Azure Sentinel Hunting is based on queries. It allows for manual, proactive investigation of possible security threats in the ingested data, as well as retroactive investigation of attacks and root cause analysis. Hunting consists of several capabilities:
- Queries: Microsoft provides several built-in queries, and you can also create custom queries. Once a query is created, you can convert it into an analytic rule that runs on a schedule.
- Bookmarks: Let you save items discovered across queries, workbooks, and other activities for later investigations or incidents.
- Livestream: Live, interactive sessions that use queries and return results in real time as events occur.
- Notebooks: Provide guided, step-by-step hunting and investigation workflows that can be reused.
Queries are written in Kusto Query Language (KQL). They range from very simple queries to extremely complex ones built for specific use cases. To get started, in the Azure Sentinel portal, go to Hunting. You can run one or all of the built-in queries, or click New Query to create a custom query.
When building a query, if you are not familiar with the data available in Azure Sentinel, you can use the left side of the page to view the available tables and filters, which helps you write the correct query. While typing, you are given an ISE-like editing experience to help define your query. In addition to the built-in queries provided by Microsoft, there are many examples on GitHub and other online sources. Having some idea of what you are hunting for will help when drafting these queries.
While queries help discover activity that has already occurred and been ingested, hunting with livestream lets you create an interactive session and actively run queries to find the activities you are searching for, malicious or not. When an alert occurs, you receive an Azure Portal notification. Each session can also be turned into an analytic alert rule by clicking Elevate to alert.
At some point in your Azure Sentinel journey, the built-in and community-provided queries may not meet your organizational requirements or cover the specific use case you are hunting for, and you will have to write a query yourself. Azure Sentinel uses KQL, the Kusto Query Language. A KQL query is a read-only request to process data and return results.
Azure Sentinel and KQL primarily use tabular expression statements, which are compositions of data sources (tables), data operators (filters such as where), and rendering operators (such as count). Each step of the pipeline is separated by the pipe character (|). Most of the syntax, particularly table names, is case-sensitive.
Query Best Practices
Creating your own queries from scratch can be a daunting and intimidating task. The following suggestions are best practices for getting started. There are many other best practices and preferred ways to go about creating queries. While these certainly apply to all queries, simple and complex, they are meant for those who are just starting to learn the language and will help prevent an overwhelming feeling of complexity until you are more comfortable with it.
- Start small. Building a massive multi-line query from scratch will lead to syntax errors and other issues.
- Build your query one line at a time and continue to add filters as needed.
- Run your query as you build it to validate that you are obtaining the intended data.
- Use limit or count at the end to validate the number of results.
- Remove the limit or count when you are satisfied with the results.
- Apply time filters first, directly after the table selection or in the first where filter.
- Filter on tables or columns, not on operators or on calculated columns produced by expressions.
- Do not use wildcard (*) characters, or limit their use.
- Combine two simple queries with the join operator rather than attempting one more complex query.
- Use comments (//) to make notes about your query.
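The following hunting query is an added example, not part of the original post, that applies the practices above: a time filter directly after the table, filters on columns only, no wildcards, two simple queries combined with join, comments, and a limit at the end while validating results. It assumes the SigninLogs table (Azure AD sign-ins) is ingested into the workspace; the 1-day window and the failure threshold of 10 are constructed values to adjust for your environment.

```kusto
// Added example: failed sign-ins from one IP address followed by a successful
// sign-in from the same address within the window (assumes SigninLogs is ingested).
//
// Simple query 1: IP addresses with many failed sign-ins.
// Time filter comes first, then filters on table columns.
let failed = SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType != "0"                       // non-zero ResultType = failure
    | summarize FailedCount = count(),
                FailedUsers = make_set(UserPrincipalName)
        by IPAddress
    | where FailedCount >= 10;                      // constructed threshold
// Simple query 2: successful sign-ins in the same window.
let success = SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == "0"
    | project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName;
// Combine the two simple queries with join instead of one complex query.
failed
| join kind=inner success on IPAddress
| project TimeGenerated, IPAddress, FailedCount, FailedUsers,
          UserPrincipalName, AppDisplayName
| sort by FailedCount desc
| limit 50                                          // remove once satisfied with the results
```

Each IP address that appears in the output had at least 10 failed sign-ins and at least one successful sign-in in the last day; reviewing the FailedUsers set against the successful UserPrincipalName shows whether the success belongs to one of the accounts that was failing.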
However, if you do wish to have some guidance and assistance, Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft best practices while maintaining a secure and productive environment. You can find out more in the Security section of our website.