Microsoft Sentinel Blog

What's New: Livestream for Azure Sentinel is now released for General Availability

JulianGonzalez
Jun 15, 2020

What is Azure Sentinel Livestream?

Livestream lets you run queries that refresh every 30 seconds and notifies you of any new results. Creating a livestream enables you to (1) test newly created queries as events occur, (2) receive notifications from a session when a match is found, (3) promote a livestream to a detection rule so that it generates incidents in the future, and (4) quickly launch investigations if necessary. You can create a livestream session from any Log Analytics query.

How do I get started?

Create a livestream session:

In the Azure portal, navigate to Sentinel > Threat management > Hunting.

Select the Livestream tab.

Select “+ New livestream” to start a new livestream.

Query:

SecurityEvent
| where EventID == 4625

In this query we’re asking Azure Sentinel to stream all Windows logon events in this workspace where the event ID = 4625 (that’s the event logged when an account fails to log on). As you can see, we’re getting a lot of events here, and they’re being refreshed every 30 seconds by the livestream.

Quickly launch an investigation:

Quickly launch an investigation in the investigation graph directly from your livestream by creating a bookmark from the livestream results.

Create a new detection:

If you see that activity monitored by the livestream has crossed the threshold of your environment’s normal baseline, select “Create analytics rule” to promote your livestream query to a detection analytics rule. The rule then generates incidents, so you are prepared to respond the next time this activity occurs.
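The KQL below is an added example and is not part of the original post. It takes the blog’s “SecurityEvent | where EventID == 4625” livestream query and turns it into the kind of threshold-based detection you would want in place before promoting the livestream to an analytics rule: rather than streaming every failed logon, it groups failures by host and source address and returns only the groups that exceed a baseline. The lookback window and threshold are assumed values to be tuned to your environment, and the failure-reason mapping uses the standard NTSTATUS sub-status codes that Windows records for logon failures.

```kql
// Added example, not from the original post. Builds on the blog's
// "SecurityEvent | where EventID == 4625" livestream query.
// Assumed values: tune lookback and threshold to your own baseline.
let lookback = 1h;
let threshold = 10;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                      // An account failed to log on
// Map the NTSTATUS sub-status to a readable failure reason
| extend FailureReason = case(
    tolower(SubStatus) == "0xc000006a", "Wrong password",
    tolower(SubStatus) == "0xc0000064", "Unknown user name",
    tolower(SubStatus) == "0xc0000234", "Account locked out",
    tolower(SubStatus) == "0xc0000072", "Account disabled",
    tolower(SubStatus) == "0xc0000071", "Password expired",
    "Other")
// Aggregate per host and source address so a single noisy source
// surfaces as one row instead of hundreds of streamed events
| summarize FailedAttempts = count(),
            DistinctAccounts = dcount(TargetUserName),
            Accounts = make_set(TargetUserName, 20),
            Reasons = make_set(FailureReason),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Computer, IpAddress, LogonType
// Keep only groups above the baseline; each remaining row is what
// becomes an incident once the query is promoted to an analytics rule
| where FailedAttempts >= threshold
| order by FailedAttempts desc
```

Run it as a livestream first to see how often rows appear against your normal traffic, then adjust threshold until only genuinely unusual bursts remain. When you promote it with “Create analytics rule”, set the rule’s query period to match the lookback value so the aggregation window in the rule is the same one you validated in the livestream.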

Resources:

Use hunting livestream in Azure Sentinel to detect threats

https://docs.microsoft.com/en-us/azure/sentinel/livestream

Quick wins - Proactively identify signs of intrusions in real time with Azure Sentinel Livestream

https://techcommunity.microsoft.com/t5/azure-sentinel/quick-wins-proactively-identify-signs-of-intrusions-in-real-time/ba-p/1269745

Updated Jul 05, 2020
Version 3.0