Forum Discussion

MassiveLoops's avatar
MassiveLoops
Copper Contributor
Feb 10, 2023

How can I share hunting query results with non-security persons in my org?

Advanced hunting logs have rich data that can be helpful to my orgs help desk for figuring out things like machines that are causing account lockouts for failed logon events and such. I'd like to share query results with them but not give up the access that security reader or even basic defender data reader custom role gives access to (needed for using the 'share query' feature). Has anyone tried piping results of a query into power bi or some other place in 365 for making the results data available to non-security users to search?

  • Robina's avatar
    Robina
    Iron Contributor

    MassiveLoops 

    One approach to consider is using a reporting tool such as Microsoft Power BI to present the results of your Advanced Hunting queries in a secure and controlled manner.

    Here's how you can set this up:

    • Create a Power BI report that connects to the Advanced Hunting logs. You can do this by creating a new Power BI report and selecting the "Advanced Hunting" data source.
    • Filter the data to show only the information that you want to share with your help desk. For example, you could create a report that shows only the machines that are causing account lockouts for failed logon events.
    • Share the Power BI report with your help desk. You can do this by granting them access to the report through the Power BI service, or by embedding the report in a secure SharePoint site that they have access to.

    This way, your help desk will have access to the relevant data without having access to the full Advanced Hunting logs, and you can control who has access to the data and what they can see. Additionally, Power BI provides a powerful and flexible reporting platform that you can use to create custom reports and visualizations, so you can tailor the data to meet the specific needs of your help desk.

    • MassiveLoops's avatar
      MassiveLoops
      Copper Contributor

      Robina thank you for the tip! So, are you talking about making a data source like this in this link or is there some inherent source that I can use. I don't see any "Advanced Hunting" data source when making a new report.

      • Robina's avatar
        Robina
        Iron Contributor

        MassiveLoops  

        • To filter and extract the pertinent information from your advanced hunting logs, utilise the Kusto Query Language (KQL). Then, export the information to a CSV or Excel file that can be shared with non-security users. The export operator in KQL can be used for this. The query can also be scheduled to run at predetermined intervals, with the results being sent via email to the appropriate parties. check out here Advanced Hunting 
        • Create a Power BI report that pulls in data from your advanced hunting logs using the Power BI Desktop application. You can use the "Get Data" feature in Power BI to connect to your log data and create custom visualizations that highlight the relevant information. You can then publish the report to the Power BI service and share it with the appropriate individuals in your organization.
        • Use Azure Sentinel to create a custom dashboard that displays the results of your advanced hunting queries. You can configure the dashboard to only display the information that is relevant to non-security users, and then share the dashboard with those individuals.

         

         

Resources