Forum Discussion
External file support in KQL - Azure Sentinel
- Jun 02, 2020
Sanket26 Yes. See the following for an example:
There you go Sanket26
externaldata (Everything:string) [@"https://sslbl.abuse.ch/blacklist/ja3_fingerprints.csv"] with (format="txt",ignoreFirstRecord=true) // reading each line as a string
| where Everything !startswith "#" //removing the lines that started with '#'
| project Everything=parse_csv(Everything) // parsing the string as csv
| project ja3_md5=Everything[0],Firstseen=Everything[1],Lastseen=Everything[2], Listingreason=Everything[3] //splitting the csv into columns
I've added some comments for you to know what I was doing.
Let me know if this was helpful!
Thanks a lot. It really helped. The issue is resolved. I am now able to fetch data directly from the HTTP page. The part I was missing was that I didn't perform the parsing on the CSV, and as a result I wasn't getting the schema as expected.
- Rod_Trent, Jun 03, 2020, Microsoft
Sanket26 Maybe it's just me...but we are talking about security, right? While you *can* access data over https/http/remote_locations, is that really a best practice? The link I provided to the information earlier was to ensure that your blacklist/whitelist information was being stored within your own tenant/network. I suspect, if you have Analytics Rules enabled, that URL you shared may show up as an entity for an investigation. 🙂
- Sanket26, Jun 03, 2020, Microsoft
I totally agree with your point. The https link I provided is just a sample to identify whether there is any option where these feeds can be directly utilized in Kusto. Accessing that data over third-party https/http/remote_locations is definitely not a security best practice. We will be uploading these to our internal websites and from there we will be accessing them.
Let me know if this clarifies your concern.
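Putting both halves of the thread together (the line-by-line parsing pattern from the first answer and Rod_Trent's point about hosting the list inside your own tenant), here is an added example that is not code from the thread: it reads the same SSLBL-style CSV from a storage account you control via a SAS URL, types the columns, and joins the result against TLS telemetry. The storage URL, the SAS token, and the TlsLogs table with its ClientJA3/SrcIp/DstIp columns are placeholders you must substitute with whatever exists in your workspace.

```kql
// Added example: same parse_csv pattern as the thread, but the feed is served from
// storage in your own tenant (placeholder URL + SAS token, not a third-party host).
let JA3Blocklist = externaldata (Line:string)
    [@"https://<yourstorageaccount>.blob.core.windows.net/feeds/ja3_fingerprints.csv?<SAS_TOKEN>"]
    with (format="txt", ignoreFirstRecord=true)   // read raw lines; the file has '#' comment lines
| where Line !startswith "#"                      // drop the header/footer comment lines
| extend Fields = parse_csv(Line)                 // split each remaining line into a dynamic array
| project ja3_md5       = tostring(Fields[0]),
          Firstseen     = todatetime(Fields[1]),
          Lastseen      = todatetime(Fields[2]),
          Listingreason = tostring(Fields[3]);
// Match the list against TLS client fingerprints in your own logs.
// TlsLogs, ClientJA3, SrcIp and DstIp are hypothetical names; map them to your data source.
TlsLogs
| where TimeGenerated > ago(1d)
| join kind=inner JA3Blocklist on $left.ClientJA3 == $right.ja3_md5
| project TimeGenerated, SrcIp, DstIp, ClientJA3, Listingreason, Lastseen
| order by TimeGenerated desc
```

Because the join key is the exact MD5 string, normalise case on both sides (for example with tolower()) if your telemetry source emits upper-case JA3 hashes.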