Azure Sentinel Daily Task: Hunting Queries and Bookmarks

This is part of a continuing series in relation to the Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel, which outlines tasks for security analysts. In this article, I’ll talk about investigating incidents as part of a daily regimen for an Azure Sentinel analyst. There’s deeper discussions and training that’s required to get a good handle on the ins-and-outs of working with Azure Sentinel. I won’t dig deep into those here, but instead give an overview for this specific daily task.

For customers that want deeper dives for Azure Sentinel, you have a few options:

  1. Sift through our docs platform.
  2. Contact your TAM and ask for me by name. 🙂
  3. Use the following link to access a reference page for our Level-400 training: https://aka.ms/SentinelNinja

In fact, this particular blog series is being developed into a workshop on its own and will also cover the additional, deeper knowledge for taking next steps.

NOTE: Depending on the size of the SOC, the daily task covered here is generally associated with a Tier 1 or Tier 2 analyst. For smaller teams, or environments where there is no dedicated security team, this task may be distributed to anyone who has capability to perform it. BUT, this task should definitely be performed daily.

Digging In

In addition to performing Investigations daily, a Sentinel analyst will want to dig through the list of available Hunting queries to see if there are signs of potential threats.

(click on each image for a larger view)

Notice in the image that there are “gold stars” shown in the Hunting query display. These are Hunting queries that have been identified prior by the analyst as “favorites” or queries that are important to the environment that contain information deemed critical to monitor (It’s easy to set favorite queries just by clicking the star). Every time the analyst accesses the Hunting blade in the Azure Sentinel console these specific queries run automatically, providing the ability to the analyst to perform a quick review of the Results column.

From here, the analyst will want to View Results of the queries that show data returns.

From the query Results window, the analyst will want to search through, find items of interest, select them using the checkboxes, and then create Bookmarks that can be used to investigate or assign to another tier analyst.

After creating the Bookmarks for later review, the analyst may want to execute any Playbooks that have been pre-created and designed to handle any of the specific Hunting results.

Finally, the analyst should review existing Bookmarks to verify age and if new Incidents need to be created.

Again, for customers that want deeper dives for Azure Sentinel, either sift through our docs platform or contact your TAM and ask about our Azure Sentinel workshop/POC.

Authors