You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/sentinel/sentinel-analytic-rules-creation.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -55,7 +55,7 @@ This field is mandatory.
55
55
56
56
### Name
57
57
58
-
The `name` attribute provides a brief label that summarizes the detection. Make sure the label is clear and concise to help users understand the purpose of the rule. Use `alertDetailsOverride` to generate dynamic names to aid analysts in understanding the alert. See the following requirements:
58
+
The `name` attribute provides a brief label that summarizes the detection. Make sure the label is clear and concise to help users understand the purpose of the rule. Use `alertDetailsOverride` to generate dynamic names to help analysts understand the alert. See the following requirements:
59
59
60
60
* Uses sentence-case capitalization
61
61
* Doesn't end in a period
@@ -166,7 +166,7 @@ Limit the query to 10,000 characters. If the query section exceeds this limit, c
166
166
167
167
Each line in the query body must have at least one space at the beginning, but two spaces are standard to support readability.
168
168
169
-
If you're submitting a query for a datatype that isn't present in the Detections or Hunting Queries folder, name the subfolder that contains the YAML files after the table being queried. For instance, if your query pertains to the `AzureDevOpsAuditing` table, create a folder named `AzureDevOpsAuditing`.
169
+
When you submit a query for a datatype that isn't present in the Detections or Hunting Queries folder, name the subfolder that contains the YAML files after the table being queried. For instance, if your query pertains to the `AzureDevOpsAuditing` table, create a folder named `AzureDevOpsAuditing`.
170
170
171
171
Define human-readable names for explicit constants:
Copy file name to clipboardExpand all lines: articles/sentinel/sentinel-hunting-rules-creation.md
+7-7Lines changed: 7 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -22,11 +22,11 @@ This article walks you through the process of creating and publishing hunting qu
22
22
23
23
Hunting queries in Microsoft Sentinel are used in various scenarios to enhance threat detection and response. Common use cases include:
24
24
25
-
***Detecting suspicious user activity**: Security teams can use hunting queries to identify anomalous behavior such as unusual sign-in attempts, access patterns, or privilege-escalation activities. By analyzing user activity logs, analysts can detect potential insider threats or compromised accounts.
26
-
***Identifying malware and ransomware infections**: Hunting queries can help detect signs of malware or ransomware infections by scanning for known indicators of compromise (IoCs), unusual network traffic patterns, or file integrity changes. This proactive approach enables teams to respond quickly to mitigate the impact of an infection.
27
-
***Monitoring network anomalies**: To identify potential breaches, you can analyze network traffic for unusual patterns, such as unexpected data transfers or communication with known malicious IP addresses. Hunting queries enable analysts to pinpoint these anomalies and investigate further.
28
-
***Investigating phishing attacks**: Hunting queries can be used to detect phishing attempts by analyzing email logs and identifying suspicious links or attachments. Hunting queries can correlate these findings with threat intelligence data. This helps prevent credential theft and protect sensitive information.
29
-
***Tracking lateral movement**: After an attacker gains initial access, they can move laterally within the network to escalate privileges or access critical systems. Hunting queries can track these movements by analyzing sign-in events, remote desktop sessions, and other relevant data to detect and disrupt the attack.
25
+
***Detect suspicious user activity**: Security teams can use hunting queries to identify anomalous behavior such as unusual sign-in attempts, access patterns, or privilege-escalation activities. By analyzing user activity logs, analysts can detect potential insider threats or compromised accounts.
26
+
***Identify malware and ransomware infections**: Hunting queries can help you detect signs of malware or ransomware infections because they scan for known indicators of compromise (IoCs), unusual network traffic patterns, or file integrity changes. This proactive approach enables teams to respond quickly to mitigate the impact of an infection.
27
+
***Monitor network anomalies**: To identify potential breaches, you can analyze network traffic for unusual patterns, such as unexpected data transfers or communication with known malicious IP addresses. Hunting queries enable analysts to pinpoint these anomalies and investigate further.
28
+
***Investigate phishing attacks**: Hunting queries can help you detect phishing attempts because they analyze email logs and identify suspicious links or attachments. Hunting queries can correlate these findings with threat intelligence data. This process helps you prevent credential theft and protect sensitive information.
29
+
***Track lateral movement**: After an attacker gains initial access, they can move laterally within the network to escalate privileges or access critical systems. Hunting queries can track these movements by analyzing sign-in events, remote desktop sessions, and other relevant data to detect and disrupt the attack.
30
30
31
31
## Create effective hunting queries
32
32
@@ -54,7 +54,7 @@ This field is mandatory.
54
54
55
55
### Name
56
56
57
-
The `name` attribute provides a brief label that summarizes the detection. Make sure the label is clear and concise to help users understand the purpose of the hunting query. Use `alertDetailsOverride` to generate dynamic names to aid analysts in understanding the alert. See the following requirements:
57
+
The `name` attribute provides a brief label that summarizes the detection. Make sure the label is clear and concise to help users understand the purpose of the hunting query. Use `alertDetailsOverride` to generate dynamic names to help analysts understand the alert. See the following requirements:
58
58
59
59
* Uses sentence-case capitalization
60
60
* Doesn't end in a period
@@ -115,7 +115,7 @@ Limit the query to 10,000 characters. If the query section exceeds this limit, c
115
115
116
116
Each line in the query body must have at least one space at the beginning, but two spaces are standard to support readability.
117
117
118
-
If you're submitting a query for a datatype that isn't present in the Detections or Hunting Queries folder, name the subfolder that contains the YAML files after the table being queried. For instance, if your query pertains to the `AzureDevOpsAuditing` table, create a folder named `AzureDevOpsAuditing`.
118
+
When you submit a query for a datatype that isn't present in the Detections or Hunting Queries folder, name the subfolder that contains the YAML files after the table being queried. For instance, if your query pertains to the `AzureDevOpsAuditing` table, create a folder named `AzureDevOpsAuditing`.
119
119
120
120
Define human-readable names for explicit constants:
0 commit comments