What is Azure Sentinel Livestream?
Livestream lets you run queries that refresh every 30 seconds and notifies you of any new results. Creating a livestream enables you to (1) test newly created queries as events occur, (2) receive notifications from a session when a match is found, (3) promote a livestream to a detection rule to generate incidents in the future, (4) quickly launch investigations if necessary. You can quickly create a livestream session using any Log Analytics query.
How do I get started?
Create a livestream session:
In the Azure portal, navigate to Sentinel > Threat management > Hunting.
Select the Livestream tab.
Select “+ New livestream” to start a new livestream.
Query:
SecurityEvent
|where EventID == 4625
In this query we’re asking Azure Sentinel to stream all Windows login events in this workspace where the event ID = 4625 (that’s for when an account fails to log on). As you can see, we’re getting a lot of events here, and they’re being updated every 30 seconds by the live stream.
Quickly launch an investigation:
Quickly launch an investigation in the investigation graph directly from your livestream by selecting creating a bookmark directly from livestream.
Create a new detection:
If you detect there is a change in the threshold of your baseline environment activities as monitored by livestream, select the “Create analytics rule” to promote your livestream query to a detection analytic rule, enabling the generation of incidents so you are prepared to respond in the future.
Resources:
Use hunting livestream in Azure Sentinel to detect threats
https://docs.microsoft.com/en-us/azure/sentinel/livestream
Quick wins - Proactively identify signs of intrusions in real time with Azure Sentinel Livestream
Updated Jul 05, 2020
Version 3.0
JulianGonzalez
Microsoft
Microsoft
