
I'm trying to whitelist a set of domains in an Azure Sentinel rule based on the !hassuffix string operator.

I'm trying to do something like this:

AzureDiagnostics
| where destinationDomain !hassuffix ".google.com" and destinationDomain !hassuffix ".azure.com"

But because there will be many whitelisted domains and subdomains, I'd like to store the root domains/subdomains in a list that will live in blob storage, e.g.:

let whitelist = dynamic([".google.com", ".azure.com" .........])

Does anyone know the syntax to iterate over these and check destinationDomain !hassuffix against each element of the dynamic array? Or is having a wall of them the only way? Thanks


2 Answers


There is no such function. You should use matches regex instead.

answered 2020-09-08T05:13:26.557
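Worked example of the regex approach suggested in the answer above. This is an added example, not code from the original post; the table, column name and rows are constructed sample data. The point it shows is the two mistakes that turn a suffix allowlist into a bypass: an unescaped `.` matches any character, and a missing `$` anchor lets `google.com.attacker.net` pass as "google.com". `matches regex` is case-sensitive, so the `(?i)` flag is added to mirror the case-insensitive behaviour of `hassuffix`.

```kusto
// Constructed sample data standing in for AzureDiagnostics.
let Events = datatable(destinationDomain: string)
[
    "mail.google.com",            // allowlisted
    "portal.azure.com",           // allowlisted
    "google.com.attacker.net",    // passes if the "$" anchor is missing
    "evilgoogle.com",             // passes if the leading "\." is missing
    "c2.example.net"              // not allowlisted
];
// One anchored, case-insensitive alternation: every dot escaped, every
// alternative starting with a literal "." so only true subdomains match.
Events
| where destinationDomain !matches regex @"(?i)(\.google\.com|\.azure\.com)$"
// Remaining rows: google.com.attacker.net, evilgoogle.com, c2.example.net
```

Note that, like `hassuffix ".google.com"`, this pattern does not match the apex domain `google.com` itself; add `^google\.com$` style alternatives if bare apex domains should also be allowlisted.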

This may not be the most efficient way, but you could do a cross-product type join across the whitelist, perform the !hassuffix check on each, and then look at the count that passed (failed, I guess?) the check. For smaller whitelists and tables it should be fine, and it's easier to modify/maintain.

let AzureDiagnostics = datatable(destinationDomain: string)
[
"test.google.com",
"test.notallowed.com",
"other.azure.com",
"alsonotallowed.azure2.com"
];
let Whitelist = datatable(allowedSuffix: string, dummy: long)
[
".google.com", 1,
".azure.com", 1
];
AzureDiagnostics
| extend dummy=1 // add a dummy column for the cross-product join
| lookup Whitelist on dummy // do the cross product (lookup used assuming Whitelist is small)
| where destinationDomain !hassuffix (allowedSuffix) // perform the suffix check
| distinct destinationDomain, allowedSuffix // collapse repeated log rows for the same domain so the count below is per suffix, not per event
| summarize count() by destinationDomain // since the list was broken up, get the count of passes
| where count_ == toscalar(Whitelist | count) // keep the row only if !hassuffix was true for every suffix (the count)
| project destinationDomain // get rid of the count column
answered 2020-09-14T02:58:48.123
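An alternative to the cross-product join above that answers the question as asked, checking `!hassuffix` against every element of a `dynamic` array per row. This is an added example, not code from either answer; the `Allowlist` array and the `Events` rows are constructed sample data. It uses `mv-apply`, which expands the array for each event, runs the subquery over that event's expanded rows, and yields one row per original event, so repeated log lines for the same domain are handled without any dedup step.

```kusto
// Allowlist kept as a dynamic array, as the question proposed (constructed).
let Allowlist = dynamic([".google.com", ".azure.com"]);
// Constructed sample data standing in for AzureDiagnostics.
let Events = datatable(destinationDomain: string)
[
    "mail.google.com",
    "google.com.attacker.net",    // suffix check correctly rejects this
    "portal.azure.com",
    "c2.example.net",
    "c2.example.net"              // duplicate event: both rows must survive
];
Events
| extend suffix = Allowlist                       // attach the whole array to every row
| mv-apply suffix to typeof(string) on (          // expand and evaluate per event
    summarize hits = countif(destinationDomain hassuffix suffix)
)
| where hits == 0                                 // no allowlisted suffix matched
| project destinationDomain
// Remaining rows: google.com.attacker.net, c2.example.net, c2.example.net
```

`hassuffix` is case-insensitive, so mixed-case hostnames need no normalisation. As with the leading-dot entries in the question, an apex domain such as `google.com` is not covered by `.google.com`; add it to `Allowlist` as its own entry if bare apex names must pass.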