![]() You have probably written a thousand queries that start with something similar to this – Sometableīut you can filter your time data even before writing the rest of your queries, maybe you want to look at 7 days of data, but only between midnight and 4am. We often forget in Sentinel/KQL that we can apply where causes to time in the same way we would any other data, such as usernames, event ids, error codes or any other string data. Searching all your data for a particular event, then filtering down to the last day will be significantly slower than filtering your data to the last day, then finding your particular event. I always try to remember this graphic when writing queries, Azure Sentinel/Log Analytics is highly optimized for log data, so the quicker you can filter down to the time period you care about, the faster your results will be. Some of the operators worth getting familiar with are – ago, between and timespan. ![]() ![]() We can use logic such as hunting for activities before and after a particular event, look for actions only after an event, or even calculate the time between particular events, and use that as a signal. Perhaps particular administrative actions outside of normal business hours would be an indicator of compromise.Īzure Sentinel and KQL have an array of really great operators to help you manipulate and tune your queries to leverage time as an added resource when hunting. Take for example a user setting up a mail forward in Outlook, that may not be inherently suspicious on its own but if it happened not too long after an abnormal sign on, then that would certainly increase the severity. Often when hunting for threats, a combination of events over a certain time period may be added cause for concern, or events happening at certain times of the day are more suspicious to you. Register for the Microsoft Azure Connected Learning Experience and sign up for the MS-Sentinel cram session today.Adversary hunting would be a lot easier if we were always looking for a single event that we knew was malicious, but unfortunately that isn’t always the case. Manage threats using entity behavior analytics.Use Sentinel workbooks to analyze and interpret data.Configure Security Orchestration Automated Response (SOAR) in Sentinel.Perform data classification and normalization.Plan and implement the use of data connectors for ingesting data sources into Sentinel. ![]()
0 Comments
Leave a Reply. |