TI map in several tables

mikhailf · ‎Apr 27 2023

Hello Tech Community,

We are trying to map TI indicators in several tables in Sentinel.

It is clear how to take 1 type of indicator (IP, for example) and look for it in 1 table (firewalls, for example).

But what if we want to build only 1 KQL for it and we want to look for this indicator in firewalls, switches, mail relay, etc.

We've tried to play with union/joins, but without success. The only message we received was about exessive amount of resources required to perform the query :D

Has anyone here built something like this? What are the pros and cons of such a query?

mikhailf · ‎Apr 27 2023

Is this for a Rule or just a query - Rules need to be performant and the "excessive resource warning" is worth taking into consideration. You can improve this by identifying each Column in each table to aid the query (but that's a lot of work and hard to maintain). Its a reason Microsoft Rules are per Table generally
https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence/Analytic%20Rules

Ad-hoc queries are less of an issue.

mikhailf · ‎Apr 27 2023

Is this for a Rule or just a query - Rules need to be performant and the "excessive resource warning" is worth taking into consideration. You can improve this by identifying each Column in each table to aid the query (but that's a lot of work and hard to maintain). Its a reason Microsoft Rules are per Table generally
https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence/Analytic%20Rules

Ad-hoc queries are less of an issue.

View solution in original post

TI map in several tables

TI map in several tables

Re: TI map in several tables

Re: TI map in several tables

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

TI map in several tables