Getting Started with Microsoft Sentinel - Hunt For Threats (Part 2)


To read part 1, please click here

Create a Custom Hunting Query

To create a new query:
  1. Select New query.
  2. Fill in the name, description and the custom KQL query, then select Create.
    1. Entity mappings are created by selecting an entity type, an identifier, and the result column that carries it (for example, an Account entity mapped to a UserPrincipalName column).
    2. Map MITRE ATT&CK techniques to the hunting query by selecting the tactic, technique, and sub-technique.

To clone and modify an existing query

  1. Select the desired hunting query from the table.
  2. Select the ellipsis (...) on the row of the query to be cloned, and select Clone query. Cloning is the way to adapt a query from a non-editable content source (such as a built-in Microsoft query): the copy lands in the Custom content source, where it can be edited freely.

To modify an existing query

  1. Select the required hunting query from the table. Only queries from the Custom content source can be edited in place; queries from other content sources have to be edited at that source.
  2. Select the ellipsis (...) on the row of the query to be modified, and select Edit query.
  3. The Custom query field can now be updated with the revised KQL. The entity mappings and the MITRE ATT&CK technique mappings can also be changed here.
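The following KQL is an added example, not a query from the original post or from the Microsoft Sentinel content hub, of the kind of text that goes into the Custom query field. It hunts for a password-spray pattern in the Azure AD SigninLogs table: a source IP that fails against several accounts and then signs in successfully. It assumes the Azure AD data connector is enabled so that SigninLogs is populated; the thresholds (10 failures, 5 distinct users, 1 day lookback) are illustrative and should be tuned to the tenant. The final two columns exist so that, in the New query pane, the Account entity can be mapped to AccountCustomEntity and the IP entity to IPCustomEntity, and the query would be tagged with the Credential Access tactic and technique T1110 (sub-technique T1110.003, Password Spraying).

```kql
// Added example: password-spray hunting query for the Custom query field.
// Assumes SigninLogs is ingested via the Azure AD connector; thresholds are illustrative.
let lookback = 1d;
let failure_threshold = 10;
let user_threshold = 5;
// Step 1: source IPs with a burst of failed sign-ins across several accounts.
// 50126 = invalid username or password, 50053 = account locked.
let failures = SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType in ("50126", "50053")
| summarize FailedAttempts = count(),
            DistinctUsers = dcount(UserPrincipalName),
            FirstFailure = min(TimeGenerated),
            LastFailure = max(TimeGenerated)
            by IPAddress
| where FailedAttempts >= failure_threshold and DistinctUsers >= user_threshold;
// Step 2: successful sign-ins (ResultType 0) in the same window.
let successes = SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"
| project SuccessTime = TimeGenerated, IPAddress, UserPrincipalName, AppDisplayName, Location;
// Step 3: a success from a spraying IP after its failure burst began is the notable event.
failures
| join kind=inner successes on IPAddress
| where SuccessTime > FirstFailure
| project SuccessTime, IPAddress, UserPrincipalName, AppDisplayName, Location,
          FailedAttempts, DistinctUsers, FirstFailure, LastFailure
| order by SuccessTime desc
// Columns to select when configuring entity mappings in the New query pane:
//   Account -> AccountCustomEntity, IP -> IPCustomEntity
| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
```

Each row this returns is a good candidate for a bookmark: the entity mappings travel with it, and the FailedAttempts and FirstFailure columns give the note-taking context an investigator needs. Before saving the query, run it over the full lookback and check that the thresholds do not flag legitimate shared egress points such as VPN concentrators or proxies, which routinely show many users behind one IP.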

Create Bookmarks

Unusual or suspicious results can be bookmarked so that they can be referred to later. Typically, events such as potential root causes, indicators of compromise, or other notable findings are preserved as bookmarks.

  • In the results, select the checkbox of each row to preserve. Select Add bookmark to create a record for every selected row, containing the result and the query that produced it. Tags and notes can be added to each bookmark.
    • As with scheduled analytics rules, bookmarks can be enriched with entity mappings, which extract multiple entity types and identifiers, and with MITRE ATT&CK mappings to particular tactics and techniques.

    • By default, bookmarks use the same entity and MITRE ATT&CK technique mappings as the hunting query that produced the bookmarked results.

  • Select the Bookmarks tab on the main Hunting page to view all bookmarked findings and tag them for classification and filtering.

  • In the details pane, select Investigate to open the investigation graph for a single bookmarked finding. A listed entity can also be selected directly to view that entity's entity page.

An incident can be created from one or more bookmarks, or one or more bookmarks can be added to an existing incident.

Use Notebooks to power investigations

Microsoft Sentinel notebooks are used for more complex hunting and investigations, extending the work with machine learning, visualizations, and data analysis. A notebook can contain raw data, the code that runs on that data, the results, and their visualizations. Notebooks are most helpful for large investigations, where they keep the steps taken reproducible, preserve the details, and store queries and results together.

Jupyter Notebooks are used to create and share notebooks. Jupyter is an open-source, interactive development and data-manipulation environment, integrated directly into the Microsoft Sentinel Notebooks page.
