One crucial skill for a security operations analyst is running hunting queries manually to proactively identify, investigate, and stop potential threats before an alert fires. Candidates preparing for the SC-200 Microsoft Security Operations Analyst exam should have a good understanding of this capability.

Before you dive into running hunting queries manually, you need a working knowledge of the Kusto Query Language (KQL): the read-only query language used against Microsoft’s large-scale data platforms such as Azure Monitor Logs (the Log Analytics store behind Microsoft Sentinel), Azure Data Explorer (ADX), and the advanced hunting schema in Microsoft Defender.

Let’s look at running hunting queries manually in each of the three tools the exam covers.


1. Running hunting queries manually in Microsoft Defender for Endpoint:

Microsoft provides a library of hunting queries in the Microsoft Defender Security Center (now the Microsoft 365 Defender portal) under Advanced hunting, which security analysts can use to search their organization’s device data for potential threats. You can run these shared queries as-is, modify them, or write your own custom queries from scratch in the query editor.

For instance, you might want to search for every occurrence of a specific event type as follows:

```kql
DeviceEvents
| where ActionType == 'AntivirusDetection'
```

In this simple example, the query reads the DeviceEvents table and keeps only the rows whose ActionType is AntivirusDetection, that is, every antivirus detection Defender for Endpoint has recorded across your onboarded devices within the 30-day advanced hunting retention window. Details such as the threat name and whether remediation succeeded live in the AdditionalFields JSON column of each row, so a practical hunt usually parses that column rather than stopping at the filter.
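The following query is an added example, not code from the original page or from Microsoft’s shared query library. It extends the antivirus filter above into something an analyst would actually run: it parses the ThreatName, WasRemediated and WasExecutingWhileDetected fields out of AdditionalFields (field names as documented for the AntivirusDetection action type), keeps only detections that were not cleaned up or that were already running when caught, and joins a per-device count so repeat offenders sort first. Timestamp, DeviceId and ReportId are kept in the projection because a custom detection rule requires them; the 7-day lookback is an assumption you should tune.

```kql
// Added example (not from the original page): unremediated or already-executing
// antivirus detections over the last 7 days, with a per-device repeat count.
let lookback = 7d;                        // assumption: tune to your hunt
let av = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "AntivirusDetection"
    // AdditionalFields is a JSON string; parse it once and pull out the verdict fields
    | extend Parsed = parse_json(AdditionalFields)
    | extend ThreatName = tostring(Parsed.ThreatName),
             WasRemediated = tobool(Parsed.WasRemediated),
             WasExecutingWhileDetected = tobool(Parsed.WasExecutingWhileDetected);
// how many detections each device produced in the window, regardless of outcome
let repeat_devices = av
    | summarize DetectionsOnDevice = count() by DeviceId;
av
// treat a missing remediation flag as "not remediated" rather than silently dropping the row
| where isnull(WasRemediated) or WasRemediated == false or WasExecutingWhileDetected == true
| join kind=inner repeat_devices on DeviceId
// Timestamp, DeviceId and ReportId are mandatory columns for a custom detection rule
| project Timestamp, DeviceId, DeviceName, ReportId, ThreatName, FileName, FolderPath, SHA256,
          WasRemediated, WasExecutingWhileDetected, DetectionsOnDevice,
          InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
| order by DetectionsOnDevice desc, Timestamp desc
```

Because the result set still carries Timestamp, DeviceId and ReportId, the same query can be saved from the Advanced hunting page as a custom detection rule and scheduled, turning a manual hunt into a continuous detection without rewriting it.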

2. Running hunting queries in Azure Sentinel:

Azure Sentinel (now Microsoft Sentinel) also uses Kusto Query Language (KQL) for hunting queries, run against the tables in its Log Analytics workspace. The Hunting page lets security analysts run prepackaged hunting queries or write their own under New query, and bookmark interesting rows for an investigation.

For instance, here’s how you might construct a hunting query to find sign-ins that Azure AD Identity Protection rated as risky. Note that SigninLogs has no RiskyIPAddress column; the risk verdict is exposed through RiskLevelDuringSignIn, with the individual detections (for example an anonymized or malicious IP address) listed in RiskEventTypes:

```kql
SigninLogs
| where RiskLevelDuringSignIn in ("medium", "high")
| project TimeGenerated, UserPrincipalName, IPAddress, RiskLevelDuringSignIn, RiskEventTypes, ResultType
```

Remember, each table in KQL (SigninLogs, DeviceEvents, and so on) holds a different kind of collected data, `where` is the operator that filters the rows the table returns, and the pipe (`|`) passes the output of one operator into the next.
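The query below is an added example, not part of the original page or of Microsoft Sentinel’s built-in hunting queries. Rather than listing risky sign-ins one per row, it keeps only the risky sign-ins that succeeded (ResultType "0"), extracts the country from the LocationDetails JSON, and rolls the results up per user and hour, so an account being used from several IP addresses or countries stands out. It assumes the Azure Active Directory data connector is feeding SigninLogs; the risk columns are only populated when Identity Protection is licensed, and the 24-hour window is an assumption.

```kql
// Added example (not from the original page): risky sign-ins that nevertheless succeeded,
// summarized per user per hour. Assumes SigninLogs is populated by the Azure AD connector.
SigninLogs
| where TimeGenerated > ago(24h)                          // assumption: tune the window
| where RiskLevelDuringSignIn in ("medium", "high")        // Identity Protection real-time verdict
| where ResultType == "0"                                  // "0" = the sign-in succeeded
| extend Country = tostring(LocationDetails.countryOrRegion),
         City = tostring(LocationDetails.city)
| summarize SignIns = count(),
            DistinctIPs = dcount(IPAddress),
            IPs = make_set(IPAddress, 20),
            Countries = make_set(Country, 10),
            Apps = make_set(AppDisplayName, 10),
            RiskDetections = make_set(RiskEventTypes, 10),
            StillAtRisk = countif(RiskState == "atRisk")   // risk not yet remediated or dismissed
  by UserPrincipalName, bin(TimeGenerated, 1h)
| order by DistinctIPs desc, SignIns desc
```

Rows with a high DistinctIPs or more than one country in a single hour are the ones to bookmark and pivot on; the StillAtRisk count tells you whether Identity Protection has already closed the loop on that user.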

3. Running hunting queries in Microsoft 365 Defender:

Microsoft 365 Defender also uses Kusto Query Language for advanced hunting. Its schema includes the same Device* tables as Defender for Endpoint plus tables from Defender for Office 365 (Email*), Defender for Identity (Identity*) and Defender for Cloud Apps (CloudAppEvents), so one query can pivot across email, identity, cloud app and endpoint data during an in-depth investigation.

For example, to look for emails with attachments that were flagged as malware and blocked, you could use the following query. The older MalwareFilterVerdict column has been retired: the malware verdict for an attachment now lives in ThreatTypes, and whether the message was blocked is recorded as DeliveryAction in EmailEvents, so the two tables are joined on the message ID and recipient:

```kql
EmailAttachmentInfo
| where ThreatTypes has "Malware"
| join kind=inner (EmailEvents | where DeliveryAction == "Blocked") on NetworkMessageId, RecipientEmailAddress
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, FileName, SHA256, ThreatNames, DeliveryAction
```

Just like in Azure Sentinel, each table in these queries holds a specific type of recorded data; here the Email* tables come from Defender for Office 365, while the Device* tables are the same Defender for Endpoint data used in section 1.
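The cross-domain query below is an added example, not code from the original page or from Microsoft. Blocked malware is the easy case; the hunt that matters is for attachments flagged as malware that were nevertheless delivered. The query finds those messages, then pivots on the attachment’s SHA256 into DeviceFileEvents to see whether the file was written to disk on any onboarded device. Rows with an empty SHA256 are excluded on both sides so the join cannot match on a blank hash; the 7-day lookback is an assumption.

```kql
// Added example (not from the original page): malware attachments that were delivered,
// joined to endpoint file events by hash to see where the file actually landed.
let lookback = 7d;                                   // assumption: tune to your hunt
let delivered_malware =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where ThreatTypes has "Malware"
    | where isnotempty(SHA256)                        // never join on a blank hash
    | join kind=inner (
        EmailEvents
        | where Timestamp > ago(lookback)
        | where DeliveryAction == "Delivered"         // got past the filters
        | project NetworkMessageId, RecipientEmailAddress, Subject, SenderFromAddress, DeliveryLocation
      ) on NetworkMessageId, RecipientEmailAddress
    | project MailTime = Timestamp, NetworkMessageId, RecipientEmailAddress, SenderFromAddress,
              Subject, FileName, SHA256, ThreatNames, DeliveryLocation;
delivered_malware
| join kind=leftouter (
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("FileCreated", "FileModified")
    | where isnotempty(SHA256)
    | project FileTime = Timestamp, DeviceName, FolderPath, SHA256, InitiatingProcessFileName
  ) on SHA256
| extend LandedOnEndpoint = isnotempty(DeviceName)   // leftouter keeps mails with no endpoint hit
| project-away SHA2561                                // drop the duplicated right-side join key
| order by LandedOnEndpoint desc, MailTime desc
```

Rows where LandedOnEndpoint is true are the ones to act on first: the message can be soft-deleted from the mailbox from the email results, and the device isolated or the file quarantined from the same Advanced hunting page.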

Comparing the Methodologies:

The main difference between running hunting queries in Microsoft Defender for Endpoint, Azure Sentinel, and Microsoft 365 Defender lies in the data sources and capabilities of each platform. Microsoft Defender for Endpoint focuses on device data (the Device* tables), while Microsoft 365 Defender’s advanced hunting extends that same schema with data from Defender for Office 365, Defender for Identity and Defender for Cloud Apps, so a single query can pivot from an email attachment to the endpoint where it landed. Azure Sentinel, now Microsoft Sentinel, is the broader SIEM: it ingests data from sources inside and outside Microsoft’s ecosystem through connectors into a Log Analytics workspace (including the Defender advanced hunting tables, if you connect them), so its hunting scope is whatever you have connected, and its table names differ (SigninLogs rather than IdentityLogonEvents, for example).

Remember, the entire purpose of these hunting queries is to let you spot patterns, identify potential threats that no alert has surfaced yet, and stay proactive in securing your systems. With a proficient knowledge of KQL and the manual execution of hunting queries, you will be well equipped to protect your organization’s data effectively.

As you prepare for your SC-200 Microsoft Security Operations Analyst exam, consider these points, practice creating, and running manual hunting queries, until you’re comfortable using these techniques to help keep your network secure.

Practice Test

True or False: Because an analyst triggers them on demand, manually run hunting queries by themselves provide constant supervision of the environment.

  • True
  • False

Answer: False

Explanation: A manually run query only covers the moment you run it. It gives you immediate, interactive insight into a potential threat, but constant coverage comes from turning a proven query into a custom detection rule (Defender) or a scheduled analytics rule (Sentinel), which runs it on an interval and raises alerts without an analyst at the keyboard.

In the Microsoft Defender and Sentinel tools covered by SC-200, which option is correct about running a hunting query manually?

  • A) It runs automatically without any user intervention.
  • B) It requires a user to write (or select) the query and run it.
  • C) The query only runs when the system detects potential threats.
  • D) None of the above.

Answer: B) It requires a user to write (or select) the query and run it.

Explanation: Running a hunting query manually means an analyst authors or picks the KQL query and executes it on demand; nothing runs until the analyst does so.

True or False: Running hunting queries manually once a day is sufficient for best security practices.

  • True
  • False

Answer: False

Explanation: Point-in-time manual runs leave gaps whatever their cadence. Once a query has proven its worth, schedule it as a custom detection rule or a Sentinel analytics rule so it runs continuously, and keep manual hunting for exploratory work.

The query language used for hunting queries in Microsoft Defender is:

  • A) SQL
  • B) Python
  • C) Kusto Query Language
  • D) Java

Answer: C) Kusto Query Language

Explanation: Microsoft Defender uses the Kusto Query Language (KQL) for writing hunting queries.

When running a hunting query manually, what must a security analyst ensure?

  • A) That all security patches have been applied
  • B) That the correct query language is used
  • C) That the query execution time is minimized
  • D) All of the above

Answer: B) That the correct query language is used

Explanation: A hunting query only returns useful results if it is valid KQL against the right schema: correct operators, correct table and column names (for example DeviceEvents and ActionType), and a sensible time filter.

True or False: Running hunting queries manually eliminates the need for automated security systems.

  • True
  • False

Answer: False

Explanation: Manual queries can supplement automated systems, but should not replace them. Both have their own advantages and should be used in tandem for a comprehensive security solution.

Running hunting queries manually can help in detecting which of the following?

  • A) Unusual sign-in activity
  • B) Suspicious mail forwarding rules
  • C) Unusual file shares
  • D) All of the above

Answer: D) All of the above

Explanation: Running hunting queries manually can help detect any anomalous or potentially harmful activities within a system, including unusual sign-ins, suspicious forwarding rules, and unexpected file shares.

True or False: Hunting queries can only be run manually.

  • True
  • False

Answer: False

Explanation: While hunting queries can be run manually for maximum situational control, they can also be scheduled: a Defender advanced hunting query can be saved as a custom detection rule, and a Sentinel query as a scheduled analytics rule, for continuous monitoring.

What is typically the first step in running a hunting query manually?

  • A) Implementing error handling procedures
  • B) Checking system logs
  • C) Creating a new hunting query
  • D) Setting up automatic notifications for potential threats

Answer: C) Creating a new hunting query

Explanation: The first step in running a hunting query manually is usually to create a new hunting query following the correct syntax and requirements.

True or False: Running hunting queries manually does not assist in threat hunting activities.

  • True
  • False

Answer: False

Explanation: In fact, running hunting queries manually is a critical part of threat hunting activities. It allows analysts to proactively find and mitigate potential security threats.

Interview Questions

How can you run hunting queries manually in Microsoft Defender for Endpoint?

You can run hunting queries manually using the built-in Advanced hunting feature (Hunting > Advanced hunting in the Microsoft 365 Defender portal): type or paste a KQL query into the editor, set the time range, and select Run query.

What query language does Microsoft Defender’s Advanced hunting feature use?

Microsoft Defender’s Advanced hunting feature uses Kusto Query Language (KQL) to run hunting queries.

Which tab within Defender for Endpoint allows you to run hunting queries manually?

The ‘Advanced hunting’ tab within Defender for Endpoint allows you to run hunting queries manually.

Can hunting queries in Microsoft Defender for Endpoint be saved or shared?

Yes. On the Advanced hunting page, queries can be saved under “My queries” for your own use or under “Shared queries” so other members of your organization’s security team can run and edit them, which supports collaborative hunting.

If you create a custom detection rule, what kind of alert does it generate in Microsoft Defender?

If you run a successful hunting query and save it as a custom detection rule, each match generates an alert in the Microsoft 365 Defender portal with the severity, category and MITRE ATT&CK technique you configured on the rule, and the rule can also trigger automated response actions (for example isolating a device or quarantining a file). The query must return Timestamp, ReportId and at least one entity identifier such as DeviceId for the rule to be accepted.

What is the use of hunting queries in Microsoft Defender?

Hunting queries are used to find activity that alerts have not already surfaced: suspicious process, network, file, registry, sign-in and email events, signs of a known attacker technique, or the blast radius of an incident you are already investigating (which devices saw a given hash, which users received a given message).

How quickly are hunting query results displayed in Microsoft Defender?

When a hunting query is run manually, results for a well-scoped query typically appear within seconds, allowing immediate assessment. Advanced hunting stops any query that runs longer than 10 minutes, so narrow the time range (for example, `| where Timestamp > ago(7d)`) and filter early in the query.

Is there a limit to the length of a hunting query in Microsoft Defender for endpoint?

Yes, the maximum length of a hunting query in Microsoft Defender for endpoint is 131072 characters.

What types of data sources can you hunt over in Microsoft Defender?

In Microsoft Defender, you can hunt over process creation events (DeviceProcessEvents), network connections (DeviceNetworkEvents), file modifications (DeviceFileEvents), logon events (DeviceLogonEvents), registry changes (DeviceRegistryEvents), loaded images (DeviceImageLoadEvents), device inventory (DeviceInfo), miscellaneous events such as antivirus detections (DeviceEvents), and, in Microsoft 365 Defender, email, identity and cloud app tables as well.

Can hunting queries be scheduled in Microsoft Defender for Endpoint?

Not as ad hoc queries: what you type in the editor runs only when you run it. However, you can save a query as a custom detection rule, which runs it automatically on a chosen frequency (every 24, 12, 3 or 1 hours, or continuously in near real time) and raises alerts on matches.

How many days’ worth of data can you access with hunting queries in Microsoft Defender?

With hunting queries in Microsoft Defender, you can access up to 30 days of raw event data; for longer retention, stream the advanced hunting tables to Microsoft Sentinel or another store.

How can you modify a hunting query in Microsoft Defender?

To modify a hunting query in Microsoft Defender for endpoint, you can use the Advanced hunting tab, select a saved query, and make changes using KQL.

Can you export hunting query results in Microsoft Defender?

Yes, you can export the results of your hunting queries in Microsoft Defender to a CSV file for further analysis.

Can you use hunting queries in Microsoft Defender to remediate threats?

Yes, if a hunting query identifies a potential threat, you can take immediate action to remediate it directly from the advanced hunting interface.

Which tab in Defender for Endpoint should you use to pick up ready-made threat hunting queries?

Queries are not “installed”. On the Advanced hunting page, the Queries pane has “My queries”, “Shared queries” and “Community queries” (the last loaded from Microsoft’s public GitHub repository); open one, select Run query, and save your own variants under My queries or Shared queries.
