Forum Discussion
MassiveLoops
Feb 10, 2023Copper Contributor
How can I share hunting query results with non-security persons in my org?
Advanced hunting logs have rich data that can be helpful to my orgs help desk for figuring out things like machines that are causing account lockouts for failed logon events and such. I'd like to share query results with them but not give up the access that security reader or even basic defender data reader custom role gives access to (needed for using the 'share query' feature). Has anyone tried piping results of a query into power bi or some other place in 365 for making the results data available to non-security users to search?
- RobinaIron Contributor
One approach to consider is using a reporting tool such as Microsoft Power BI to present the results of your Advanced Hunting queries in a secure and controlled manner.
Here's how you can set this up:
- Create a Power BI report that connects to the Advanced Hunting logs. You can do this by creating a new Power BI report and selecting the "Advanced Hunting" data source.
- Filter the data to show only the information that you want to share with your help desk. For example, you could create a report that shows only the machines that are causing account lockouts for failed logon events.
- Share the Power BI report with your help desk. You can do this by granting them access to the report through the Power BI service, or by embedding the report in a secure SharePoint site that they have access to.
This way, your help desk will have access to the relevant data without having access to the full Advanced Hunting logs, and you can control who has access to the data and what they can see. Additionally, Power BI provides a powerful and flexible reporting platform that you can use to create custom reports and visualizations, so you can tailor the data to meet the specific needs of your help desk.
- MassiveLoopsCopper Contributor
- RobinaIron Contributor
- To filter and extract the pertinent information from your advanced hunting logs, utilise the Kusto Query Language (KQL). Then, export the information to a CSV or Excel file that can be shared with non-security users. The export operator in KQL can be used for this. The query can also be scheduled to run at predetermined intervals, with the results being sent via email to the appropriate parties. check out here Advanced Hunting
- Create a Power BI report that pulls in data from your advanced hunting logs using the Power BI Desktop application. You can use the "Get Data" feature in Power BI to connect to your log data and create custom visualizations that highlight the relevant information. You can then publish the report to the Power BI service and share it with the appropriate individuals in your organization.
Use Azure Sentinel to create a custom dashboard that displays the results of your advanced hunting queries. You can configure the dashboard to only display the information that is relevant to non-security users, and then share the dashboard with those individuals.