External data in MDE advanced hunting

Iron Contributor

is it possible to reference external data, such as in Azure storage or data service, inside an MDE advanced hunting query?

2 Replies
best response confirmed by jbmartin6 (Iron Contributor)
Yes that is an option. you will want to use the External Data operator.

Here is an example of how it will work.
let AsrDescriptionTable = externaldata (RuleDescription:string, RuleGuid:string)
| where ActionType startswith "Asr" and InitiatingProcessFileName endswith ".exe"
| extend RuleGuid = tolower(tostring(parsejson(AdditionalFields).RuleId))
| extend AuditMode = parse_json(AdditionalFields).IsAudit
| join kind = leftouter (AsrDescriptionTable | project RuleGuid = tolower(RuleGuid), RuleDescription) on RuleGuid
| summarize count() by tostring(AuditMode), RuleDescription, ActionType
Thanks! I thought I had tried this before to no avail, but it works so far. Now I need to figure out how to use this to reference data in our Azure storage hub. Baby steps.