What’s new: Hunting dashboard refresh

Published 05-12-2021 05:55 AM
Microsoft

Proactive Threat Hunting

As security analysts and investigators, you want to be proactive about looking for security threats, but your systems and security appliances generate mountains of data that can be difficult to parse and filter into meaningful events. This is where hunting with Azure Sentinel can help.


Hunting Dashboard Refresh

Now in preview, we refreshed the hunting query experience to help you find undetected threats in your environment more quickly. We also provide new ways to identify which hunting results are most relevant to your environment and your desired attack scenarios.


[Image: HD RSA Blog 1.png, the refreshed hunting dashboard]

You can now run all your hunting queries, or a selected subset, in a single click. You can watch the "Result count / queries run" counters to see your progress, which is helpful when running many queries across large data sets.


[Image: HD RSA Blog 2.png, running all hunting queries with the result count / queries run counters]

To get a fine-grained view of which results to examine, you can search for or filter results by specific MITRE ATT&CK techniques. You can also see which results have changed the most in the last 24 hours using the new "results delta" field, which helps you spot spikes of activity that a static result count would hide.


[Image: HD RSA Blog 3.png, filtering hunting results by MITRE ATT&CK technique and results delta]

As you narrow down which queries and results you want to look at, the new MITRE ATT&CK tactic bar totals update to show which tactics apply to the filtered set. This is an easy way to see which tactics show up when you filter by a given result count, a high results delta, or any other combination of filters.


[Image: HD RSA Blog 5.png, the MITRE ATT&CK tactic bar updating as filters are applied]

We are always adding more hunting content, so be sure to check out our GitHub repository (https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries) to see the latest hunting queries. We appreciate your feedback and look forward to growing our hunting community together.
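The technique filter and the tactic bar totals described above are driven by the MITRE ATT&CK metadata attached to each hunting query. The following is an added example, written for this article and not taken from the Azure-Sentinel repository, of a hunting query in the YAML layout the repository's Hunting Queries folder uses: the `tactics` and `relevantTechniques` fields are what the dashboard filters and aggregates on, and the KQL under `query` is the hunt itself. The query logic (password spray or brute force from one IP followed by a successful sign-in from that same IP), the thresholds and the `id` placeholder are assumptions for illustration; the field names, tactic names and the `SigninLogs` columns used are real.

```yaml
# Added example of a hunting query definition; not from the Azure-Sentinel repo.
id: 00000000-0000-0000-0000-000000000000   # placeholder, generate a fresh GUID for a real query
name: Successful sign-in from an IP with many prior failures (example)
description: |
  Hunts for source IPs that produced many failed Azure AD sign-ins in the
  last day and then a successful sign-in, a common shape for password spray
  or brute force that eventually lands on valid credentials.
  The failure threshold (20) is an assumption; tune it to your tenant.
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
# These two fields feed the dashboard's technique filter and tactic bar totals.
tactics:
  - CredentialAccess
  - InitialAccess
relevantTechniques:
  - T1110   # Brute Force
  - T1078   # Valid Accounts
query: |
  let lookback = 1d;
  let failureThreshold = 20;   // assumed threshold, adjust per environment
  // Step 1: IPs with many failed sign-ins. ResultType is a string; "0" means success.
  SigninLogs
  | where TimeGenerated >= ago(lookback)
  | where ResultType != "0"
  | summarize FailedCount = count(),
              FailedUsers = make_set(UserPrincipalName, 20),
              LastFailure = max(TimeGenerated)
          by IPAddress
  | where FailedCount >= failureThreshold
  // Step 2: join to successful sign-ins from the same IP that occurred after the last failure.
  | join kind=inner (
      SigninLogs
      | where TimeGenerated >= ago(lookback)
      | where ResultType == "0"
      | project IPAddress, SuccessTime = TimeGenerated, SuccessUser = UserPrincipalName
    ) on IPAddress
  | where SuccessTime > LastFailure
  | project-reorder IPAddress, FailedCount, FailedUsers, LastFailure, SuccessTime, SuccessUser
  // Entity columns so the hunting UI can bookmark and pivot on account and IP.
  | extend timestamp = SuccessTime, AccountCustomEntity = SuccessUser, IPCustomEntity = IPAddress
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
```

When this query is loaded into a workspace, the dashboard can be filtered to T1110 or T1078 to surface it, and its rows count toward the CredentialAccess and InitialAccess totals in the tactic bar. Because the lookback is one day, a jump in its result count between two runs is exactly the kind of change the results delta field is designed to surface.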


Further Reading

- Hunting capabilities in Azure Sentinel: https://docs.microsoft.com/en-us/azure/sentinel/hunting
- Azure Sentinel Hunting Queries on GitHub: https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries
Last update: May 06 2021 05:07 PM