The Microsoft Security Operations Analyst (SC-200) certification exam covers a crucial concept in this domain: ‘Custom Hunting Queries’, built on Azure Sentinel’s hunting functionality. These queries provide a mechanism for analyzing large security datasets efficiently and in a way tailored to your own environment.
Basics of Custom Hunting Queries
Azure Sentinel allows you to create custom hunting queries using the Kusto Query Language (KQL), the same language utilized for log searches in Azure Monitor and Application Insights. You can build and save custom query expressions to proactively hunt for security threats across your organization’s data sources before an alert is triggered.
Creating Custom Hunting Queries
To define a custom hunting query in Azure Sentinel, follow these steps:
- Navigate to Azure Sentinel > Hunting.
- Select New Query.
- Provide a meaningful name and description for your query.
- In the Query field, enter your KQL statement. Make sure your query includes a tabular expression that produces results.
- Optional: Select a tactic that your query aligns with.
- When you’re ready, click Save.
Example KQL statement:
// Identify IP addresses with repeated failed logons (4625) followed by a successful logon (4624)
let timeframe = 1d;
let threshold = 3;
let FailedLogons = SecurityEvent
    | where TimeGenerated >= ago(timeframe)
    | where EventID == 4625
    | summarize FailedCount = count(), LastFailure = max(TimeGenerated) by IpAddress, Account
    | where FailedCount > threshold;
SecurityEvent
| where TimeGenerated >= ago(timeframe)
| where EventID == 4624   // EventID is numeric, so compare against an integer rather than the string "4624;4625"
| join kind=inner FailedLogons on IpAddress, Account
| where TimeGenerated > LastFailure   // the success must come after the run of failures
| project TimeGenerated, IpAddress, Account, FailedCount
How custom hunting queries help in Security Operations
Creating custom hunting queries in Azure Sentinel provides multiple benefits:
- Uncover Hidden Threats: Custom hunting queries let you proactively search across multiple data sources for complex threats.
- Save and Share Queries: Organizations can save custom hunting queries for repeat use and share them across their security operations team.
- Mapping to MITRE ATT&CK® tactics: Azure Sentinel allows you to align your queries to recognized attack tactics, providing more contextual data.
- Use of the Bookmark feature: bookmarks let you mark interesting results while you hunt so you can return to them later.
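The first benefit above, hunting across more than one data source in a single query, is easiest to see with a worked query. The following is an added example and not code from the original page or from Microsoft; it assumes the standard Azure Sentinel schemas for SecurityEvent (EventID, IpAddress, Account) and SigninLogs (ResultType, IPAddress, UserPrincipalName), and the threshold value is illustrative. It unions Windows failed logons with Azure AD failed sign-ins and surfaces source IPs that tried many distinct accounts, the classic password-spray shape:

```kusto
// Added example (not from the original page): one hunt across two data sources.
// Assumed tables/columns follow the standard Sentinel schemas; thresholds are illustrative.
let timeframe = 1d;
let distinct_accounts_threshold = 10;
// Windows failed logons from the Security event log
let failed_windows = SecurityEvent
    | where TimeGenerated >= ago(timeframe)
    | where EventID == 4625
    | project TimeGenerated, SourceIp = IpAddress, TargetAccount = tolower(Account), Source = "SecurityEvent";
// Azure AD failed sign-ins: ResultType "0" means success, anything else is a failure
let failed_aad = SigninLogs
    | where TimeGenerated >= ago(timeframe)
    | where ResultType != "0"
    | project TimeGenerated, SourceIp = IPAddress, TargetAccount = tolower(UserPrincipalName), Source = "SigninLogs";
// Combine both sources into one normalised stream, then aggregate per source IP
union failed_windows, failed_aad
| summarize FailedAttempts = count(),
            DistinctAccounts = dcount(TargetAccount),
            Sources = make_set(Source),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
  by SourceIp
| where DistinctAccounts >= distinct_accounts_threshold   // one IP, many accounts: spray pattern
| extend DurationMinutes = datetime_diff("minute", LastSeen, FirstSeen)
| order by DistinctAccounts desc
```

Because both branches are projected onto the same column names before the union, the summarize step does not care which product produced a given row; the Sources set tells you whether the activity was seen on-premises, in the cloud, or both. Save this as a hunting query, map it to the Credential Access tactic, and bookmark any SourceIp rows worth following up on.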
Remember, writing powerful and effective hunting queries is a continuous learning process that evolves with the security landscape and with changing patterns of threats and intrusions. As a Security Operations Analyst, you must hone these skills not only for the SC-200 certification exam but to master preemptive security analysis and threat hunting in real-world scenarios.
Practice Test
True or False: You can use Kusto Query Language (KQL) to create custom hunting queries in Microsoft Defender for Endpoint.
- Answer: True.
Explanation: KQL is the language you use to query against Microsoft 365 Defender data.
Multiple Select: Which of the following are true regarding creating custom hunting queries?
- a) Only administrators can create custom hunting queries.
- b) KQL is the default language for creating these queries.
- c) Custom hunting queries can be used to gather and analyze different security data.
- d) A custom hunting query can analyze data from only one data source.
Answer: b, c
Explanation: Any security analyst with privileges can create a custom hunt query, not only administrators. Also, a custom hunt query can analyze data from multiple sources.
Single Select: What is the primary use case for creating custom hunting queries?
- a) To delete unnecessary data.
- b) To identify abnormal behavior in your environment.
- c) To add additional data sources.
- d) None of the above.
Answer: b
Explanation: The primary use of custom hunting queries is to dig into the data to identify abnormal behavior and potential threats.
True or False: Custom hunting queries can only be created in Defender for Endpoint.
- Answer: False.
Explanation: Custom hunting queries can be created in most of Microsoft’s security tools, including Microsoft 365 Defender and Defender for Identity.
Multiple Select: Which of the following can be included in a hunting query?
- a) A specific user account.
- b) IP addresses.
- c) Device details.
- d) SharePoint content.
Answer: a, b, c.
Explanation: Hunting queries can include a range of data types, including specific user accounts, IP addresses and device details. SharePoint content would be excluded.
Single Select: For which language does Microsoft provide a reference when creating custom hunting queries?
- a) SQL
- b) Python
- c) KQL
- d) R
Answer: c
Explanation: Microsoft provides a reference for KQL (Kusto Query Language) for creating custom hunting queries.
True or False: You cannot run hunting queries in Azure Sentinel.
- Answer: False.
Explanation: You can indeed run hunting queries in Azure Sentinel to monitor activity across your digital environment.
Single Select: If you want to create a custom hunting query, how many data sources at minimum would you need?
- a) Zero.
- b) One.
- c) Two.
- d) Three.
Answer: b
Explanation: You need to have at least one data source if you want to create a custom hunting query.
True or False: It is not possible to save and reuse custom hunting queries.
- Answer: False.
Explanation: It is possible to save and reuse your custom hunting queries.
Single Select: What role is required to create custom hunting queries in Microsoft 365 Defender?
- a) Global administrator
- b) Security administrator
- c) Security reader
- d) All of the above
Answer: b
Explanation: The Security administrator role is required to create custom hunting queries in Microsoft 365 Defender.
Interview Questions
What is a custom hunting query in relation to Microsoft Security Operations?
A custom hunting query is a personalized set of search parameters run against a data set to analyze security alerts, log files, and other data in Microsoft’s security operations tools.
Which language is used to write custom hunting queries in Microsoft Security?
Kusto Query Language (KQL) is used to write custom hunting queries in Microsoft Security.
Why would an analyst use custom hunting queries?
An analyst would use custom hunting queries to investigate anomalies, inspect specific events, or monitor security threats based on specific parameters tailored to the needs of their organization’s security measures.
What type of data sources can be used to run custom hunting queries?
Data sources like security alerts, log files, registry data, network activity, and others provided by Microsoft Defender for Endpoint and Office 365 can be used to run custom hunting queries.
How can analysts share their custom hunting queries with their team?
Analysts can share their custom hunting queries in Microsoft Threat Protection by saving and exporting the query or by using the “Copy to clipboard” option and then sharing via email or other means.
What is the role of the “Let” statement in Kusto Query Language (KQL)?
The “Let” statement in KQL allows for the definition of a named expression that can be used in subsequent parts of the query to represent complex expressions or constants.
Can Custom hunting queries be scheduled to run at regular time intervals?
No, custom hunting queries cannot be scheduled to run at regular intervals. They need to be manually run by the analyst.
What is the purpose of the where (filter) clause in KQL?
The where clause in KQL limits the data set that is returned to the rows that satisfy the conditions specified in the query.
What is the use of summarizing in custom hunting queries?
Summarizing in custom hunting queries allows the analyst to aggregate data, generate statistics, or perform a calculation on a set of records.
What is a Scalar function in KQL?
Scalar functions in KQL perform an operation on a field value and return a single result value.
How do you save a query in the Advanced hunting section of Microsoft Defender Security Center?
You can save a query by selecting Save query option in the query tab after writing the query.
Can we select a specific time range while running a custom hunting query?
Yes, you can specify a time range for a custom hunting query by adjusting the “Time range” setting at the top of the advanced hunting screen before running the query.
Is there a limit to the number of results returned by a custom hunting query?
Yes, typically by default, a custom hunting query returns a maximum of 10,000 rows per query.
What is the role of the “Project” statement in KQL?
The “Project” statement in KQL is used to select which columns to include, exclude, or rename in the query output.
What is a Tabular expression in KQL?
A Tabular expression in KQL is any expression that returns a table. It can be as simple as the name of a database table or as complex as a sub-query.
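The questions above on the let statement, the where clause, summarize, scalar functions, project and tabular expressions are all illustrated together in the following query. It is an added example, not from the original page or from Microsoft; the Logons table and its rows are constructed inline with datatable so the query runs in any Log Analytics or Kusto query window without a connected data source, and the threshold value is an assumption:

```kusto
// Added example (not from the original page). The Logons table below is constructed sample data.
let threshold = 2;                                  // let: a named scalar constant
let Logons = datatable(TimeGenerated: datetime, EventID: int, Account: string, IpAddress: string)   // let: a named tabular expression (a sub-query)
[
    datetime(2024-01-01 09:00:00), 4625, "alice", "203.0.113.10",
    datetime(2024-01-01 09:00:30), 4625, "alice", "203.0.113.10",
    datetime(2024-01-01 09:01:00), 4625, "Alice", "203.0.113.10",
    datetime(2024-01-01 09:02:00), 4624, "alice", "203.0.113.10",
    datetime(2024-01-01 09:05:00), 4625, "bob",   "198.51.100.7",
    datetime(2024-01-01 09:06:00), 4624, "bob",   "198.51.100.7"
];
Logons                                              // tabular expression: the named table is the query's starting point
| where EventID == 4625                             // where: keep failed logons only
| extend AccountKey = tolower(Account)              // scalar function: normalise case so "alice" and "Alice" aggregate together
| summarize FailedCount = count(),                  // summarize: aggregate per account and source IP
            FirstFailure = min(TimeGenerated),
            LastFailure = max(TimeGenerated)
  by AccountKey, IpAddress
| where FailedCount >= threshold                    // where on an aggregated column, reusing the let constant
| extend WindowSeconds = datetime_diff("second", LastFailure, FirstFailure)   // scalar function over two columns
| project AccountKey, IpAddress, FailedCount, WindowSeconds                   // project: choose, order and name the output columns
| order by FailedCount desc
```

On the constructed rows this returns a single row for alice from 203.0.113.10 with FailedCount 3 and WindowSeconds 60; bob has only one failure and is dropped by the threshold filter. Without the tolower call the "Alice" row would form its own group with a count of 1 and the account would fall below the threshold, which is why normalising identity fields before summarizing matters in real hunts.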