Tutorial / Cram Notes
These queries help in automating the detection of potential threats by running at specified intervals, which enables a more proactive approach to security monitoring.
To configure built-in scheduled queries in Microsoft’s security tools like Azure Sentinel, follow the steps below:
Step 1: Access and Navigate Azure Sentinel
To begin, log into the Azure portal and select the Azure Sentinel service. Inside Azure Sentinel, identify and select the workspace in which you want to configure the scheduled query.
Step 2: Create or Modify Analytics Rules
Once in the Azure Sentinel dashboard, navigate to ‘Configuration’ and select ‘Analytics’. Here you’ll find a list of existing rules, and the option to create new ones. For built-in scheduled queries, look for templates or existing rules that allow you to schedule a query:
- To modify an existing rule, select the desired rule from the list and click on “Edit”.
- To create a new rule, click on “Create scheduled query rule”.
Step 3: Define the Query and Rule Logic
When creating or editing a rule, you’ll need to define the query that will run on schedule. Use the Kusto Query Language (KQL) to define the query criteria. Below this, you’ll set the logic for the rule, such as:
- The frequency at which the query should run (e.g., every 5 minutes, hourly, daily).
- The period over which data should be collected (e.g., last 6 hours).
Example of a KQL scheduled query to detect potential brute force login attempts:
SigninLogs
| where TimeGenerated > ago(1h)
| summarize Count = count() by UserPrincipalName, IPAddress
| where Count > 100
Step 4: Set the Trigger Threshold
Determine the conditions that will trigger a security incident or an alert. This can be based on:
- Number of results: e.g., Alert if the search returns more than 10 results.
- Threshold severity levels: e.g., High, Medium, Low.
Step 5: Configure Incident Settings
You’ll then configure how incidents are created and managed, such as:
- Grouping related alerts into a single incident.
- Assigning incidents to specific teams or users.
- Adding tags to categorize or prioritize incidents.
Step 6: Set the Automated Response (Optional)
Azure Sentinel allows you to set an automated response to a triggered alert. This can range from sending a notification email to invoking a Logic App for more complex workflows.
Step 7: Review and Create the Rule
Finally, review the settings for the scheduled query rule. If everything is configured correctly, click ‘Create’ or ‘Apply’ to save the rule.
Example of an Alert Rule Summary:
| Field | Value |
|---|---|
| Name | Brute Force Detection |
| Description | Detects multiple failed login attempts |
| Severity | High |
| Query Frequency | Every 5 minutes |
| Query Period | Last 6 hours |
| Trigger Threshold | Alert if count > 100 |
| Incident Grouping | Group by UserPrincipalName and IPAddress |
By configuring built-in scheduled queries, Security Operations Analysts can ensure their systems automatically check for suspicious activity and are alerted in real-time, increasing the chances of catching and mitigating threats before they escalate.
In summary, configuring built-in scheduled queries requires accessing the appropriate security service (e.g., Azure Sentinel), defining the query and rule logic, setting the trigger threshold, and determining the response strategy. Doing so effectively will streamline the security monitoring process, allowing analysts to focus their efforts on resolving and investigating critical threats.
Practice Test with Explanation
True or False: Scheduled queries in Microsoft Sentinel can only be run once a day.
- True
- False
Answer: False
Explanation: Scheduled queries in Microsoft Sentinel can be configured to run at various intervals, not just once a day. They are highly customizable regarding how often they execute.
When you configure a scheduled query in Microsoft Sentinel, which of the following is NOT a required component?
- Query definition
- Trigger condition
- Query name
- Data export policy
Answer: Data export policy
Explanation: While query definition, trigger condition, and query name are essential components of a scheduled query, a data export policy is not a required component for configuring scheduled queries in Microsoft Sentinel.
What is the maximum frequency at which a scheduled query can run in Microsoft Sentinel?
