6/30/2023
Azure Sentinel

Microsoft Sentinel gives you flexibility as you zero in on the right set of hunting queries to investigate your hypothesis. When you create a hunt, initiate it with preselected hunting queries or add queries as you progress. Here are recommendations for preselected queries based on the most common hypotheses.

With a well-established base of queries installed, running all your queries is the recommended method for identifying potentially malicious behaviors. Navigate to the Hunting page Queries tab. Select Run All queries and wait for the queries to execute. Select Add filter > Results, unselect the checkboxes for the "!", "N/A", "-", and "0" values, and select Apply. Sort these results by the Results Delta column to see what has changed most recently. These results provide initial guidance on the hunt.

Content hub offers threat campaign and domain-based solutions to hunt for specific attacks. For example, install the "Log4J Vulnerability Detection" or the "Apache Tomcat" solutions from Microsoft. Once installed, create a hunt directly from the solution by selecting the package > Actions > Create hunt (preview). Alternatively, search for queries from these solutions in the Hunting Queries tab, searching by solution name or filtering by the Source Name of the solution. If you already have a hunt started, select Add to existing hunt (Preview) to add the queries from the solution to an existing hunt.

The MITRE ATT&CK map helps you identify specific gaps in your detection coverage. Use predefined hunting queries for specific MITRE ATT&CK techniques as a starting point to develop new detection logic. Navigate to the MITRE ATT&CK (Preview) page. Unselect items in the Active drop-down menu. Select Hunting queries in the Simulated filter to see which techniques have hunting queries associated with them. Select the card with your desired technique. Select the View link next to Hunting queries at the bottom of the details pane. This link takes you to a filtered view of the Queries tab on the Hunting page based on the technique you selected. Select all the queries for that technique.

There are two primary ways to create a hunt. If you've started with a hypothesis where you've selected queries, select the Hunt actions drop-down menu > Create new hunt. All the queries you selected are cloned for this new hunt.