Azure Sentinel Daily Task: Hunting Queries and Bookmarks

by Azure Sentinel News Editor
January 1, 2021
in Security Operations

This is part of a continuing series in relation to the Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel, which outlines tasks for security analysts. In this article, I’ll talk about investigating incidents as part of a daily regimen for an Azure Sentinel analyst. There are deeper discussions and training required to get a good handle on the ins and outs of working with Azure Sentinel. I won’t dig deep into those here, but instead give an overview of this specific daily task.

For customers that want deeper dives for Azure Sentinel, you have a few options:

In fact, this particular blog series is being developed into a workshop on its own and will also cover the additional, deeper knowledge for taking next steps.

NOTE: Depending on the size of the SOC, the daily task covered here is generally associated with a Tier 1 or Tier 2 analyst. For smaller teams, or environments where there is no dedicated security team, this task may be distributed to anyone who has the capability to perform it. BUT, this task should definitely be performed daily.

Digging In

In addition to performing Investigations daily, a Sentinel analyst will want to dig through the list of available Hunting queries to see if there are signs of potential threats.


Notice in the image that there are “gold stars” shown in the Hunting query display. These are Hunting queries that the analyst has previously marked as “favorites”: queries that are important to the environment because they return information deemed critical to monitor (it’s easy to set a favorite query just by clicking the star). Every time the analyst accesses the Hunting blade in the Azure Sentinel console, these specific queries run automatically, so the analyst can perform a quick review of the Results column.

From here, the analyst will want to select View Results for each query that returned data.

From the query Results window, the analyst will want to search through, find items of interest, select them using the checkboxes, and then create Bookmarks that can be used to investigate or assign to another tier analyst.

After creating the Bookmarks for later review, the analyst may want to execute any Playbooks that have been pre-created and designed to handle any of the specific Hunting results.

Finally, the analyst should review existing Bookmarks to check their age and decide whether new Incidents need to be created for them.
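As an added example that is not part of the original post: the final review step (how old each Bookmark is, and whether it is already attached to an Incident) is easy to script once the bookmark list has been pulled from the workspace. The code below runs on constructed sample records shaped like the Bookmark resource the Azure Sentinel REST API returns (`properties.displayName`, `properties.created`, `properties.incidentInfo`); those field names, the sample data and the 7-day threshold are assumptions for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample bookmarks, shaped like the Bookmark resource the
# Azure Sentinel REST API returns (field names are an assumption here).
SAMPLE_BOOKMARKS = [
    {"name": "bm-001", "properties": {
        "displayName": "Rare process run by service account",
        "created": "2021-01-10T08:15:00Z",
        "incidentInfo": {"incidentId": "inc-42", "severity": "Medium"}}},
    {"name": "bm-002", "properties": {
        "displayName": "Sign-in from unfamiliar location",
        "created": "2020-12-20T14:00:00Z",
        "incidentInfo": None}},
    {"name": "bm-003", "properties": {
        "displayName": "New inbox forwarding rule",
        "created": "2021-01-14T09:30:00Z"}},
]

# Fixed "today" so the sample review is reproducible (constructed value).
SAMPLE_NOW = datetime(2021, 1, 15, tzinfo=timezone.utc)


def parse_time(value: str) -> datetime:
    # API timestamps are ISO 8601 with a trailing 'Z'; return a tz-aware value.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_bookmarks(bookmarks, now=None, max_age_days=7):
    """Sort bookmarks into three buckets for the daily review:
    tracked        - already attached to an Incident, nothing to do here
    needs_incident - older than max_age_days and still not in an Incident
    fresh          - recent and not yet in an Incident, keep watching
    Each entry is (bookmark name, display name, age in whole days)."""
    now = now or datetime.now(timezone.utc)
    buckets = {"tracked": [], "needs_incident": [], "fresh": []}
    for bm in bookmarks:
        props = bm["properties"]
        age = now - parse_time(props["created"])
        # incidentInfo may be absent or null when no Incident was created yet
        has_incident = bool((props.get("incidentInfo") or {}).get("incidentId"))
        if has_incident:
            key = "tracked"
        elif age > timedelta(days=max_age_days):
            key = "needs_incident"
        else:
            key = "fresh"
        buckets[key].append((bm["name"], props["displayName"], age.days))
    return buckets


if __name__ == "__main__":
    for bucket, items in triage_bookmarks(SAMPLE_BOOKMARKS, SAMPLE_NOW).items():
        print(bucket, items)
```

In a live workspace the same function can be fed the output of the bookmarks list call (for example from the Az.SecurityInsights PowerShell module or the REST API) in place of the constructed records.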

Again, for customers that want deeper dives for Azure Sentinel, either sift through our docs platform or contact your TAM and ask about our Azure Sentinel workshop/POC.

Reference: https://azurecloudai.blog/2020/04/14/azure-sentinel-daily-task-hunting-queries-and-bookmarks/
