cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Storing static data in table to use in KQL

Pavan_Gelli1910
Brass Contributor

‎Jan 05 2020 11:15 PM - last edited on ‎Dec 23 2021 04:46 AM by

‎Jan 05 2020 11:15 PM - last edited on ‎Dec 23 2021 04:46 AM by

Storing static data in table to use in KQL

Unable to maintain static/dynamic data sets for below sample use cases.

 

Use Cases:

 

  1. Increase in failed domain admin account logins detected
  2. Password change or rest on known privileged account
  3. Interactive login (Success or Failed) from Service Account

Ex: Interactive login (Success or Failed) from Service Account:

 

Ideally service accounts are used for application level integration. We need to trigger an alert if interactive/remote interactive login observed from service accounts.

 

Current work around: I have hard coded the all our service accounts in the KQL query. Which is not feasible in long run.

 

Challenge: If new service accounts are provisioned. We are missing monitoring on those service accounts until I add them in KQL Query.

 

Ask: Is there any workaround, KQL to get the data from storage account like blob / can I create table /AD using scripts on scheduled basis /store in log analytics.

 

Please help.

Labels:
2,640 Views
0 Likes
4 Replies
Reply
4 Replies
Thijs Lecomte

‎Jan 06 2020 12:42 AM

‎Jan 06 2020 12:42 AM

Re: Storing static data in table to use in KQL

What I would do in that moment is add the service accounts to a specific group or use a unique attribute and filter your KQL query to that attribute
0 Likes
Reply
Gary Bushey

‎Jan 06 2020 03:54 AM

‎Jan 06 2020 03:54 AM

Re: Storing static data in table to use in KQL

@Pavan_Gelli1910 You can create your own custom log table and add the entries there.  This page has a PowerShell script that shows you the steps.  It should be easy enough to modify for your needs or to use it as a basis for a different language.

 

https://gallery.technet.microsoft.com/PowerShell-script-to-0823e09d

 

1 Like
Reply
best response confirmed by Pavan_Gelli1910 (Brass Contributor)
Gary Bushey

‎Jan 06 2020 04:13 AM

‎Jan 06 2020 04:13 AM

Solution

Re: Storing static data in table to use in KQL

@Pavan_Gelli1910 Just saw this timely post on the Azure Sentinel blog page.  Could help.

 

https://techcommunity.microsoft.com/t5/azure-sentinel/implementing-lookups-in-azure-sentinel-part-1-...

1 Like
Reply
Pavan_Gelli1910

‎Jan 07 2020 01:02 AM

‎Jan 07 2020 01:02 AM

Re: Storing static data in table to use in KQL

This is really the best article to address my ask. Thanks
0 Likes
Reply