Azure Sentinel News

How to Evolve the SOC with Azure Sentinel: Hunting Queries

by Azure Sentinel News Editor
January 5, 2021
in SOC

The evolution of the Security Operations Center (SOC) is important. This process is key to enabling your security teams and your security tools to work more efficiently and more intelligently. Without it, your security operations become stagnant and incapable of addressing new threats.

As you know, I spend a lot of time working with and educating our customers about Azure Sentinel. Many of the conversations we have are around SOC efficiency, and it somewhat shocks me to hear how their old, legacy tools have made them complacent and, most times, incapable of evolving. I’ve worked with a lot of customers who have entered the stagnation phase I alluded to in the first paragraph – to the point of becoming desensitized to new threats.

So, I want to spend a series of blog posts talking about SOC evolution and the various areas in Azure Sentinel that make this operation seamless and less painful. I always enjoy, at the end of this conversation with customers, that they’re impressed enough to incorporate evolution and efficiency back into their security operations. That’s a big win for everyone.

This post focuses on turning Hunting queries into Analytics Rules.

What

Did you know you can quickly and easily turn a Hunting query into an Analytics Rule?

Why

Why do you want to do this? Well, think about it. Over time, you will develop new Hunting queries to identify potential new threats in your environment. These new threats could have been reported in the news, on blog sites, by a security person on Twitter – by whoever or whatever you have identified as a trusted source. But, as part of your process for Hunting, you need to answer the BIG FOUR questions:

  1. Does it exist?
  2. Where does it exist?
  3. Why does it exist?
  4. How do we respond?

After developing your method and building your response, you run the Hunting query you’ve concocted periodically to expose this data, which allows you to monitor for the threat’s existence. Over time, you may find as part of this procedure that some of the Hunting queries you created become more important for your overall security monitoring. The data that is returned is consistent and constant. It’s not always a compromise, an intrusion, or a direct threat, but it’s important enough that you want to blend it into your normal alerting and investigation system.

In that case, you can eliminate specific Hunting queries from your manual monitoring operations and turn them into automated analysis. By doing this, the Hunting query takes on the role of an Analytics Rule, which provides for running automatically on a schedule, looking through a specific, defined range of data, and even applying an automated response (using Playbooks).

How

Here’s how to do it…

  1. Locate the Hunting query you want to turn into an Analytics Rule and right-click on it.
  2. Choose “Create analytics rule”.

[Figure: Found it!]

  3. Run through and complete the Analytics Rule wizard. Note that the General tab information and the KQL query (rule logic) are automatically transferred to the wizard, so you don’t have to recreate everything you’ve worked hard to develop.

[Figure: Running through the Analytics Rule wizard]

  4. Go back to the Hunting blade, right-click the old Hunting query, and delete it. You may decide not to delete the original Hunting query, and that’s OK. Some customers keep them around to use as templates for future Hunting queries. Personally, I choose to delete it. It’s an OCD thing where I have to have everything neat and in order. But, you do you.

[Figure: Removing the old Hunting query]
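To make the hand-off concrete, here is an added example (not from the original post, and not one of the Azure Sentinel GitHub queries) of what a Hunting query looks like before and after it is promoted through the wizard. It uses the standard SigninLogs table and columns; the threshold, the 7-day hunting window and the hourly schedule are assumed values chosen for illustration.

```kql
// Added example, not part of the original post.
// Hunting form: run by hand from the Hunting blade, so the query owns
// its own time window. Threshold (20) and window (7d) are assumed values.
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType != "0"                // "0" is a successful sign-in
| summarize FailedCount = count(),
            FirstFail = min(TimeGenerated),
            LastFail  = max(TimeGenerated)
    by UserPrincipalName, IPAddress
| where FailedCount >= 20
| order by FailedCount desc

// Analytics Rule form: "Create analytics rule" copies the query above into
// the wizard as the rule logic. The schedule (for example, run every 1 hour)
// and the lookback (for example, last 1 hour) are set on the rule, not in
// KQL, and the rule only evaluates data inside that lookback. A hard-coded
// ago(7d) wider than the lookback does nothing, so drop it (or keep a filter
// narrower than the lookback) and let the rule define the window.
SigninLogs
| where ResultType != "0"
| summarize FailedCount = count(),
            FirstFail = min(TimeGenerated),
            LastFail  = max(TimeGenerated)
    by UserPrincipalName, IPAddress
| where FailedCount >= 20
// Map UserPrincipalName to the Account entity and IPAddress to the IP entity
// in the wizard so the incidents the rule creates carry investigable entities.
```

The query text is the part the wizard carries over for you; the schedule, lookback, alert threshold, entity mapping and any Playbook response are what you add in the wizard, and they are the difference between a hunt you run by hand and a rule that runs itself.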

By automating a hunt, you’ve effectively improved efficiency and helped evolve the SOC, making it more intelligent and enabling it to work better with the way your specific environment requires.

I’ve seen many customers take full advantage of Azure Sentinel’s SOC evolution processes and build something unique to the environment that matches exactly what . Azure Sentinel is like the tofu of security tools. It’s a platform that transforms and grows. Based on the data you decide to ingest, the analytics rules you create and enable, the automation you supply, and a multitude of other things – utilize Azure Sentinel for 3 months and your implementation will look very different from any other implementation in the world. And that’s a good thing. What other tool can adapt to you like that?

If you’re interested in hearing about more efficiency value with Azure Sentinel specific to Hunting operations, I recently delivered a session on Achieving SOC Operational Efficiency for Azure Sentinel Hunting.

Reference: https://azurecloudai.blog/2021/01/04/evolving-the-soc-with-azure-sentinel-hunting-queries/

Copyright © 2020 - Azure Sentinel News