Blogs by Ashwin

  To read part 1, please click  here Create a Custom Hunting Query In order to create a new query: Select New query. Fill all the blank fields and choose Create. Entity mappings can be created by selecting entity types, identifiers, and columns. Map MITRE ATT&CK techniques to your hunting queries by selecting the tactic, technique, and sub-technique. To clone and modify existing query Select the desired hunting query from the table. Select the ellipses (...) in the line of the query to be modified, and select Clone query. To modify an existing query Select the required hunting query from the table. Queries from the custom content can be edited only. Other content sources have to be edited at that source. Select the ellipses (...) in the line of the query to be modified, and select Edit query. Now, the Custom query field can be modified with the updated query. The entity mapping techniques can also be modified.  Create Bookmarks The unusual and suspicious results can be bookmarked,

  To read part 2, please click  here Overview Security analysts and investigators always want to be proactive in threat hunting, but, the loads of data generated from various systems and security appliances making it difficult to covert them into meaningful events. Hence, Microsoft Sentinel comes to the rescue with its powerful hunting search and query tools, that are of great help in hunting threats across an organization's vast data sources.  Use Built-in Queries Built-in hunting queries are created by Microsoft security researchers on a continuous basis, simultaneously updating them. These queries can be used before, after, and during a compromise to take the following actions: Before incident occurs- Proactive action should be taken by running threat-hunting queries related to the ingested data at least once a week. Its results will offer early insight into the events confirming any compromise, or weak spots in an environment that are vulnerable.  During a compromise- A livestr

  Overview Microsoft Sentinel runs Playbooks in response to an entire incident, individual alert, or a specific entity. They are a collection of procedures used to automate and orchestrate a response. They can also be run automatically for specific alerts or when incidents are created or updated, by being attached to an automation rule. However, Playbooks can also run manually on-demand for specific incidents, alerts, or entities.  Automation rules helps in triaging the incidents in Microsoft Sentinel. They are used to automatically assign incidents to the right personnel, close noisy incidents or recognize false positives, etc. They are generally used in playbooks to respond to incidents or alerts. Create a Playbook Select Automation from Microsoft Sentinel's navigation menu. Choose Create from the top menu. Under Create, four options are given for creating playbook- For Standard Playbook, choose Blank Playbook, and then follow the steps in the Logic Apps Standard tab. For Consump

  Detect Threats Out-Of-The-Box Now, Microsoft Sentinel is all set to collect all the data from an organization and it will be required to scan that data for any security threat. Hence, Microsoft Sentinel offers templates to create threat detection rules termed as analytics rules.  These analytics rule templates are designed by a team of security experts and analysts, according to the known threats, common attack vectors, and suspicious activity escalation chains. so, the rules created from these templates, automatically search for any anomalies in a network environment. These templates can also be customized accordingly. When the alerts are generated, they create incidents that are further investigated.  View Detections Firstly, go to Analytics > Rules templates tab, which contains all the installed rule templates. Now, to find more rule templates, go to Content hub, in order to install the related product solutions or standalone content. These detections include: Rule Ty

  Get Visualization The overview dashboard gives an idea of the security posture of an organization. Incidents are a group of related alerts that are used to create an actionable incident to investigate and resolve. In Microsoft Sentinel a desired workspace can be selected to monitor.  View Incident Data There are various types of incident data under Incidents. The top left contains the number of new, active, and closed incidents of the last 24 hours. The right left contains the incidents according to severity, and closed incidents by closing classification. There is a graph at the bottom left that breaks up the incident status by creation time in 4 hour intervals. The bottom right consists of the mean time that acknowledges an incident and mean time to close with a link to the SOC efficiency workbook.  View Automation Data There are various types of automation data under Automation. At the top, there is a summary of the automation rules activity, like- Incidents closed by automation,