

Microsoft Sentinel has powerful hunting search and query tools to hunt for security threats across your organization's data sources.

For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.

As security analysts and investigators, you want to be proactive about looking for security threats, but your various systems and security appliances generate mountains of data that can be difficult to parse and filter into meaningful events.

To help security analysts look proactively for new anomalies that weren't detected by your security apps or even by your scheduled analytics rules, Microsoft Sentinel's built-in hunting queries guide you into asking the right questions to find issues in the data you already have on your network.

For example, one built-in query provides data about the most uncommon processes running on your infrastructure. You wouldn't want an alert each time they are run - they could be entirely innocent - but you might want to take a look at the query on occasion to see if there's anything unusual.

The hunting dashboard provides ready-made query examples designed to get you started and get you familiar with the tables and the query language. Built-in hunting queries are developed by Microsoft security researchers on a continuous basis, both adding new queries and fine-tuning existing queries to provide you with an entry point to look for new detections and figure out where to start hunting for the beginnings of new attacks.

Queries run on data stored in log tables, such as for process creation, DNS events, or other event types.

Use queries before, during, and after a compromise to take the following actions:

Before an incident occurs: Waiting on detections is not enough. Take proactive action by running any threat-hunting queries related to the data you're ingesting into your workspace at least once a week. Results from your proactive hunting provide early insight into events that may confirm that a compromise is in process, or will at least show weaker areas in your environment that are at risk and need attention.

During a compromise: Use livestream to run a specific query constantly, presenting results as they come in. Use livestream when you need to actively monitor user events, such as if you need to verify whether a specific compromise is still taking place, to help determine a threat actor's next action, and towards the end of an investigation to confirm that the compromise is indeed over.

After a compromise: After a compromise or an incident has occurred, make sure to improve your coverage and insight to prevent similar incidents in the future.
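As an added illustration of the rare-process style of hunt described on this page (this query is written for this page as an example and is not one of Microsoft Sentinel's built-in hunting queries), the following KQL ranks process names seen in Windows process-creation events by how many distinct hosts ran them and surfaces the rarest ones. It assumes the SecurityEvent table populated by the Windows Security Events connector (EventID 4688, with the Computer, NewProcessName and CommandLine columns); the 7-day lookback and the host-count threshold of 2 are arbitrary tuning values chosen for this example.

```kusto
// Added example hunting query (not a Microsoft-supplied built-in query).
// Idea: a process that runs on only one or two hosts in a fleet is worth a
// human look, even though it is far too noisy to alert on every execution.
let lookback = 7d;                 // assumption: one week of process-creation data
let rareHostThreshold = 2;         // assumption: "rare" = seen on <= 2 distinct hosts
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4688            // Windows "a new process has been created"
// Keep only the executable name, lower-cased, so paths and case don't split counts
| extend ProcessName = tolower(tostring(split(NewProcessName, "\\")[-1]))
| where isnotempty(ProcessName)
| summarize
    HostCount         = dcount(Computer),
    RunCount          = count(),
    FirstSeen         = min(TimeGenerated),
    LastSeen          = max(TimeGenerated),
    SampleHost        = take_any(Computer),
    SamplePath        = take_any(NewProcessName),
    SampleCommandLine = take_any(CommandLine)
    by ProcessName
| where HostCount <= rareHostThreshold
| order by HostCount asc, RunCount asc, FirstSeen desc
| take 50
```

Run it from the Logs page or save it as a custom hunting query; FirstSeen and SampleCommandLine give the analyst enough context to triage a row without opening each event, and because the query is a single read-only statement over one table it is also suitable for livestream during an investigation, where the same query re-runs as new 4688 events arrive.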
