Tutorial / Cram Notes
Before diving into manual query execution, it’s vital to comprehend what hunting queries are. They’re typically written in a query language, such as Kusto Query Language (KQL), and are used to search, aggregate, and analyze data from various sources like logs, network data, and other telemetry.
Kusto Query Language (KQL)
Kusto Query Language is the primary language utilized in Azure Sentinel, Microsoft’s cloud-native SIEM (Security Information and Event Management) platform. KQL allows analysts to write complex queries to filter through large volumes of data efficiently.
Running Hunting Queries in Azure Sentinel
To run a hunting query manually in Azure Sentinel, you follow these steps:
- Navigate to Azure Sentinel: Access the Azure portal, locate Azure Sentinel, and select the appropriate workspace.
- Access Hunting: In the Azure Sentinel navigation pane, click on “Hunting” to access the pre-built and custom queries.
- Select or Create a Query: You can choose from existing hunting queries or create a new one by selecting “+ Add new query”.
- Modify the Query (If Needed): Before running, you can modify the query to adjust its scope or to target specific entities.
- Run the Query: Execute the query by clicking “Run” to start the search process.
- Analyze the Results: Once the query completes, analyze the results to identify any potential security issues.
Example of a Hunting Query
To illustrate, here is a simple example of a hunting query that searches for any login attempts that have failed multiple times within the last 24 hours:
```kusto
SigninLogs
| where ResultType != "0" // any non-success result code; "0" is a successful sign-in
| where TimeGenerated >= ago(24h)
| summarize Count = count() by UserPrincipalName
| where Count > 5 // looking for more than 5 failed attempts per account
```
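The following is an added example, not part of the original notes, that builds on the query above: it groups failures per account and source IP in hourly bins and then uses the `join` operator to surface accounts that failed repeatedly and later succeeded from the same IP, which is the kind of result an analyst would triage. Column names follow the standard `SigninLogs` schema; the 24h window and the threshold of 5 failures are assumptions.

```kusto
// Added example (not from the original notes). The lookback window and the
// failure threshold are assumptions; adjust them to the tenant being hunted.
let lookback = 24h;
let failThreshold = 5;
// Bursts of failed sign-ins per account, source IP and hour.
let failures =
    SigninLogs
    | where TimeGenerated >= ago(lookback)
    | where ResultType != "0"                          // any non-success result code
    | summarize FailedCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated),
                ResultTypes = make_set(ResultType)     // which error codes were seen
      by UserPrincipalName, IPAddress, Hour = bin(TimeGenerated, 1h)
    | where FailedCount >= failThreshold;
// Successful sign-ins in the same window.
let successes =
    SigninLogs
    | where TimeGenerated >= ago(lookback)
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated, AppDisplayName;
// kind=inner keeps every matching pair; the default kind (innerunique)
// would silently drop duplicate left-side rows.
failures
| join kind=inner successes on UserPrincipalName, IPAddress
| where SuccessTime > LastFail                         // success came after the burst of failures
| project UserPrincipalName, IPAddress, Hour, FailedCount, ResultTypes,
          LastFail, SuccessTime, AppDisplayName
| order by FailedCount desc
```

Rows returned here are leads for investigation, not confirmed compromises; a helpdesk password reset followed by a successful login from the user's own IP will match too, so check the source IP and application before escalating.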
Comparative Hunting Queries
Security analysts may need to run comparative queries to understand patterns and anomalies over time. Below is a table that contrasts two different hunting queries, showing how queries can be tailored for distinct investigative purposes:
| Purpose | Query |
|---|---|
| Failed Logins Detection | `SigninLogs \| where ResultType != "0" \| where TimeGenerated >= ago(24h)` |
| Anomaly Detection (Outliers in Resource Access) | `let counts = AuditLogs \| where OperationName == "Access resource" \| summarize Count = count() by ResourceId; let threshold = toscalar(counts \| summarize percentile(Count, 95)); counts \| where Count > threshold` |

Note that `percentile()` is an aggregation function and cannot be called directly inside a `where` clause; the second query therefore computes the 95th-percentile threshold first with `toscalar()` and then filters the per-resource counts against it.
Best Practices for Manual Hunting Queries
When running hunting queries manually, consider the following best practices to improve efficiency and accuracy:
- Understand the Data Sources: Familiarize yourself with the types of data available and the schema of the datasets you are querying.
- Use the Right Filters: Apply filters judiciously to focus your search on the most relevant data points.
- Leverage Aggregations and Summarization: Summarize data to get a clear picture of trends and patterns.
- Continuously Improve Queries: As you identify new threats or false positives, refine your queries to enhance their precision.
- Documentation: Document your findings and the rationale behind the query adjustments to maintain a record of the investigative process.
Conclusion
In the realm of security operations, the skill to construct and run hunting queries manually is invaluable. The SC-200 exam underscores the importance of understanding how to write effective KQL queries, interpret the results, and customize queries to fit the investigative needs of the security analyst. By employing these manual hunting techniques, security professionals can proactively detect and address threats, reinforcing the organization’s overall security posture.
Practice Test with Explanation
True or False: In Microsoft 365 Defender, you can create custom hunting queries using Kusto Query Language (KQL).
- A) True
- B) False
Answer: A) True
Explanation: Custom hunting queries can indeed be created using Kusto Query Language within the Microsoft 365 Defender portal to search for potential security threats across data sources.
What type of data sources can be queried using hunting queries in Microsoft 365 Defender?
- A) Email data
- B) Device data
- C) Network data
- D) All of the above
Answer: D) All of the above
Explanation: Hunting queries in Microsoft 365 Defender can be used to query across multiple data sources such as email, device, and network data to identify threats.
Which of the following is not a capability of hunting queries in Microsoft 365 Defender?
- A) Scheduled execution
- B) Real-time alerts
- C) Exporting results to a CSV file
- D) Automatic remediation actions based solely on the query results
Answer: D) Automatic remediation actions based solely on the query results
Explanation: While hunting queries can help identify threats, they do not automatically trigger remediation actions without further analysis or confirmation of the threat.
True or False: Hunting queries in Microsoft 365 Defender are limited to pre-defined templates and cannot be customized.
- A) True
- B) False
Answer: B) False
Explanation: Users are not limited to pre-defined templates and can create custom hunting queries to meet specific needs.
How often can you schedule hunting queries to run in Microsoft 365 Defender?
- A) Hourly
- B) Daily
- C) Weekly
- D) Cannot be scheduled; must be run manually
Answer: B) Daily
Explanation: In Microsoft 365 Defender, you can schedule hunting queries to run on a daily basis.
True or False: To run a hunting query manually, you must have the appropriate permissions assigned within Microsoft 365 Defender.
- A) True
- B) False
Answer: A) True
Explanation: Appropriate permissions are required to run hunting queries manually in Microsoft 365 Defender, ensuring that only authorized personnel can execute and view results from such queries.
In the context of Microsoft 365 Defender, what is the purpose of running hunting queries?
- A) To generate compliance reports
- B) To hunt for potential security threats and anomalous behavior
- C) To configure security policies and access controls
- D) To check for software updates and patches
Answer: B) To hunt for potential security threats and anomalous behavior
Explanation: The primary purpose of running hunting queries is to proactively search for possible security issues and unusual activities that may indicate a threat.
True or False: Results from hunting queries in Microsoft 365 Defender can be shared directly with Azure Sentinel for further analysis.
- A) True
- B) False
Answer: A) True
Explanation: Results from hunting queries can be shared with Azure Sentinel, allowing for a deeper and more integrated analysis across security tools.
What is the role of threat intelligence in crafting hunting queries in Microsoft 365 Defender?
- A) To inform query syntax and structure
- B) To provide contextual information and indicators related to known threats
- C) To enforce security policies and compliance
- D) Threat intelligence is not used in hunting queries
Answer: B) To provide contextual information and indicators related to known threats
Explanation: Threat intelligence plays a key role in crafting effective hunting queries by providing relevant context and indicators of compromise associated with known security threats.
Which of the following statements is true regarding hunting queries in Microsoft 365 Defender?
- A) They can only be executed during off-peak hours.
- B) They may produce false positives that require further investigation.
- C) They automatically block threats without the need for manual intervention.
- D) Only a single result set can be returned from each hunting query.
Answer: B) They may produce false positives that require further investigation.
Explanation: While hunting queries are a powerful tool for identifying potential threats, they may also yield false positives, necessitating additional scrutiny.
True or False: It is recommended to run hunting queries against as much historical data as possible to ensure no threat is missed.
- A) True
- B) False
Answer: B) False
Explanation: While it is important to run hunting queries against relevant historical data, querying excessively large datasets may lead to performance issues and is not always practical or necessary. Queries should be balanced between depth of history and performance.
Great post! The breakdown on running manual hunting queries was super helpful.
I love the detailed steps provided for creating KQL queries. Really useful for the SC-200 exam prep.
One thing I noticed is the importance of understanding data tables and their schemas. Any tips on memorizing these?
How often should we practice these queries to stay effective in the role?
Is it true that KQL is case-sensitive in certain parts? Can someone elaborate on this?
This blog post is one of the best resources I’ve come across. Thanks a lot!
I’m struggling with understanding the JOIN operator in these queries. Could someone explain how it works?
Thanks for sharing such valuable information on manual hunting queries!