Changes in How Running Hunting Queries Works in Azure Sentinel

Unless you’re in the Azure Sentinel console every single day talking about all existing features with customers like I am, you may have missed a slight change in the UI and in operation.

Up until a short while ago, when you went into the Hunting blade in the Azure Sentinel console and clicked the “Run all queries” option, literally ALL available Hunting queries (pages and pages of them) would run. This changed not long ago so that only the queries on the currently displayed page run. To run every available Hunting query now, you have to page through the list and rerun the option for each page’s set of queries.

Pages and pages, oodles and oodles

This was a bit confusing since “Run all queries” still seemed to suggest you could RUN ALL QUERIES.

So, the action option has now been renamed to reflect what the capability actually does. It now says… “Run displayed queries.”

Small change

Personally, I still believe the option to RUN ALL QUERIES should be available. This gives the Hunting analyst the ability to continually update their purview with the queries that produce results to watch for anomalies. There’s discussion about this…
