Tutorial / Cram Notes

These queries help in automating the detection of potential threats by running at specified intervals, which enables a more proactive approach to security monitoring.

To configure built-in scheduled queries in Microsoft’s security tools like Azure Sentinel, follow the steps below:

Step 1: Access and Navigate Azure Sentinel

To begin, log into the Azure portal and select the Azure Sentinel service. Inside Azure Sentinel, identify and select the workspace in which you want to configure the scheduled query.

Step 2: Create or Modify Analytics Rules

Once in the Azure Sentinel dashboard, navigate to ‘Configuration’ and select ‘Analytics’. Here you’ll find a list of existing rules, and the option to create new ones. For built-in scheduled queries, look for templates or existing rules that allow you to schedule a query:

  • To modify an existing rule, select the desired rule from the list and click on “Edit”.
  • To create a new rule, click on “Create scheduled query rule”.

Step 3: Define the Query and Rule Logic

When creating or editing a rule, you’ll need to define the query that will run on schedule. Use the Kusto Query Language (KQL) to define the query criteria. Below this, you’ll set the logic for the rule, such as:

  • The frequency at which the query should run (e.g., every 5 minutes, hourly, daily).
  • The period over which data should be collected (e.g., last 6 hours).

Example of a KQL scheduled query to detect potential brute force login attempts:

SigninLogs
| where TimeGenerated > ago(1h)
| summarize Count = count() by UserPrincipalName, IPAddress
| where Count > 100

Step 4: Set the Trigger Threshold

Determine the conditions that will trigger a security incident or an alert. This can be based on:

  • Number of results: e.g., Alert if the search returns more than 10 results.
  • Threshold severity levels: e.g., High, Medium, Low.

Step 5: Configure Incident Settings

You’ll then configure how incidents are created and managed, such as:

  • Grouping related alerts into a single incident.
  • Assigning incidents to specific teams or users.
  • Adding tags to categorize or prioritize incidents.

Step 6: Set the Automated Response (Optional)

Azure Sentinel allows you to set an automated response to a triggered alert. This can range from sending a notification email to invoking a Logic App for more complex workflows.

Step 7: Review and Create the Rule

Finally, review the settings for the scheduled query rule. If everything is configured correctly, click ‘Create’ or ‘Apply’ to save the rule.

Example of an Alert Rule Summary:

Field Value
Name Brute Force Detection
Description Detects multiple failed login attempts
Severity High
Query Frequency Every 5 minutes
Query Period Last 6 hours
Trigger Threshold Alert if count > 100
Incident Grouping Group by UserPrincipalName and IPAddress

By configuring built-in scheduled queries, Security Operations Analysts can ensure their systems automatically check for suspicious activity and are alerted in real-time, increasing the chances of catching and mitigating threats before they escalate.

In summary, configuring built-in scheduled queries requires accessing the appropriate security service (e.g., Azure Sentinel), defining the query and rule logic, setting the trigger threshold, and determining the response strategy. Doing so effectively will streamline the security monitoring process, allowing analysts to focus their efforts on resolving and investigating critical threats.

Practice Test with Explanation

True or False: Scheduled queries in Microsoft Sentinel can only be run once a day.

  • True
  • False

Answer: False

Explanation: Scheduled queries in Microsoft Sentinel can be configured to run at various intervals, not just once a day. They are highly customizable regarding how often they execute.

When you configure a scheduled query in Microsoft Sentinel, which of the following is NOT a required component?

  • Query definition
  • Trigger condition
  • Query name
  • Data export policy

Answer: Data export policy

Explanation: While query definition, trigger condition, and query name are essential components of a scheduled query, a data export policy is not a required component for configuring scheduled queries in Microsoft Sentinel.

What is the maximum frequency at which a scheduled query can run in Microsoft Sentinel?

  • Every minute
  • Every 5 minutes
  • Every 10 minutes
  • Every 15 minutes

Answer: Every 5 minutes

Explanation: The scheduled queries in Microsoft Sentinel can be run as frequently as every 5 minutes, allowing for near real-time monitoring.

True or False: Scheduled queries in Microsoft Sentinel can be used to trigger playbooks automatically.

