Sentinel KQL - Is there an easy way to whitelist, say, the Alexa top 10k sites?

Decypher 1 Reputation point
2021-05-07T19:11:42.49+00:00

I am curious whether, in Sentinel KQL alerts, there is an easy way to whitelist, say, the Alexa top 10k instead of ...

| where Name !has "cnr.io"
    and Name !has "kr0.io"
    and Name !has "arcticwolf.net"
    and Name !has "webcfs00.com"
    and Name !has "barracudabrts.com"
    and Name !has "trendmicro.com"
    and Name !has "sophosxl.net"
    and Name !has "spotify.com"
    and Name !has "e5.sk"
    and Name !has "mcafee.com"
    and Name !has "opendns.com"
    and Name !has "spameatingmonkey.net"
    and Name !has "_ldap"
    and Name !has "_kerberos"
    and Name !has "modsecurity.org"
    and Name !has "fdmarc.net"
    and Name !has "ipass.com"
    and Name !has "wpad"

Microsoft Sentinel

1 answer

  1. Clive Watson - MSFT 106 Reputation points
    2021-05-10T07:30:20.32+00:00

    You can do a NOT list in this way as well

    SecurityIncident
    | where Title !in ('Suspicious Activity Generated by Host','Azure activity matching known threats','Atypical Travel')

    or like this

    let _exclude = dynamic(['Suspicious Activity Generated by Host','Azure activity matching known threats','Atypical Travel']);
    SecurityIncident
    | where Title !in (_exclude)

    If you need a large list and want it centralized, then a Watchlist would be my advice. https://learn.microsoft.com/en-us/azure/sentinel/watchlists

    There are also ways to count the top 10 (or 10k); example below

    SecurityIncident
    | summarize count() by Title
    | top 10 by count_

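Added example, not part of the original question or answer: the Watchlist approach suggested in the answer, applied to the domain exclusions from the question, matching on the parent domain rather than with `!has`. The two `datatable`s are constructed stand-ins so the query runs anywhere; in a workspace `AllowedDomains` would be `_GetWatchlist('AllowedDomains') | project Domain` (the alias and the `Domain` column are assumptions) and `DnsSample` would be the table that holds `Name`.

```kusto
// Constructed stand-in for the watchlist contents (one domain per row).
let AllowedDomains = datatable(Domain:string)
[
    "spotify.com",
    "opendns.com",
    "sophosxl.net",
    "example.co.uk"
];
// Constructed sample events standing in for the real DNS table.
let DnsSample = datatable(TimeGenerated:datetime, Name:string)
[
    datetime(2021-05-07 19:00:00), "api.spotify.com",          // subdomain of an allowed domain
    datetime(2021-05-07 19:01:00), "spotify.com",              // allowed domain itself
    datetime(2021-05-07 19:02:00), "spotify.com.example.net",  // allowed domain only as a prefix
    datetime(2021-05-07 19:03:00), "unknown-host.example.org", // not on the list
    datetime(2021-05-07 19:04:00), "HOST1.SOPHOSXL.NET",       // different case
    datetime(2021-05-07 19:05:00), "www.example.co.uk"         // three-label parent domain
];
DnsSample
| extend Labels = split(tolower(Name), ".")
// Candidate parent domains: the last two and the last three labels of the name.
| extend Parent2 = strcat_array(array_slice(Labels, -2, -1), ".")
| extend Parent3 = strcat_array(array_slice(Labels, -3, -1), ".")
// Keep only events whose name and candidate parents are all absent from the list.
// !in~ compares case-insensitively and accepts a tabular expression.
| where Name !in~ (AllowedDomains)
    and Parent2 !in~ (AllowedDomains)
    and Parent3 !in~ (AllowedDomains)
| project TimeGenerated, Name
```

Matching on the parent domain means a name that only starts with an allowed domain (the third sample row) is not suppressed, whereas `Name !has "spotify.com"` would drop it from the alert.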