Jaysec
Reputation: 37
Azure Sentinel referencing large sets of data
I've been trying to find the most effective (elegant) solution to achieve what I'm trying to do. I'd like to hear from the community, thank you.
Situation:
- Need to geo-enrich IP Address records on Sentinel. Example: Successful SigninLogs, since MSFT enrichment sometimes generates "Unknown" results in the IP enrichment maps.
- External reference file (subnet, country_code, country_name) are available publicly, however the size and # of records are rather large. (~12MB, 200K+records).
Issue:
- Tried using storage account blob to host the "reference table", apparently hitting the limit on max. blob size in Storage Account.
- Looks like there are max. 30.000 records on Workbooks to read from external sources using 'externaldata' command. Hence, only partial reference data can be read and referred to.
Options considered:
- Ingest the reference table into the log analytics workspace, do a join/lookup to this custom reference table for enrichment
- Export the IP addresses from SigninLogs table to a blob storage, enrich the IP address using logicapps, and then put it back to a 'reference' blob storage. then read the 'reference' blob storage using 'externaldata' syntax.
Limitation Observed:
- Came to a realization that Sentinel couldn't perform API call for enrichment from external data. (CMIIW). I've done similar stuff with Splunk, and we could enrich the data on the fly, by calling in multiple API calls to outside database.
Upvotes: 0
Views: 748
Answers (2)
roflmaowpimp
Reputation: 111
Since March 2022, you can upload large CSV files into a Sentinel Watchlist. This way, you can upload a complete GeoIP database and perform ipv4_lookups. This blog post explains you how to do this: https://cryptsus.com/blog/enrich-geolocation-sentinel-siem.html
Upvotes: 0
TheAlistairRoss
Reputation: 321
- Ingest the Data - As you've mentioned, ingest the data and join the tables. You would need to regularly ingest this though to ensure you can lookup the data within the desired time range (e.g. If you have an Analytics Rule, then this only looks up data for a 14 day period).
- Use a Playbook - If you want the Geo-IP lookup post incident, you can perform this with a Logic App
- Use Jupyter Notebooks - This have the flexibility to perform API calls against external locations and join the data to that hosted in Sentinel. An example notebook is the IP Explorer Notebook. Use Jupyter notebooks to hunt for security threats
- Threat Intelligence - Microsoft enriches all imported threat intelligence indicators with GeoLocation and WhoIs data, which is displayed together with other indicator details.
Upvotes: 1
Related Questions
- Take output from query and use in subsequent KQL query
- Multiple dates within KQL query
- Strategies for working with more than 30k records in Azure Log Analytics results?
- Azure Sentinel Sample data CSV
- Execute Kusto query present in the Table result
- Azure Sentinel Kusto query table with data from another query
- Kusto Search across Sentinel workspaces from a watchlist
- How to efficiently filter Azure (kusto) container logs
- Using KQL to search on subnets
- Azure Data Explorer Query Language-batches and materialize