Scheduled queries in Azure Sentinel are Kusto Query Language (KQL) queries that run on a set schedule to search for specific conditions. When these queries result in a match – like a threat detection or suspicious behavior – an incident is created. These scheduled queries, also referred to as analytics rules, are a vital component in automating the threat detection process in your Azure environment.
Configuring Custom Scheduled Queries
Follow this process to create and configure a custom scheduled query:
Step 1: Create a New Analytics Rule
The first step in setting up a new scheduled query is to establish a new analytics rule. This is done by:
- Navigate to ‘Azure Sentinel’.
- Click ‘Analytics’ under the ‘Configuration’ section.
- Click ‘Create’ and then select ‘Scheduled query rule’.
Step 2: Configure Rule Details
Fill out general information for the new rule such as:
- Name: The title of your rule.
- Description: Details about what the rule is for.
- Severity: The severity level assigned to incidents the rule creates (High, Medium, Low, Informational).
- Status: Toggle whether the rule is enabled or disabled.
Step 3: Configure the Scheduled Query
In the ‘Set rule logic’ tab, fill out:
- Tactics: The stage in the kill chain that your rule addresses.
- Query: The KQL query that will search for your rule condition.
- Run query every: How often the query runs (the query frequency).
- Query Period: The lookback window of data each run evaluates (the query period).
Here is an example of a scheduled query that checks for any failed sign-ins in the past hour; set ‘Run query every’ to 5 minutes and the query period to 1 hour so the lookback in the query matches the rule’s period. In SigninLogs, ResultType is a string column and “0” means success, so the comparison is against the string “0”:
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"
Step 4: Configure Alert Details
Specify your alert grouping and the threshold for triggering an alert.
- Grouping: Choose how many alerts are created – per rule, or per group.
- Threshold: Define a limit for how many matches in a certain time frame will trigger an alert.
Step 5: Response Automation
Optionally, link Playbooks to your rule to define the automated response when the rule is triggered.
Step 6: Review and Create
Review your new rule and verify that all details are accurate. If they are, click “Create”.
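As an added example (not from the original page or from Microsoft’s documentation), the following KQL extends the failed sign-in query from Step 3 into a detection that aggregates failures per user and source IP over the lookback window and applies a threshold inside the query, which is what you would pair with the ‘Alert details’ threshold from Step 4. The lookback and threshold values are assumptions to tune per environment; the SigninLogs columns used (TimeGenerated, ResultType, UserPrincipalName, IPAddress) are standard.

```kusto
// Added example: repeated failed sign-ins per user and source IP.
// Rule settings assumed: Run query every = 5 minutes, Query period = 1 hour.
// The ago(lookback) filter must match the rule's query period so no window is skipped.
let lookback = 1h;                 // assumed lookback; match the rule's Query Period
let failureThreshold = 10;         // assumed threshold; tune to your environment
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"          // "0" = success; any other code is a failure
| summarize FailedCount = count(),
            FailureCodes = make_set(ResultType, 10),   // distinct error codes seen
            FirstFailure = min(TimeGenerated),
            LastFailure = max(TimeGenerated)
    by UserPrincipalName, IPAddress
| where FailedCount >= failureThreshold
| project FirstFailure, LastFailure, UserPrincipalName, IPAddress, FailedCount, FailureCodes
| order by FailedCount desc
```

Before saving the rule, run the query in the Logs blade against real data to check the volume of results at the chosen threshold; a threshold that is too low produces noisy incidents, while one that is too high misses slow, low-rate attempts. Keeping UserPrincipalName and IPAddress in the output lets you map them to the Account and IP entities in the rule so analysts get the affected user and source on the incident itself.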
Scheduled queries enable you to customize your security monitoring and fine-tune Azure Sentinel’s automatic detection systems. As an SC-200 Microsoft Security Operations Analyst, you should be able to create and configure custom scheduled queries to fit your monitoring needs. Review and update your scheduled queries periodically to ensure they remain relevant as threats evolve.
Practice Test
True or False: Custom scheduled queries are not supported in Microsoft Azure.
- True
- False
Answer: False
Explanation: Custom scheduled queries are fully supported in Microsoft Azure. These can be used for tasks like regular status monitoring and problem detection.
What is the main function of configuring custom scheduled queries in Microsoft Azure?
- A. Automate data backup
- B. Provide instant alert on any security breach
- C. Regularly analyze data with custom conditions
- D. Increase storage capacity
Answer: C. Regularly analyze data with custom conditions
Explanation: The primary purpose of configuring scheduled queries in Microsoft Azure is to analyze datasets at regular intervals based on custom conditions.
True or False: You cannot save and share custom scheduled queries in Azure Monitor logs.
- True
- False
Answer: False
Explanation: Azure Monitor Logs not only allows you to create custom scheduled queries, but also lets you save them for future use and share them with others.
Can you create a custom schedule that allows a query to run every weekday at a specific time in Azure Monitor logs?
- A. Yes
- B. No
Answer: A. Yes
Explanation: Azure Monitor Logs allows you to create a custom schedule where you can run queries at specific intervals including each weekday at a particular time.
True or False: Only the owner of a custom scheduled query can modify it.
- True
- False
Answer: False
Explanation: In Azure, a custom scheduled query can be modified by not only the owner but also the team members with appropriate permissions.
How can you access custom scheduled queries in Azure?
- A. Through Azure Dashboard
- B. By running a script
- C. Using Azure Monitor Logs
- D. All of the above
Answer: C. Using Azure Monitor Logs
Explanation: You primarily access and manage custom scheduled queries from Azure Monitor Logs.
True or False: The results of a custom scheduled query can trigger an alert.
- True
- False
Answer: True
Explanation: The results of a custom scheduled query can indeed trigger an alert. This means if a certain condition is met or breached, an alert will be sent for further action.
Custom scheduled queries are useful for:
- A. Large volume data analysis
- B. Regular monitoring of datasets
- C. Generating regular reports
- D. All of the above
Answer: D. All of the above
Explanation: Custom scheduled queries facilitate the analysis of large amounts of data, regular monitoring of datasets based on conditions, and automated regular reporting.
True or False: In order to schedule a query, you must save your query as a function.
- True
- False
Answer: True
Explanation: Before you can schedule a query, you need to save it as a function. This allows you to reuse it and share it with your team members.
Which Azure service would you use to perform custom scheduled queries?
- A. Microsoft Azure SQL Database
- B. Microsoft Azure Cosmos DB
- C. Microsoft Azure Data Lake
- D. Microsoft Azure Log Analytics
Answer: D. Microsoft Azure Log Analytics
Explanation: Microsoft Azure Log Analytics is the service that provides functionality to analyze data across various sources, which includes the ability to configure custom scheduled queries.
You can use Kusto Query Language (KQL) to write custom scheduled queries in Azure.
- A. True
- B. False
Answer: A. True
Explanation: Kusto Query Language, or KQL, is used to query Azure Monitor Logs, where users can create custom scheduled queries.
How often can you schedule a query to run in Azure Log Analytics?
- A. Once a day
- B. Every hour
- C. Every minute
- D. All of the above
Answer: D. All of the above
Explanation: Depending on your requirements, you can schedule a query to run as often as once a minute, every hour, or once a day in Azure Log Analytics.
Can custom scheduled queries be set to send emails when certain conditions are met?
- A. Yes
- B. No
Answer: A. Yes
Explanation: Scheduled queries can be configured to send email alerts when the query results meet certain specified conditions.
True or False: Custom scheduled queries can be used to troubleshoot and diagnose issues.
- True
- False
Answer: True
Explanation: Custom scheduled queries can indeed be used to detect and diagnose issues, as they allow for the regular analysis of data and can alert users when certain conditions are met.
Deploying a custom log alert involves specifying a query to run at which frequency?
- A. Weekly
- B. Daily
- C. Monthly
- D. User-defined frequency
Answer: D. User-defined frequency
Explanation: Deploying a custom log alert means defining a query and scheduling it to run at a user-defined frequency. Its results can also be set to trigger an alert if certain conditions are met.
Interview Questions
What is the purpose of configuring custom scheduled queries in Microsoft Security Operations?
Custom scheduled queries are typically used for monitoring, troubleshooting, and alerting in security operations. They help automate repetitive tasks, detect anomalies, and provide insight into security performance.
How can you create a custom scheduled query in Microsoft Azure Log Analytics?
In Azure Log Analytics, you can create a custom scheduled query by selecting ‘Log Management’, then ‘Logs’ and creating a new query. Once you’ve defined your query, you can schedule it by selecting ‘Schedule query’ from the ‘New alert rule’ pane.
What is the prerequisite to configure custom scheduled queries in Microsoft?
To configure a custom scheduled query, you should have write permissions for the resource group in Microsoft Azure where you’ll create and store the resource for the alert rule.
Can alerts be created based on the results of custom scheduled queries in Log Analytics?
Yes, you can configure alerts based on the results of custom scheduled queries in Log Analytics. These alerts can be triggered when conditions defined in the queries are met.
What actions can be associated with alerts?
Alert actions may include sending emails or SMS messages, invoking Azure Functions, calling webhook URLs, and executing Logic Apps.
Are there limitations to how often a custom log query can run in Azure Monitor?
Yes. The shortest possible interval for running a custom log query is 5 minutes for metric alerts and 1 minute for log alerts.
How many clauses are present in a Kusto Query Language (KQL) statement required to schedule a query?
A Kusto Query Language (KQL) statement that’s required for scheduling a query consists of two main clauses: the data source and the filter condition.
What is the purpose of time range in log queries for scheduling?
The time range in log queries determines the window of data the query evaluates each time it is executed. Matching it to the alert rule’s schedule is important so that each run covers the intended data and the rule triggers accurately.
How can scheduled logs be viewed in Log Analytics?
In Log Analytics, to view scheduled query results, go to ‘Alerts’, click on the specific alert, and scroll to the ‘Query results’ section.
Can you modify a scheduled query after it is created?
Yes. After creating a scheduled query, you can modify it by navigating to the specific alert under the ‘Alerts’ tab in Log Analytics and clicking ‘Edit alert’.
What is a primary key in Log Analytics scheduled queries?
A primary key in Log Analytics scheduled queries is usually a field that uniquely identifies a log record. Primary keys are often used to correlate records in different tables.
What is the role of aggregation in scheduled queries?
Aggregation in scheduled queries is used to summarize data over a specific time period. This can help to reduce the number of data points for easier analysis and reporting.
How can you test the configuration of a custom scheduled query?
You can test a custom scheduled query by running it in the Logs blade of the Azure portal. This will simulate the evaluation of the alert rule and show you the query results.
How long does Azure Monitor retain log data by default?
Azure Monitor Log Analytics service retains log data for 31 days by default.
What is the cost of Azure Monitor Log Analytics service?
The cost of Azure Monitor Log Analytics service is typically based on the volume of data ingested and the length of data retention. Check official Microsoft Azure pricing for detailed pricing information.