Reputation: 293
I have a CSV I put in Azure Blob Storage and I want to call it from Microsoft Defender for Endpoint, Advanced Hunting KQL... I generated the SAS token and I'm able to wget the file from anywhere using the full URL with SAS token. But how do I grab it from MDE KQL...
Here's my attempt, obviously, I altered a few letters -
```kusto
let testurls =
    externaldata (url:string) [
        // URL to the file
        @"https://blahblah01.blob.core.windows.net/indicators/testing123.csv"
        // Secret token to the file
        h"?sp=r&st=2022-11-07T19:46:22Z&se=2022-11-08T03:46:22Z&spr=https&sv=2021-06-08&sr=b&sig=rtblahblahblah"
    ]
    | project url;
testurls
```
But

```
wget "https://blahblah01.blob.core.windows.net/indicators/testing123.csv?sp=r&st=2022-11-07T19:46:22Z&se=2022-11-08T03:46:22Z&spr=https&sv=2021-06-08&sr=b&sig=rtblahblahblah"
```

downloads the file.
Is there something I'm doing wrong?
Thanks!!!
Oh wow, here's the response I get, thank you Yoni L.!

Error message:

```
Access to persistent storage path 'https://blahblah01.blob.core.windows.net/indicators/testing123.csv' was denied
```
I was trying to imitate this, maybe it's not even possible. https://www.catapultsystems.com/blogs/querying-data-from-blob-store-in-a-log-analytics-query/
Upvotes: 0
Views: 361
Reputation: 293
The above code does work. I had to get an Azure Admin to help lock down the storage account and the firewall, and then we added the Microsoft public IP addresses to the firewall: https://www.microsoft.com/en-us/download/details.aspx?id=53602 The 52. addresses seem to do the trick.
Appreciate the comments!
Upvotes: 0
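An added diagnostic, not part of the original posts: when `externaldata` reports "Access to persistent storage path ... was denied", checking the SAS parameters first separates a token problem (expired, not yet valid, no read permission, `sip` restriction) from a storage-account network rule. The function names are hypothetical, and the sample input is the question's own altered URL.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# The question's own (deliberately altered) URL, reused here as sample input.
SAMPLE = ("https://blahblah01.blob.core.windows.net/indicators/testing123.csv"
          "?sp=r&st=2022-11-07T19:46:22Z&se=2022-11-08T03:46:22Z"
          "&spr=https&sv=2021-06-08&sr=b&sig=rtblahblahblah")

def parse_ts(value):
    """Parse a SAS st/se value (the three ISO 8601 UTC forms SAS accepts)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")

def split_for_externaldata(url):
    """Split a SAS URL into (blob URL, '?token'), the two literals the query uses."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}{parts.path}", "?" + parts.query

def check_sas_url(url, now=None):
    """Return the problems found in the token; an empty list means it looks usable."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    problems = []
    if "sig" not in q:
        problems.append("no sig parameter, so the URL carries no SAS signature")
    if "r" not in q.get("sp", ""):
        problems.append("sp does not include 'r' (read)")
    if q.get("spr") == "https" and parts.scheme != "https":
        problems.append("spr=https but the URL is not https")
    if "st" in q and now < parse_ts(q["st"]):
        problems.append("token is not valid yet (st is in the future)")
    if "se" in q and now >= parse_ts(q["se"]):
        problems.append("token has expired (se is in the past)")
    if "sip" in q:
        problems.append(f"sip limits callers to {q['sip']}")
    return problems

if __name__ == "__main__":
    for line in check_sas_url(SAMPLE) or ["token parameters look usable"]:
        print(line)
```

An empty result for a URL that the query still cannot read points away from the token and toward the storage account's firewall rules, which is where the poster's fix landed.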