Azure Sentinel - Hunting

Hunting is a collection of Kusto (KQL) queries that Microsoft provides out of the box for a range of common attack scenarios. They are meant as a reference and starting point for your own hunts; a hunting query does not raise incidents on its own unless you turn it into an analytics rule.

Run all queries

In Azure Sentinel, select the Log Analytics (LA) workspace you want to hunt in, then click Hunting in the left-hand menu.

The pane already contains a large set of built-in queries; click Run all queries to execute every one of them against the workspace.

Open one of the queries:

After it runs, the reference result looks like this:

User logon behaviour analysis

SecurityEvent
| where TimeGenerated >= ago(3d)                 // time filter first: the cheapest way to cut the data scanned
| where EventID == 4624                          // successful logon
| where Computer startswith "DC01" or Computer startswith "DC03" or Computer startswith "DC04"   // domain controllers of interest
| where LogonTypeName <> "3 - Network"           // drop network logons (SMB, LDAP binds), which make up most 4624 events on a DC
| where Account !endswith "$"                    // drop computer accounts
    and Account != @"NT AUTHORITY\LOCAL SERVICE"
    and Account != @"NT AUTHORITY\SYSTEM"
| summarize count() by Computer, Account, LogonTypeName

Sample output:
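The query above only counts logons; on its own that tells you who logs on to the domain controllers, not what is new. As an added example (not a query from the page or from Microsoft's built-in hunting set), the following KQL keeps the same filters and turns them into a baseline comparison: it lists account/DC pairs that had a non-network logon in the last day but none in the preceding 14 days. The DC name prefixes are the page's; the 1-day and 14-day windows are assumptions to tune for the environment.

```kql
// Added example: accounts newly logging on to a domain controller, compared with a baseline.
let baselineWindow = 14d;   // assumption: how far back "known" logons are collected
let huntWindow     = 1d;    // assumption: the period being hunted
let dcLogons = SecurityEvent
    | where TimeGenerated >= ago(baselineWindow + huntWindow)
    | where EventID == 4624
    | where Computer startswith "DC01" or Computer startswith "DC03" or Computer startswith "DC04"
    | where LogonType != 3                                   // numeric column; same filter as LogonTypeName <> "3 - Network"
    | where Account !endswith "$"
        and Account != @"NT AUTHORITY\LOCAL SERVICE"
        and Account != @"NT AUTHORITY\SYSTEM";
// every (account, DC) pair seen during the baseline period
let baseline = dcLogons
    | where TimeGenerated < ago(huntWindow)
    | summarize by Account, Computer;
dcLogons
| where TimeGenerated >= ago(huntWindow)
| join kind=leftanti (baseline) on Account, Computer        // keep only pairs never seen in the baseline
| summarize Logons       = count(),
            FirstSeen    = min(TimeGenerated),
            LastSeen     = max(TimeGenerated),
            LogonTypes   = make_set(LogonTypeName),
            SourceIPs    = make_set(IpAddress, 20),
            Workstations = make_set(WorkstationName, 20)
    by Account, Computer
| order by FirstSeen asc
```

The leftanti join is what makes this a hunt rather than a report: a service account that logs on to DC01 every day disappears from the output, while an administrator account appearing on DC04 for the first time, or a logon from a workstation name you do not recognise, stays in. The first run after enabling collection will show everything as new, since the baseline is empty.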

User-defined queries

Click Azure Sentinel – Hunting at the top of the portal to return to the Hunting pane.

Create a new custom query:

Custom query:

SigninLogs
| where TimeGenerated > ago(30d)
| where ClientAppUsed in ('Other clients; Older office clients', 'Other clients', 'Other clients; IMAP', 'Other clients; POP', 'Other clients; SMTP')   // legacy authentication protocols, which do not support MFA
| summarize count() by UserPrincipalName, IPAddress, ClientAppUsed

Click Create and check that the query appears in the portal;

Click Run all queries; the new query now runs together with the built-in ones.

Click the newly created query, then Run Query and View Results.

The results show, per user, the source IP addresses and the client protocol used (IMAP, POP, SMTP and so on).
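The custom query above counts every legacy-protocol sign-in regardless of outcome, so a single result line cannot tell a successful IMAP logon from a thousand rejected password guesses. As an added example (not from the page or from Microsoft's built-in hunting set), the following KQL splits the two: it finds source IPs that failed legacy-protocol sign-ins against many distinct accounts, then returns only the successful legacy sign-ins from those same IPs, i.e. accounts that were likely compromised by a password spray. The list of ClientAppUsed values is the set Azure AD reports for legacy authentication; the 10-account threshold is an assumption to tune per tenant.

```kql
// Added example: password spray over legacy authentication, followed by a success from the same IP.
let legacyClients = dynamic([
    "Other clients", "IMAP", "POP", "SMTP", "Authenticated SMTP",
    "Exchange ActiveSync", "Exchange Web Services", "Exchange Online PowerShell",
    "Outlook Anywhere (RPC over HTTP)", "MAPI Over HTTP", "Offline Address Book", "Autodiscover"
]);
let legacy = SigninLogs
    | where TimeGenerated > ago(30d)
    | where ClientAppUsed in~ (legacyClients)
        or ClientAppUsed startswith "Other clients";        // older logs use values such as "Other clients; IMAP"
// source IPs whose legacy sign-ins failed against many distinct accounts
let sprayIPs = legacy
    | where ResultType in ("50126", "50053", "50055", "50057")   // bad password, locked out, expired, disabled
    | summarize Failures      = count(),
                TargetedUsers = dcount(UserPrincipalName),
                FirstFailure  = min(TimeGenerated)
        by IPAddress
    | where TargetedUsers >= 10;                                 // assumption: spray threshold
// successful legacy sign-ins (ResultType is a string column) from those IPs after the spray began
legacy
| where ResultType == "0"
| join kind=inner (sprayIPs) on IPAddress
| where TimeGenerated > FirstFailure
| summarize Successes   = count(),
            Accounts    = make_set(UserPrincipalName, 20),
            Protocols   = make_set(ClientAppUsed),
            Apps        = make_set(AppDisplayName),
            LastSuccess = max(TimeGenerated)
    by IPAddress, Failures, TargetedUsers
| order by Successes desc
```

Each output row is an IP with both a spray pattern and at least one account it got into over a protocol that cannot enforce MFA; the Accounts column is the list to reset and investigate. Running the same `legacy` subquery with only `ResultType == "0"` and summarising by UserPrincipalName gives the broader inventory of who still uses legacy authentication at all, which is the input for blocking it with Conditional Access.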
