Getting Started with Microsoft Sentinel - Hunt For Threats (Part 2)

By Ashwin Venugopal -

 




To read part 1, please click here




Create a Custom Hunting Query

In order to create a new query:
  1. Select New query.
  2. Fill all the blank fields and choose Create.

    1. Entity mappings can be created by selecting entity types, identifiers, and columns.
    2. Map MITRE ATT&CK techniques to your hunting queries by selecting the tactic, technique, and sub-technique.

To clone and modify existing query

  1. Select the desired hunting query from the table.
  2. Select the ellipses (...) in the line of the query to be modified, and select Clone query.

To modify an existing query

  1. Select the required hunting query from the table. Queries from the custom content can be edited only. Other content sources have to be edited at that source.
  2. Select the ellipses (...) in the line of the query to be modified, and select Edit query.
  3. Now, the Custom query field can be modified with the updated query. The entity mapping techniques can also be modified. 

Create Bookmarks

The unusual and suspicious results can be bookmarked, so that they can be referred in the future. Generally, the events like potential root causes, indicators of compromise, or other notable events are raised as bookmarks. 

  • In the results, the checkboxes for any rows can be marked to preserve. Select Add bookmark to create a record for every marked row, containing the results and the query that created them. Own tags and notes can also be added to each bookmark.

    • Similar to scheduled analytics rules, the bookmarks can be enriched with entity mappings to extract multiple entity types and identifiers, and MITRE ATT&CK technique mappings to use particular tactics and techniques.

    • By default, bookmarks use the same entity and MITRE ATT&CK technique mappings as the hunting query that produced the bookmarked results.

  • Now, click on the Bookmarks tab on the main Hunting page to view all the bookmarked findings and tag them to classify for filtering. 

  • In the details pane, click Investigate to investigate a single bookmarked finding. A listed entity can also be directly selected to view that entity's corresponding entity page.  

An incident can created with the help of one or more bookmarks, or by adding one or more bookmarks to an existing incident.

Use Notebooks to power investigations

Microsoft Sentinel Notebooks are used for more complex hunting and investigations to enhance activity with machine learning, visualizations, and data analysis. They may contain raw data, the code to run on that data, the results, and their visualizations. Notebooks are mostly helpful for large investigations to remember easily, view details, or to save queries and results. 

Jupyter Notebooks are provided to create to create and share notebooks. They are an open-source, interactive development and data manipulation environment, integrated directly in the Microsoft Sentinel Notebooks page. 







To read part 1, please click here

















Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning...
Read more