Log Analytics Query Packs allow commonly used queries to be saved and made accessible within Sentinel.
When a staff member with contributor permissions saves their first query from within Log Analytics to the default query pack, the default resource group and default query pack name are created for the subscription.
Multiple query packs can be created with any names relevant to a SOC team, but the Sentinel / Log Analytics GUI will always default to a pack titled DefaultQueryPack in a resource group titled LogAnalyticsDefaultResources. For a SOC team regularly updating queries, keeping the default naming saves a lot of repetitive navigation.
Query Packs matter to me because of the amount of data I am directing into Azure Data Explorer rather than Sentinel: I need to amend my queries to be ADX aware.
I won't go through creating functions for querying ADX in this exercise, but I wanted to highlight what Query Packs are and how they are edited.
Saving the first hunting query
Reprise99 is an extensive collection of KQL queries grouped by resource.
GitHub - reprise99/Sentinel-Queries: Collection of KQL queries
Instead of bulk importing queries for products we are not actively using, we will consciously decide which queries to import (in my case, some will be amended to run against my ADX database). To illustrate, we will pick one hunting query at random.
First, I copy the query into the log query pane for Sentinel and, with all text highlighted, select Save from the overhead menu.
For consistency, I use the same naming standard as the Reprise99 repository: the query name is the table being queried followed by a description of what the query does.
I am saving to the default query pack. If I decided to maintain different query packs, I would have to drill down through the menu each time I wished to create a new query.
The Category will always be Security.
Following the Reprise99 repository structure, I will create a label for “Office 365”.
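The same save can be scripted, which is useful once the team is importing queries selectively from a repository rather than pasting them one at a time. The following is an added example, not code from the original post or from the Reprise99 repository: it writes one query into DefaultQueryPack through the Azure Resource Manager REST API with Invoke-AzRestMethod (Az.Accounts), using the same name, category and label conventions as the steps above. The subscription ID, the sample KQL, and the use of the `labels` tag key for the Logs blade's labels are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): save a KQL hunting query into
# DefaultQueryPack via the ARM REST API instead of the Logs blade.
# Requires Connect-AzAccount first and write rights on the query pack resource
# (query packs are ARM resources, so Azure RBAC on the pack governs access).

$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # assumption: replace with your subscription ID
$ResourceGroup  = 'LogAnalyticsDefaultResources'            # default RG created on first save
$QueryPack      = 'DefaultQueryPack'                         # default pack the Logs blade targets
$ApiVersion     = '2019-09-01'

# Constructed sample query; name follows the Reprise99 "table - description" standard.
$DisplayName = 'OfficeActivity - Example operation count (last 7 days)'
$Description = 'Added example query; replace with the Reprise99 query chosen for import.'
$Kql = @'
OfficeActivity
| where TimeGenerated > ago(7d)
| summarize Count = count() by Operation
| order by Count desc
'@

# The query ID in the URL is a GUID. Deriving it from the display name keeps the
# script idempotent: re-running it updates the same query instead of creating a copy.
$Hash    = [System.Security.Cryptography.SHA256]::Create().ComputeHash(
             [System.Text.Encoding]::UTF8.GetBytes($DisplayName))
$QueryId = [guid]::new([byte[]]($Hash[0..15]))

$Payload = @{
  properties = @{
    displayName = $DisplayName
    description = $Description
    body        = $Kql
    related     = @{
      categories    = @('security')                                   # "Category will always be Security"
      resourceTypes = @('microsoft.operationalinsights/workspaces')
    }
    # Assumption: the Logs blade shows entries under the 'labels' tag key as query labels.
    tags = @{ labels = @('Office 365') }
  }
} | ConvertTo-Json -Depth 6

$Path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.OperationalInsights/queryPacks/$QueryPack" +
        "/queries/${QueryId}?api-version=$ApiVersion"

$Response = Invoke-AzRestMethod -Method PUT -Path $Path -Payload $Payload

# Check the HTTP status rather than assuming success; a 403 here usually means
# the caller has workspace rights but no write role on the query pack itself.
if ($Response.StatusCode -notin 200, 201) {
  throw "Saving query failed: HTTP $($Response.StatusCode) - $($Response.Content)"
}

($Response.Content | ConvertFrom-Json).properties |
  Select-Object displayName, timeModified, @{ n = 'labels'; e = { $_.tags.labels -join ', ' } }
```

Because the query body is stored in an ARM resource that everyone with read access to the pack can see, treat it like shared code: no tenant-specific secrets, tokens or internal hostnames in the KQL, and review the diff of any query you update.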
Set Defaults for Query Use
From the Logs blade of Microsoft Sentinel, select Queries from the top menu (right-hand side).
I toggle on “Always Show Queries” so the queries pane opens whenever the Logs blade is invoked.
In the left-hand queries menu, I change the grouping to display queries by label.
My first saved query for Office 365 is now available to everyone with permissions to that query pack. Query packs are ARM resources, so that access is governed by Azure RBAC on the pack rather than by workspace permissions.
With time, dozens or hundreds of queries can be saved by the SOC team for a range of monitored products.