  • True
  • False

Answer: True

Explanation: Scheduled queries can be configured to trigger playbooks when certain conditions are met, enabling automated responses to specific events or alerts.

Multiple Select: Which of the following alert severity levels can be assigned to a scheduled query in Microsoft Sentinel?

  • Informational
  • Low
  • High
  • Medium

Answer: Low, Medium, High

Explanation: In Microsoft Sentinel, you can assign Low, Medium, or High severity levels to the alerts generated by scheduled queries. Informational is not a default severity level option for alerts in Microsoft Sentinel.

When a scheduled query is triggered, where are the query results typically sent?

  • In an email to the security admin
  • To a dashboard within Microsoft Sentinel
  • To the incident page within Microsoft Sentinel
  • None of the above

Answer: To the incident page within Microsoft Sentinel

Explanation: The results of a triggered scheduled query typically appear on the incidents page within Microsoft Sentinel to be reviewed and actioned by security analysts.

True or False: Scheduled queries in Microsoft Sentinel can only be created using the Azure portal.

  • True
  • False

Answer: False

Explanation: Scheduled queries can be created not only via the Azure portal but also using other interfaces such as PowerShell and Microsoft Sentinel APIs.

In a scheduled query rule in Microsoft Sentinel, what is the purpose of the “Suppression” setting?

  • To alert the suppression system of potential false positives
  • To prevent the query from executing
  • To stop all alerts for the entire workspace
  • To temporally prevent alerts from firing if they’ve recently been triggered

Answer: To temporally prevent alerts from firing if they’ve recently been triggered

Explanation: The suppression setting is used to reduce alert fatigue by temporarily preventing alerts from firing if the same alert has recently been triggered.

True or False: In Microsoft Sentinel, scheduled queries can analyze data retrospectively for the past year.

  • True
  • False

Answer: False

Explanation: While Microsoft Sentinel allows for retrospective analysis, it is not practical to analyze data for the past year with every execution of a scheduled query due to performance and cost considerations. The period of query execution usually covers a much shorter time frame.

To effectively configure a scheduled query in Microsoft Sentinel, which of these should you typically consider?

  • The query logic
  • The response actions
  • Both A and B
  • Neither A nor B

Answer: Both A and B

Explanation: When configuring a scheduled query, it is essential to consider both the logic of the query to capture the right events and the response actions to take when a query is triggered, such as playbooks or incident creation.

What is the primary purpose of scheduled query rule analytics in Microsoft Sentinel?

  • To visualize log data in charts and graphs
  • To schedule data exports to external systems
  • To periodically run detection logic against log data and create alerts or incidents
  • To back up query results for archival purposes

Answer: To periodically run detection logic against log data and create alerts or incidents

Explanation: Scheduled query rule analytics in Microsoft Sentinel is designed to run detection logic on a schedule and generate alerts or incidents based on the findings, which helps in proactive threat detection and response.

True or False: Scheduled queries in Microsoft Sentinel can be used to query across multiple workspaces.

  • True
  • False

Answer: True

Explanation: Microsoft Sentinel supports cross-workspace queries, which means scheduled queries can be set up to gather and analyze data from multiple workspaces.

Interview Questions

QA updating…
0 0 votes
Article Rating
Subscribe
Notify of
guest
14 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Vladoje Bekić
1 year ago

Great post! I’m new to configuring built-in scheduled queries. Any tips for beginners?

Elmer Gordon
1 year ago

Just a quick thanks for this guide.

Silata Donec
2 years ago

For SC-200, do I need in-depth knowledge of KQL for configuring these queries?

Zdenka Balzer
1 year ago

I had trouble running a scheduled query for Windows Security Logs. Any advice on what might be going wrong?

Emil Møller
1 year ago

Appreciate the detailed breakdown provided here.

Renee Perry
2 years ago

Is it possible to set alert thresholds for these scheduled queries?

Theo Clark
11 months ago

Awesome post! Helped a lot with my SC-200 prep.

Brooke Thomas
1 year ago

Is anyone using custom log formats? How do you integrate them with built-in scheduled queries?

14
0
Would love your thoughts, please comment.x
()
x