Azure Sentinel Hunting and Github - HAFNIUM

Hello everyone,

I am fairly new to Azure Sentinel and today I was hoping to take advantage of the Hunting queries in GitHub mentioned in this https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/.

The problem is I have no idea on how to take something from GitHub (https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/HAFNIUMSuspiciousExchangeRequestPattern.yaml) and create a new hunting query from it in Sentinel.

This may be something stupid simple but my google-fu has failed me.

Any pointers would be very much appreciated.

Rod_Trent
Mar 03, 2021
BCSecA Whipped this up real quick...let me know if this helps:

How to Deploy a Hunting Query to Azure Sentinel from the GitHub Repository – Azure Cloud & AI Domain Blog

3 Replies

Rod_Trent
Microsoft
Mar 03, 2021
BCSecA Whipped this up real quick...let me know if this helps:

How to Deploy a Hunting Query to Azure Sentinel from the GitHub Repository – Azure Cloud & AI Domain Blog
- BCSecA
  Copper Contributor
  Mar 03, 2021
  Now that I thoroughly feel like a noob thank you so much for that. That worked like a charm.
  - Rod_Trent
    Microsoft
    Mar 03, 2021
    No worries at all. I realized after you asked, we don't really cover it anywhere in the docs. And, your question led to others. You're not alone. 🙂

Forum Discussion

Azure Sentinel Hunting and Github - HAFNIUM

3 Replies

Resources