What's New: Livestream for Azure Sentinel is now released for General Availability
Published Jun 15 2020 07:34 AM 10.9K Views
Microsoft

What is Azure Sentinel Livestream? 

 

Livestream lets you run queries that refresh every 30 seconds and notifies you of any new results.  Creating a livestream enables you to (1) test newly created queries as events occur, (2) receive notifications from a session when a match is found, (3) promote a livestream to a detection rule to generate incidents in the future, (4) quickly launch investigations if necessary. You can quickly create a livestream session using any Log Analytics query.

 

How do I get started?

 

Create a livestream session:

In the Azure portal, navigate to Sentinel > Threat management > Hunting.

Select the Livestream tab.

Select “+ New livestream” to start a new livestream.

 

start_ls.gif

 

Query:

SecurityEvent

|where EventID == 4625

 

In this query we’re asking Azure Sentinel to stream all Windows login events in this workspace where the event ID = 4625 (that’s for when an account fails to log on). As you can see, we’re getting a lot of events here, and they’re being updated every 30 seconds by the live stream.

 

Quickly launch an investigation:

Quickly launch an investigation in the investigation graph directly from your livestream by selecting creating a bookmark directly from livestream.

 

bookmark.gif

 

Create a new detection:

 

If you detect there is a change in the threshold of your baseline environment activities as monitored by livestream, select the “Create analytics rule” to promote your livestream query to a detection analytic rule, enabling the generation of incidents so you are prepared to respond in the future.

 

promote_ls.gif

 

Resources:

Use hunting livestream in Azure Sentinel to detect threats

https://docs.microsoft.com/en-us/azure/sentinel/livestream

 

Quick wins  - Proactively identify signs of intrusions in real time with Azure Sentinel Livestream

https://techcommunity.microsoft.com/t5/azure-sentinel/quick-wins-proactively-identify-signs-of-intru...

 

Version history
Last update:
‎Jul 05 2020 03:58 AM
Updated by: