How to Deploy a Hunting Query to Azure Sentinel from the GitHub Repository

The official GitHub repository for Azure Sentinel exists at: https://aka.ms/ASGitHub

Deploying collateral from our GitHub repository to your Azure Sentinel instance is very similar in that it is a copy/paste operation. This guidance is specific to the Hunting query.

P.S. There’s automated ways to accomplish this, but it’s also a good thing to know for basic understanding. For an automated way, see Wortell’s PowerShell module: AZSentinel/AzSentinel at master · wortell/AZSentinel (github.com)

How to do it

Locate a Hunting query you want in the GitHub Repo. Click the “Raw” button on the page to “sanitize” the code. Sanitizing code ensures there’s no hidden characters or bad formatting.

Sanitizing the code

In the Hunting blade in Azure Sentinel, click “New Query.”

New query

Using the sanitized code from the GitHub repo, use the following image (click to enlarge it) to match code information to Hunting query fields and then save the query.

Copy/paste matched fields

The items in the code (KQL) that I’ve not highlighted in the above image are important for guidance and information, but not used for creating the actual Hunting query.

=========================

[Want to discuss this further? Hit me up on Twitter or LinkedIn]

Author

One thought on “How to Deploy a Hunting Query to Azure Sentinel from the GitHub Repository