How to Decipher the Active/Total/New Hunting Queries in Azure Sentinel

Have you ever wondered what the following breakdown in the Hunting blade in Azure Sentinel means?

Huh?

During our live stream of the Microsoft Security Insights podcast Frank asked me about this and it bugged me that I didn’t have an answer. It bugged me so much that I had to dig into it to have a proper response for next time someone asks.

So, here’s the scoop…

The 183 number is the number of Hunting queries I have in my environment that can be run using the Run All Queries option.

The 210 number is the total number of queries. See the discrepancy? Why can’t I run all 210 queries in my environment?

The Hunting feature in Azure Sentinel is smart enough to recognize when I don’t have specific data sources in my environment and will skip running those to help with efficiency and performance.

For example, I’m not monitoring GitHub with Azure Sentinel, hence, (see the following image) I don’t have the GitHubAudit table, hence this query is not necessary for me to use.

Make sense?

Don’t have it

Lastly, the 1 number in the Hunting query breakdown shows the number of new Hunting queries created in the last 30 days. You can click on the new queries number and it will filter the Hunting query results to show just those newly available queries.

Just the new ones

=========================

[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Azure Sentinel Newsletter]

Author