SOLVED

Azure Sentinel Hunting and Github - HAFNIUM

New Contributor

Hello everyone,

I am fairly new to Azure Sentinel and today I was hoping to take advantage of the Hunting queries in GitHub mentioned in this article (https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/).

The problem is I have no idea on how to take something from GitHub (such as this one: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/HAFNIUMSuspiciousExchangeRequestPattern.yaml) and create a new hunting query from it in Sentinel.

This may be something stupid simple but my google-fu has failed me.

Any pointers would be very much appreciated.

3 Replies
best response confirmed by BCSecA (New Contributor)
@BCSecA Whipped this up real quick...let me know if this helps:

How to Deploy a Hunting Query to Azure Sentinel from the GitHub Repository – Azure Cloud & AI Domain Blog (https://azurecloudai.blog/2021/03/03/how-to-deploy-a-hunting-query-to-azure-sentinel-from-the-github-repository/)
Now that I thoroughly feel like a noob, thank you so much for that. That worked like a charm.
No worries at all. I realized after you asked, we don't really cover it anywhere in the docs. And, your question led to others. You're not alone. :)