Configuring custom scheduled queries allows security analysts to automate threat detection and improve their security posture by creating timely alerts based on specific criteria.
Custom scheduled queries are created using KQL (Kusto Query Language), the powerful query language used by Azure Monitor Logs and Microsoft 365 Defender. These queries can be scheduled to run at regular intervals, ensuring that the latest data is analyzed and any potential threats are identified promptly.
Create your KQL query based on the log data you wish to analyze. The query should be tailored to the specific patterns or behaviors indicative of a security threat or issue you are monitoring.
```kql
SigninLogs
| where ResultType == "50126" // Indicates a failed sign-in attempt due to invalid username or password
| summarize Count = count() by UserPrincipalName, bin(TimeGenerated, 5m)
| where Count > 5
```
After crafting your KQL query, you must decide the frequency at which it should run. Common intervals include every 5 minutes, hourly, or daily, depending on the nature of the data and the threat you’re watching.
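An added example, not from the original page, showing how the failed sign-in query above is typically tightened before it is scheduled. It assumes the rule runs every 5 minutes with a 10-minute query period (lookback) so that consecutive runs overlap rather than leave gaps; the threshold and set sizes are placeholder values to tune against your own data.

```kql
// Added example (not the page's own query). Assumed rule settings: run every 5 minutes,
// query period 10 minutes, so each run overlaps the previous one instead of leaving a gap.
let lookback = 10m;
let failureThreshold = 5;   // placeholder; tune after backtesting for false positives
// Failed sign-ins caused by a wrong username or password, in 5-minute bins per account
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "50126"
    | summarize FailedAttempts = count(),
                SourceIPs = make_set(IPAddress, 20),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
              by UserPrincipalName, bin(TimeGenerated, 5m)
    | where FailedAttempts > failureThreshold;
// Successful sign-ins in the same window: a success following a burst of failures is the
// case that matters most, so it is surfaced rather than filtered out
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | summarize LastSuccess = max(TimeGenerated), SuccessIPs = make_set(IPAddress, 20)
              by UserPrincipalName;
failures
| join kind=leftouter successes on UserPrincipalName
| extend SucceededAfterBurst = isnotnull(LastSuccess) and LastSuccess > LastFailure
| extend Severity = iff(SucceededAfterBurst, "High", "Medium")
| project TimeGenerated, UserPrincipalName, FailedAttempts, SourceIPs,
          FirstFailure, LastFailure, SucceededAfterBurst, SuccessIPs, Severity
| order by FailedAttempts desc
```

The rule's scheduling settings (run frequency and lookback) must match the values assumed in the query, and the projected columns are the ones you would map to account and IP entities in the analytics rule.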
Decide on the alert details:
Before finalizing your schedule, test the query to ensure it returns the expected results and does not produce excessive false positives.
Save and enable the custom scheduled query to start monitoring your environment. The system will alert you when the conditions of the query are met.
| Scenario | Query Example | Frequency | Severity |
|---|---|---|---|
| Detecting unusual login locations | `SigninLogs \| where CountryOrRegion !in ('US', 'CA')` | Hourly | Medium |
| Identifying potential data exfiltration | `NetworkCommunicationEvents \| where ActionType == 'FileDownloaded'` | Daily | High |
| Monitoring for privilege escalation | `AuditLogs \| where OperationName == 'Add member to role'` | Every 5 minutes | High |
By configuring custom scheduled queries, security analysts can tailor their monitoring to the unique requirements of their environment, ensuring they are alerted to threats in a proactive and efficient manner. This bespoke approach to threat detection is crucial for maintaining a strong security posture and is a significant component of the knowledge base for anyone pursuing certification as a Microsoft Security Operations Analyst.
Answer: A) True
Explanation: Custom scheduled queries in Microsoft Sentinel are written using Kusto Query Language (KQL).
Answer: A) A Log Analytics workspace
Explanation: A Log Analytics workspace is required to store the data that custom scheduled queries will analyze in Microsoft Sentinel.
Answer: B) False
Explanation: Custom scheduled queries can be configured to run at various intervals, not just daily.
Answer: D) Sentinel Contributor
Explanation: The Sentinel Contributor role has the necessary permissions to create and manage custom scheduled queries in Microsoft Sentinel.
Answer: A) True
Explanation: Alerts can be generated based on the results of custom scheduled queries through analytics rule configurations in Microsoft Sentinel.
Answer: C) 15 minutes
Explanation: The maximum execution time for a custom scheduled query in Microsoft Sentinel is 15 minutes.
Answer: A) True
Explanation: Custom functions can be created and used within KQL to provide reusable query logic in Microsoft Sentinel.
Answer: B) To specify the frequency at which the query should run
Explanation: The "Query scheduling" option allows you to specify how often the custom scheduled query should execute.
Answer: D) All of the above
Explanation: Microsoft Sentinel can log the incident, trigger automated responses, and send an email notification as actions in response to an alert from a custom scheduled query.
Answer: B) False
Explanation: After saving a custom scheduled query, you must enable it to start running according to its defined schedule.
Answer: B) The query result contains data that meets the alert criteria
Explanation: An alert would be triggered if the results of the custom scheduled query contain data that meet the defined criteria indicating a potential security issue.
Answer: D) All of the above
Explanation: You can validate the syntax of KQL by running it in the Log Analytics workspace, using a syntax checker tool, or having it reviewed by a knowledgeable colleague.
Kusto Query Language (KQL) is a query language used for querying Azure data services, such as Azure Log Analytics, Azure Security Center, and Azure Sentinel.
KQL is a simple, intuitive, and easy-to-learn language that allows users to query, analyze, and visualize data in a flexible and efficient manner. It can be used to perform various operations, such as searching, filtering, aggregating, and joining data from multiple sources.
KQL is based on a set of key concepts, such as tables, columns, functions, operators, expressions, and commands. These concepts are used to construct queries that perform specific actions on the data.
Some basic query operations in KQL include selecting data from tables, filtering data based on criteria, sorting and grouping data, and joining data from multiple tables.
KQL queries can be used to analyze data from a wide range of sources, such as logs, metrics, events, and traces. Some common data sources include Azure Log Analytics, Azure Security Center, Azure Sentinel, and Azure Application Insights.
A KQL query is composed of various elements, such as keywords, operators, functions, and literals. The syntax of a KQL query is similar to that of SQL, with some differences.
In KQL, a table is a collection of data that is stored in a tabular format, while a view is a virtual table that is created by querying one or more tables. Views can be used to simplify complex queries and to improve query performance.
KQL provides a wide range of built-in functions that can be used to manipulate and analyze data, such as aggregation functions, string functions, date and time functions, and mathematical functions.
KQL can be used to generate charts, tables, and other visualizations that can help users to better understand and analyze their data. Visualizations can be created using tools such as Azure Log Analytics, Power BI, and Excel.
There are various resources available to help you learn more about KQL, including online tutorials, documentation, and training courses. Microsoft also provides a community forum where users can ask questions, share best practices, and collaborate with others.