The official GitHub repository for Azure Sentinel exists at: https://aka.ms/ASGitHub
Deploying collateral from our GitHub repository to your Azure Sentinel instance is essentially a copy/paste operation, the same as for the other content types in the repository. This guidance is specific to Hunting queries.
P.S. There are automated ways to accomplish this, but the manual steps are worth knowing for a basic understanding of what gets deployed. For an automated way, see Wortell's PowerShell module, AzSentinel, in the wortell/AZSentinel repository on GitHub.
How to do it
Locate the Hunting query you want in the GitHub repo and click the "Raw" button on the file's page to view the plain file contents. Copying from the raw view rather than the rendered page ensures you do not pick up hidden characters or formatting from the web page.

In the Hunting blade in Azure Sentinel, click “New Query.”

Using the raw file contents from the GitHub repo, use the following image to match the fields in the file to the Hunting query fields, and then save the query.

The items in the file that are not highlighted in the above image (the query itself is KQL; the surrounding fields are metadata) are useful for guidance and information, but are not needed to create the Hunting query.
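The same field mapping can be scripted. The following PowerShell is an added example for this post, not code from the Azure Sentinel repository or from Wortell's AzSentinel module. It assumes the powershell-yaml module (for ConvertFrom-Yaml) and Az.OperationalInsights are installed, that Connect-AzAccount has already been run, and that the hunting query file uses the repository's usual keys (id, name, description, tactics, relevantTechniques, requiredDataConnectors, query). It fetches the file through the same "Raw" URL the manual steps use, refuses URLs that are not in the official Azure/Azure-Sentinel repository, and then either prints the mapped fields for copy/paste (-WhatIf) or creates the saved search directly. The category name and tag keys used for the saved search are the author's assumption about how the Hunting blade stores queries; verify against an existing hunting query in your workspace before relying on them.

```powershell
# Added example (not from the original post or the Azure Sentinel repository).
# Assumes: powershell-yaml (ConvertFrom-Yaml), Az.OperationalInsights, an
# existing Az login, and the repo's hunting-query YAML keys.

function Get-HuntingQueryFromGitHub {
    param(
        [Parameter(Mandatory)] [string] $RawUrl   # URL behind the "Raw" button
    )
    # Only accept files from the official repository (aka.ms/ASGitHub resolves
    # to github.com/Azure/Azure-Sentinel); anything else is refused.
    if ($RawUrl -notmatch '^https://raw\.githubusercontent\.com/Azure/Azure-Sentinel/') {
        throw "Refusing to fetch from outside the official Azure-Sentinel repo: $RawUrl"
    }
    $yaml = (Invoke-WebRequest -Uri $RawUrl -UseBasicParsing).Content
    $q = ConvertFrom-Yaml $yaml

    # Map the YAML keys to the fields the Hunting blade asks for.
    [pscustomobject]@{
        Id             = $q.id
        Name           = $q.name
        Description    = ($q.description -replace '\s+', ' ').Trim()
        Query          = $q.query
        Tactics        = @($q.tactics) -join ','
        Techniques     = @($q.relevantTechniques) -join ','
        DataConnectors = @($q.requiredDataConnectors | ForEach-Object { $_.connectorId }) -join ','
    }
}

function Import-HuntingQuery {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $RawUrl,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $WorkspaceName
    )
    $hq = Get-HuntingQueryFromGitHub -RawUrl $RawUrl

    # Show the mapping so the reader can compare it with the manual steps.
    $hq | Format-List Id, Name, Description, Tactics, Techniques, DataConnectors | Out-Host

    # Assumption: the Hunting blade lists saved searches in this category and
    # reads description/tactics/techniques from these tag keys.
    $tags = @{
        description = $hq.Description
        tactics     = $hq.Tactics
        techniques  = $hq.Techniques
    }
    if ($PSCmdlet.ShouldProcess($hq.Name, "Create hunting query in workspace $WorkspaceName")) {
        New-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroupName `
            -WorkspaceName $WorkspaceName -SavedSearchId $hq.Id -DisplayName $hq.Name `
            -Category 'Hunting Queries' -Query $hq.Query -Tag $tags -Force
    }
}

# Usage (placeholder path; substitute the Raw URL of the query you located):
# Import-HuntingQuery -RawUrl 'https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Hunting%20Queries/<folder>/<file>.yaml' `
#     -ResourceGroupName 'my-rg' -WorkspaceName 'my-workspace' -WhatIf
```

Run it first with -WhatIf to see the mapped fields without changing the workspace; drop -WhatIf once the mapping matches what you would have pasted by hand. The SavedSearchId reuses the id from the file, so re-running the import for an updated query overwrites the same saved search (-Force) rather than creating a duplicate.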
One thought on “How to Deploy a Hunting Query to Azure Sentinel from the GitHub Repository”