Table of Contents
Create custom hunting queries
Like stated in the last part, all Gallery content has been Centralized to Content hub. You will see the following notification under Custom hunting rules. https://learn.microsoft.com/en-us/azure/sentinel/sentinel-content-centralize
If you need inspiration based on MITRE Framework for your hunting queries, you can use framework browser and choose Hunting queries from Simulated.
Or use Content hub to find Sentinel Training Lab solution.
Inside the training lab is an extensive collections of different modules. Just click the picture!
Run hunting queries manually
For this demonstration I will create an Conditional access policy that Block Azure and other Admin portal from a specific user.
And the user tries to login, they will be presented with this
And this will be shown in the Sign-in logs
Yes, this feature is now in Public Preview
You run a query manually by select Queries and Run query.
Let’s if Diego gets hit by this query.
And there he is, when you integrate the appropriate Data sources to Sentinel, you have almost limitless possibilities to gather content with your Custom or Content hub originated queries.
See more on Hunting queries from Learn.
Monitor hunting queries by using Livestream
What you can do with it?
You may conduct queries on Livestream, and it will notify you of any updated results every 30 seconds.
Test newly created queries as they occur
It is possible to test and modify queries without interfering with any active rules being used to regulate events. By selecting “Elevate to alert” when the queries have been demonstrated to function as intended, the queries may then be elevated as custom alert rules.
Launch investigations
View some (or any) action in the log data as it occurs on that asset and be alerted when such activity occurs if there is an ongoing investigation in the company concerning an asset like a host or user.
Get notifications of threat feed matches
Threat data feeds, which are continuous streams of information about prospective or existing threats, are compared to aggregated log data, and any matches that could point to a problem are alerted to. When you want to be informed of a possible problem without the hassle of maintaining a custom alert rule, create a Livestream instead of a custom alert rule.
How to use Livestream?
Open your Hunting queries and choose Add to livestream under the three dots.
And you will see the queries running under Livestream.
And you can create an Analytics rule for the Livestream job
See this older article from Microsoft with the quick-wins. The interface has been changes but the use-cases are still accurate.
And see more from Learn on Livestream
Configure and use MSTICPy in notebooks
MSTICPy is a Python library of Cybersecurity tools built by Microsoft, which provides threat hunting and investigation functionality.
Getting Started Guide for Microsoft Sentinel ML Notebooks notebook uses MSTICPy.
And you will need Azure Machine learning to deploy the template, as the templates is deployed to it.
When you Azure ML provisioned, you can continue with the setup
And it will open Machine Learning Studio
Prerequisites for (pronounced miss-tick-pie) <- Pronunciation of MSTICPy
- Log Analytics Reader permissions on the Microsoft Sentinel workspace
- Python 3.8 notebook kernel (
Python 3.8 - Azure ML
)
YAML file is used by MSTICPy to store a variety of configuration information. By default, the notebook startup method creates a msticpyconfig.yaml file.
The most widely used programming languages list constantly includes the data serialization language YAML. Although its object serialization capabilities make it a potential alternative to languages like JSON, it is frequently used as a format for configuration files.
Create a compute and connect to Azure
Once the authentication is successful, you are ready to use Azure SDK
And magic!
See this guide from Learn for more information
And this from MSTIC Jupyter and Python Security Tools
Azure Machine Learning studio hosted environment.
Perform hunting by using notebooks
You may create and share documents with live code, equations, graphs, and explanatory text using a Jupyter Notebook. Data transformation and cleansing, numerical simulation, statistical modeling, machine learning, and many more applications are some examples. You can do more with Microsoft Sentinel data thanks to Jupyter. It combines complete programming flexibility with a sizable library collection for data analysis, visualization, and machine learning.
There are two parts to notebooks:
- The browser-based interface, which allows you to enter and execute code and queries and display the execution results.
- The kernel itself is in charge of processing and running the code.
You can find predefined Notebooks in GitHub.
See more here for the code inside Notebooks.
Track query results with bookmarks
There may be occasions when you need to maintain track of the outcomes of previously executed queries while conducting investigations. It’s possible that another user will be taking over the inquiry or that you must focus on another topic and will return to this one later. Additionally, you might need to save some outcomes as proof of an occurrence. In any case, you may store this information for later by using a bookmark.
You can find Add bookmark from query and by selecting the result.
You can also use API calls to create or update a Bookmark
You define the following information for the Bookmark
You should do the following for the Bookmarks:
- Give your bookmarks meaningful names.
- Add thorough remarks or notes to each bookmark.
- Exchange bookmarks with other investigational personnel.
- To keep the bookmark list organized and current, delete any outdated bookmarks.
- Once you add the Bookmark, you can see under Hunting and Bookmarks
The bookmark is deleted and is no longer listed in the Bookmark tab. Previous bookmark entries will still be present in the HuntingBookmark table for your Log Analytics workspace, but the most recent item will set the SoftDelete value to true, making it simple to filter out earlier bookmark entries.
Any entities connected to other bookmarks or alerts remain in the investigation experience even after a bookmark has been deleted.
Use hunting bookmarks for data investigations
You can also use Bookmarks for Investigation
And you have following methods for them:
- Create new incident
- Add to existing incident
- Remove from incident
You can assign a Severity and a Owner for the Incident
And removing the Bookmark from the incident
And you can add it to Existing incident
Did you know that you can manually Create an Incident?
You can see Bookmark logs under Bookmark Logs
And how you will see the results
Convert a hunting query to an analytical rule
Security analysts may proactively look for possible security issues in their surroundings by hunting in Microsoft Sentinel.
On the other hand Analytical rules enhance the hunting capabilities while hunting queries offer insights into security incidents. They enable security teams to automate threat detection and mitigation.
The rule creation has the same wizard.
After the Analytics rule is created you can delete the Hunting query or just leave it, it depends on your own processes.
Note that you cannot directly delete a Hunting query that is import with a Content hub solution.
But the Custom query you can just Delete without any questions asked.
Closure
That is the end of my SC-200 study guide, hopefully you found it inspiring and helpful.
For the last, let’s see what we have learned in this last section.
Content hub, Content hub and Content hub is the place to be. https://learn.microsoft.com/en-us/azure/sentinel/sentinel-content-centralize
Livestream will notify you of any updated results every 30 seconds.
Livestream helps you to Test newly created queries as they occur, Launch investigations, Get notifications of threat feed matches
MSTICPy is a Python library of Cybersecurity tools built by Microsoft, which provides threat hunting and investigation functionality.
Getting Started Guide for Microsoft Sentinel ML Notebooks notebook uses MSTICPy.
And you will need Azure Machine learning to deploy the template, as the templates is deployed to it
Data serialization language YAML is a potential alternative to languages like JSON
There are two parts to notebooks:
- The browser-based interface, which allows you to enter and execute code and queries and display the execution results.
- The kernel itself is in charge of processing and running the code.
You can Sentinel portal or use API calls to create or update a Bookmark
And you have following methods for them:
- Create new incident
- Add to existing incident
- Remove from incident
After the Analytics rule is created you can delete the Hunting query or just leave it, it depends on your own processes.
And last if you missed this, you can access the Labs from here
Link to main post
Thank you!
For this last post I will like to thank you all for reading and supporting. All the feedback is more than welcome from my audience because you are the ones that these post are for. Raising the community, because the community raised me!