditMode), RuleDescription, ActionType

View solution in original post

0 Likes
Reply