Sentinel Crashing when Running Lookup Search. Trying to find stale Firewall rules.

Christian Lozach 1 Reputation point
2020-12-17T20:00:09.837+00:00

Hello, I'm trying to implement a lookup search that takes a lookup of all of our firewall rules and correlates it with our firewall data to then output what firewall rules are NOT present in the firewall logs. This is to trim down on any stale firewall rules we have. Although, when I run the below search my Sentinel crashes (freezes) and I need to reload it. I have yet to finish the complete search because of this, so any input on how I should be implementing this would be greatly appreciated. I am trying to store all the firewall rules from the lookup into the allRules variable and if I could get that working then do a make_list of the firewall rules used in our logs. Then do a comparison of allRules !in usedRules to find the rules that are not being utilized. The lookup itself works fine. The current search will crash my Sentinel. And if I move the make_list command before the join I get an error in the join command. Not sure how to pivot from this so any help would be appreciated. SAS URL is obfuscated.

// Rule inventory: one rule label per line in a text file reached over a SAS URL (obfuscated here)
externaldata (rulelabel: string) [h@"https://.file.core.windows.net/"] with (format='txt', ignoreFirstRecord=true)
//| summarize allRules = make_list(rulelabel)
// Inner join of every inventory row against every matching firewall log event
| join (CommonSecurityLog | where DeviceProduct == "NSSFWlog") on $left.rulelabel == $right.Activity
| summarize allRules = make_list(rulelabel)


2 answers

  1. Yaron Fruchtmann 1 Reputation point Microsoft Employee
    2020-12-20T12:17:16.887+00:00

    Hi @Christian Lozach ,

    The error in line 4 is due to a missing "=" symbol: use "==" instead of "="

    Please try this: (replace the external data url with the correct one)

    // Rule inventory from the lookup file; de-duplicate labels before joining
    externaldata (rulelabel: string) [h@"<deprecaped>"] with (format='txt', ignoreFirstRecord=true)
    | distinct rulelabel
    // leftanti keeps only inventory rows that have NO match in the firewall logs
    | join kind=leftanti
    (CommonSecurityLog | where DeviceProduct == "NSSFWlog" | distinct Activity) on $left.rulelabel==$right.Activity

    I hope this works for you!

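An added example, not code from the thread or from Microsoft: a time-bounded variant of the leftanti approach above that pre-aggregates the log side before the join and also reports rarely-hit rules. It assumes the same externaldata layout and that the rule name lands in the Activity column; the SAS URL and the hit threshold are placeholders.

```kusto
// Added example, not from the thread. Assumes one rule label per line behind a header row,
// and that the firewall writes the rule name to CommonSecurityLog.Activity.
let lookback = 30d;
// 1. Rule inventory from the lookup; normalise the key so case or whitespace
//    differences do not make a live rule look unused (join keys compare case-sensitively).
let allRules =
    externaldata (rulelabel: string) [h@"<SAS-URL-PLACEHOLDER>"] with (format='txt', ignoreFirstRecord=true)
    | extend rulelabel = tolower(trim(@"\s+", rulelabel))
    | where isnotempty(rulelabel)
    | distinct rulelabel;
// 2. Rules actually seen in the logs, aggregated BEFORE the join so the right side is
//    one row per rule rather than one row per log event.
let usedRules =
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceProduct == "NSSFWlog"
    | extend rulelabel = tolower(trim(@"\s+", Activity))
    | summarize hits = count(), lastSeen = max(TimeGenerated) by rulelabel;
// 3. Inventory rows with no match in the window are stale-rule candidates.
allRules
| join kind=leftanti usedRules on rulelabel
| extend status = "no_hits_in_window"
| union (
    // Also surface rules that fired only rarely (threshold is a placeholder) for review.
    allRules
    | join kind=inner usedRules on rulelabel
    | where hits < 10
    | extend status = "low_hits_in_window"
)
| project rulelabel, status, hits, lastSeen
| order by status asc, hits asc
```

Keeping the window bounded with ago() and reducing the log side to one row per rule before the join keeps the result set small; the unbounded event-level join in the question is what produces a row per log event.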

  2. Yaron Fruchtmann 1 Reputation point Microsoft Employee
    2021-01-04T08:29:58.47+00:00

    Hey @Christian Lozach ,

    I am not clear what doesn't work for you, but the above query is expected to only return the "useless" rules: rules that exist on the DB (external data) but are never triggered (not seen on CommonSecurityLog). Is that not the case?
