Forum Discussion
Managing lists
- Oct 13, 2019
Hi omrip
I'm struggling to understand what you are asking here, so sorry to ask again.
Are you trying to read from a file? If so, see https://cloudblogs.microsoft.com/industry-blog/en-gb/cross-industry/2019/08/13/azure-log-analytics-how-to-read-a-file/ If you are trying to create a file from Log Analytics, you can't do that; only reading from a file is possible, using the externaldata operator as per my example. You can build lists on the fly / at run time with a data table as shown.
If it's a file you need to upload, perhaps on a schedule, you might need to use Logic Apps to control that workflow/process. Then read from it with externaldata and parse the JSON (if it's JSON).
I got it using
The above has examples like this (adapt the whitelist line to your own file):
let timeRange = 1d;
let whitelist = externaldata (UserPrincipalName: string) [h"https://..."] with (ignoreFirstRecord=true);
SigninLogs
| where TimeGenerated >= ago(timeRange)
| where UserPrincipalName !in~ (whitelist)
Using your data across all tables would need a union or join, e.g. (just replace the fake whitelist with your one):
let whitelist = dynamic(["fake IOC","another fakeIOC"]);
union withsource=TableName *
| where Indicator in (whitelist)
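The reply mentions reading an uploaded JSON file and parsing it but shows only the CSV-style case. The following is an added example, not part of the original post. It parses a JSON allowlist and applies it to sign-in rows. The JSON text, the `SampleSignins` table, the account names and the `<your-file-url>` placeholder are all constructed assumptions so the query runs without any external file.

```kusto
// Constructed sample of the JSON file content (stand-in for the uploaded file).
// With a real file, the 'whitelist' definition below could instead be:
//   externaldata (UserPrincipalName: string) [h"https://<your-file-url>"]
//       with (format="multijson")
let whitelistJson =
    '[{"UserPrincipalName":"svc-backup@contoso.example"},{"UserPrincipalName":"Admin@Contoso.example"},{"UserPrincipalName":""}]';
// Parse the JSON array, expand it to one row per entry, and drop blank entries
// so an empty string in the file never matches rows with a missing user name.
let whitelist =
    print Entries = parse_json(whitelistJson)
    | mv-expand Entry = Entries
    | project UserPrincipalName = tostring(Entry.UserPrincipalName)
    | where isnotempty(UserPrincipalName);
// Constructed rows standing in for the SigninLogs table.
let SampleSignins = datatable (TimeGenerated: datetime, UserPrincipalName: string, IPAddress: string) [
    datetime(2019-10-13 08:00:00), "admin@contoso.example",      "203.0.113.10",
    datetime(2019-10-13 08:05:00), "svc-backup@contoso.example", "203.0.113.11",
    datetime(2019-10-13 08:10:00), "jdoe@contoso.example",       "198.51.100.7",
    datetime(2019-10-13 08:15:00), "",                           "198.51.100.8"
];
// Sanity check: if the file is empty or failed to parse, '!in~' excludes nothing
// and 'in' matches nothing, so surface the entry count next to every result row.
let entryCount = toscalar(whitelist | count);
SampleSignins
| where UserPrincipalName !in~ (whitelist)   // case-insensitive, as in the post
| extend WhitelistEntries = entryCount
| project TimeGenerated, UserPrincipalName, IPAddress, WhitelistEntries
```

To run it against real data, swap `SampleSignins` for `SigninLogs` and restore the `TimeGenerated >= ago(timeRange)` filter from the post.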