- Every minute
- Every 5 minutes
- Every 10 minutes
- Every 15 minutes
Answer: Every 5 minutes
Explanation: The scheduled queries in Microsoft Sentinel can be run as frequently as every 5 minutes, allowing for near real-time monitoring.
True or False: Scheduled queries in Microsoft Sentinel can be used to trigger playbooks automatically.
- True
- False
Answer: True
Explanation: Scheduled queries can be configured to trigger playbooks when certain conditions are met, enabling automated responses to specific events or alerts.
Multiple Select: Which of the following alert severity levels can be assigned to a scheduled query in Microsoft Sentinel?
- Informational
- Low
- High
- Medium
Answer: Low, Medium, High
Explanation: In Microsoft Sentinel, you can assign Low, Medium, or High severity levels to the alerts generated by scheduled queries. Informational is not a default severity level option for alerts in Microsoft Sentinel.
When a scheduled query is triggered, where are the query results typically sent?
- In an email to the security admin
- To a dashboard within Microsoft Sentinel
- To the incident page within Microsoft Sentinel
- None of the above
Answer: To the incident page within Microsoft Sentinel
Explanation: The results of a triggered scheduled query typically appear on the incidents page within Microsoft Sentinel to be reviewed and actioned by security analysts.
True or False: Scheduled queries in Microsoft Sentinel can only be created using the Azure portal.
- True
- False
Answer: False
Explanation: Scheduled queries can be created not only via the Azure portal but also using other interfaces such as PowerShell and Microsoft Sentinel APIs.
In a scheduled query rule in Microsoft Sentinel, what is the purpose of the “Suppression” setting?
- To alert the suppression system of potential false positives
- To prevent the query from executing
- To stop all alerts for the entire workspace
- To temporally prevent alerts from firing if they’ve recently been triggered
Answer: To temporally prevent alerts from firing if they’ve recently been triggered
Explanation: The suppression setting is used to reduce alert fatigue by temporarily preventing alerts from firing if the same alert has recently been triggered.
True or False: In Microsoft Sentinel, scheduled queries can analyze data retrospectively for the past year.
- True
- False
Answer: False
Explanation: While Microsoft Sentinel allows for retrospective analysis, it is not practical to analyze data for the past year with every execution of a scheduled query due to performance and cost considerations. The period of query execution usually covers a much shorter time frame.
To effectively configure a scheduled query in Microsoft Sentinel, which of these should you typically consider?
- The query logic
- The response actions
- Both A and B
- Neither A nor B
Answer: Both A and B
Explanation: When configuring a scheduled query, it is essential to consider both the logic of the query to capture the right events and the response actions to take when a query is triggered, such as playbooks or incident creation.
What is the primary purpose of scheduled query rule analytics in Microsoft Sentinel?
- To visualize log data in charts and graphs
- To schedule data exports to external systems
- To periodically run detection logic against log data and create alerts or incidents
- To back up query results for archival purposes
Answer: To periodically run detection logic against log data and create alerts or incidents
Explanation: Scheduled query rule analytics in Microsoft Sentinel is designed to run detection logic on a schedule and generate alerts or incidents based on the findings, which helps in proactive threat detection and response.
True or False: Scheduled queries in Microsoft Sentinel can be used to query across multiple workspaces.
- True
- False
Answer: True
Explanation: Microsoft Sentinel supports cross-workspace queries, which means scheduled queries can be set up to gather and analyze data from multiple workspaces.
Great post! I’m new to configuring built-in scheduled queries. Any tips for beginners?
Just a quick thanks for this guide.
For SC-200, do I need in-depth knowledge of KQL for configuring these queries?
I had trouble running a scheduled query for Windows Security Logs. Any advice on what might be going wrong?
Appreciate the detailed breakdown provided here.
Is it possible to set alert thresholds for these scheduled queries?
Awesome post! Helped a lot with my SC-200 prep.
Is anyone using custom log formats? How do you integrate them with built-in scheduled queries?