我正在尝试根据 !hassuffix 字符串运算符从 Azure 哨兵规则中将一堆域列入白名单。
我正在尝试做这样的事情:
AzureDiagnostics
| where destinationDomain !hassuffix ".google.com" and destinationDomain !hassuffix ".azure.com"
但是因为会有很多列入白名单的域和子域希望将根域/子域存储在一个列表中,该列表将存储在 blob 存储中,例如:
let whitelist = dyanmic([".google.com", ".azure.com" .........])
有谁知道遍历每一个并检查每个动态数组元素的destinationDomain !hassuffix 的语法吗?或者是拥有墙的唯一方法?谢谢
【问题讨论】:
标签: azure azure-data-explorer kql azure-sentinel
没有这样的功能。你应该改用matches regex。
【讨论】:
这可能不是最有效的方法,但是您可以跨白名单进行跨产品类型连接,对每个执行 !hassuffix 检查,然后查看有多少通过(我猜失败了?)检查。对于较小的白名单和表格,它应该没问题,并且更容易修改/维护。
let AzureDiagnostics = datatable(destinationDomain: string)
[
"test.google.com",
"test.notallowed.com",
"other.azure.com",
"alsonotallowed.azure2.com"
];
let Whitelist = datatable(allowedSuffix: string, dummy: long)
[
".google.com", 1,
".azure.com", 1,
];
AzureDiagnostics
| extend dummy=1 // add a dummy column for cross product join
| lookup Whitelist on dummy // do cross product (lookup used assuming Whitelist is small)
| where destinationDomain !hassuffix(allowedSuffix) // perform the suffix check
| summarize count() by destinationDomain // since the list was broken up, get the count of passes
| where count_ == toscalar(Whitelist | count) // if the !hassuffix was true for all (the count) keep the result
| project destinationDomain // get rid of the count column
【讨论】: