How to Evolve the SOC with Azure Sentinel: Hunting Queries

The evolution of the Security Operations Center (SOC) is important. This process is key to enabling your security teams and your security tools to work more efficiently and more intelligently. Without it, your security operations become stagnant and incapable of addressing new threats.

As you know, I spend a lot of time working with and educating our customers about Azure Sentinel. Many of the conversations we have are around SOC efficiency, and it somewhat shocks me to hear how their old, legacy tools have made them complacent and, more often than not, incapable of evolving. I’ve worked with a lot of customers who have entered the stagnation phase I alluded to in the first paragraph – to the point of becoming desensitized to new threats.

So, I want to spend a series of blog posts talking about SOC evolution and the various areas in Azure Sentinel that make this operation seamless and less painful. I always enjoy it when, at the end of this conversation, customers are impressed enough to incorporate evolution and efficiency back into their security operations. That’s a big win for everyone.

This post’s focus is about turning Hunting queries into Analytics Rules.

Did you know you can quickly and easily turn a Hunting query into an Analytics Rule?

Why do you want to do this? Well, think about it. Over time, you will develop new Hunting queries to identify potential new threats in your environment. These new threats could have been reported in the news, on blog sites, by a security person on Twitter – by whoever or whatever you have identified as a trusted source. But, as part of your process for Hunting, you need to answer the BIG FOUR questions:

  1. Does it exist?
  2. Where does it exist?
  3. Why does it exist?
  4. How do we respond?

After developing your method and building your response, you run the Hunting query you’ve concocted periodically to surface this data, allowing you to monitor for the threat’s existence. Over time, you may find as part of this procedure that some of the Hunting queries you created become more important for your overall security monitoring. The data that is returned is consistent and constant. It’s not always a compromise, an intrusion, or a direct threat, but it’s important enough that you want to blend it into your normal alerting and investigation system.

In that case, you can eliminate specific Hunting queries from your manual monitoring operations and turn them into automated analysis. By doing this, the Hunting query takes on the role of an Analytics Rule, which runs automatically on a schedule, looks through a specific, defined range of data, and can even apply an automated response (using Playbooks).


Here’s how to do it…

  1. Locate the Hunting query you want to turn into an Analytics Rule and right-click on it.
  2. Choose “Create analytics rule”.

Found it!

  3. Run through and complete the Analytics Rule wizard. Note that the General tab information and the KQL query (rule logic) are automatically transferred to the wizard, so you don’t have to recreate everything you’ve worked hard to develop.

Running through the Analytics Rule wizard

  4. Go back to the Hunting blade, right-click, and delete the old Hunting query. You may decide not to delete the original Hunting query, and that’s OK. Some customers keep them around to use as templates for future Hunting queries. Personally, I choose to delete it. It’s an OCD thing where I have to have everything neat and in order. But, you do you.

Removing the old Hunting query
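The wizard does this conversion for you in the portal. As an added example (not from this post, and not Microsoft's code), here is the same transformation done in Python: it takes a constructed saved Hunting query and produces the body of a Scheduled Analytics Rule, and it applies the one scheduling sanity check worth knowing about, namely that the lookback period must be at least as long as the run frequency or events land in windows no run ever queries. Field names assume the Microsoft.SecurityInsights/alertRules (kind Scheduled) ARM schema, and HUNTING_QUERY is a constructed sample.

```python
import re
import uuid

# Constructed sample of a saved Hunting query (display name, KQL body, MITRE
# tactics); illustrative only, not a query from the post.
HUNTING_QUERY = {
    "displayName": "Member added to a privileged group",
    "query": ("SecurityEvent\n| where EventID in (4728, 4732)\n"
              "| summarize count() by TargetUserName, bin(TimeGenerated, 1h)"),
    "tactics": ["PrivilegeEscalation", "Persistence"],
}

_ISO = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")

def iso8601_minutes(duration: str) -> int:
    """Convert a Sentinel-style ISO 8601 duration (PT5M, PT1H, P1D) to minutes."""
    m = _ISO.match(duration)
    if not m or duration in ("P", "PT"):
        raise ValueError(f"unsupported duration: {duration}")
    days, hours, mins = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins

def schedule_problem(frequency: str, period: str):
    """Return None if the schedule is sane, else a message saying why not."""
    freq, look = iso8601_minutes(frequency), iso8601_minutes(period)
    if look < freq:  # lookback shorter than the run interval leaves unmonitored gaps
        return "queryPeriod must be >= queryFrequency"
    if freq < 5 or look > 14 * 1440:  # Sentinel limits: >= 5 minutes, <= 14 days
        return "queryFrequency must be >= PT5M and queryPeriod <= P14D"
    return None

def hunting_to_scheduled_rule(hq: dict, *, frequency="PT1H", period="PT1H",
                              severity="Medium", threshold=0) -> dict:
    """Body of a Microsoft.SecurityInsights/alertRules resource, kind Scheduled."""
    problem = schedule_problem(frequency, period)
    if problem:
        raise ValueError(problem)
    return {
        "name": str(uuid.uuid4()),  # alert rule resource names are GUIDs
        "kind": "Scheduled",
        "properties": {
            "displayName": hq["displayName"], "query": hq["query"],
            "queryFrequency": frequency, "queryPeriod": period,
            "triggerOperator": "GreaterThan", "triggerThreshold": threshold,
            "severity": severity, "tactics": hq.get("tactics", []),
            "enabled": True, "suppressionEnabled": False, "suppressionDuration": "PT5H",
        },
    }
```

A threshold of 0 with GreaterThan means any row returned by the KQL raises an alert, which is the same default the wizard starts from; raise it once you know the query's normal volume.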

By automating a hunt, you’ve effectively improved efficiency and helped evolve the SOC, making it more intelligent and enabling it to work better with the way your specific environment requires.

I’ve seen many customers take full advantage of Azure Sentinel’s SOC evolution processes and build something very unique to the environment that matches exactly what . Azure Sentinel is like the tofu of security tools. It’s a platform that transforms and grows. Based on the data you decide to ingest, the analytics rules you create and enable, the automation you supply, and a multitude of other things – utilize Azure Sentinel for 3 months and your implementation will look very different from any other implementation in the world. And that’s a good thing. What other tool can adapt to you like that?

If you’re interested in hearing about more efficiency value with Azure Sentinel specific to Hunting operations, I recently delivered a session on Achieving SOC Operational Efficiency for Azure Sentinel Hunting.

[Want to discuss this further? Hit me up on Twitter or LinkedIn]
