What's New: Livestream for Azure Sentinel is now released for General Availability

We are happy to announce that Livestream for Azure Sentinel is now released for General Availability (GA)!
Microsoft

What is Azure Sentinel Livestream? 

 

Livestream lets you run queries that refresh every 30 seconds and notifies you of any new results.  Creating a livestream enables you to (1) test newly created queries as events occur, (2) receive notifications from a session when a match is found, (3) promote a livestream to a detection rule to generate incidents in the future, (4) quickly launch investigations if necessary. You can quickly create a livestream session using any Log Analytics query.

 

How do I get started?

 

Create a livestream session:

In the Azure portal, navigate to Sentinel > Threat management > Hunting.

Select the Livestream tab.

Select “+ New livestream” to start a new livestream.

 

[Animation: start_ls.gif]

 

Query:

SecurityEvent
| where EventID == 4625

 

In this query we’re asking Azure Sentinel to stream all Windows logon events in this workspace where the event ID is 4625 (an account failed to log on). As you can see, we’re getting a lot of events here, and they’re refreshed every 30 seconds by the livestream.

 

Quickly launch an investigation:

Launch an investigation in the investigation graph directly from your livestream by creating a bookmark from the livestream results.

 

[Animation: bookmark.gif]

 

Create a new detection:

If livestream shows activity that deviates from the baseline threshold of your environment, select “Create analytics rule” to promote your livestream query to a detection analytics rule. The rule then generates incidents, so you are prepared to respond in the future.
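As an added example (not part of the original post), this is how the post's 4625 query could be shaped before promoting it to an analytics rule: it groups failed logons per target account and source IP in 5-minute windows and keeps only groups above a threshold, so the livestream session (or the rule) reports bursts instead of every single failure. The threshold of 10 and the SubStatus-to-reason mapping are assumptions to tune against your own baseline.

```kusto
// Added example, not from the original post: aggregate failed logons
// (EventID 4625) so a livestream session or analytics rule surfaces
// bursts per account and source instead of one row per failure.
// The threshold is an assumed value; tune it to your environment.
let threshold = 10;
SecurityEvent
| where EventID == 4625                 // An account failed to log on
| extend FailureReason = case(
    tolower(SubStatus) == "0xc000006a", "Wrong password",
    tolower(SubStatus) == "0xc0000064", "User does not exist",
    tolower(SubStatus) == "0xc0000234", "Account locked out",
    tolower(SubStatus) == "0xc0000072", "Account disabled",
    strcat("Other (", SubStatus, ")"))
| summarize FailedLogons = count(),
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated),
            Reasons     = make_set(FailureReason),
            LogonTypes  = make_set(LogonType),
            Hosts       = make_set(Computer)
          by Window = bin(TimeGenerated, 5m),
             Account = tolower(TargetAccount),
             SourceIp = IpAddress
| where FailedLogons >= threshold       // keep only bursts above baseline
| order by FailedLogons desc
```

No explicit time filter is included, so the time scope is whatever the livestream session or the scheduled rule applies when it runs the query.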

 

[Animation: promote_ls.gif]

 

Resources:

Use hunting livestream in Azure Sentinel to detect threats

https://docs.microsoft.com/en-us/azure/sentinel/livestream

 

Quick wins - Proactively identify signs of intrusions in real time with Azure Sentinel Livestream

https://techcommunity.microsoft.com/t5/azure-sentinel/quick-wins-proactively-identify-signs-of-intru...