Azure monitor

Harness the Power of Custom Queries to Uncover Hidden Insights and Strengthen Your Security Posture

In today's complex cybersecurity landscape, having access to comprehensive, detailed, and actionable data is critical for maintaining a robust security posture. Microsoft Azure Sentinel provides a powerful platform to collect, analyse, and respond to security events, and the integration with Peakhour's log analytics data allows organizations to gain valuable insights into their security environment.

In this guide, we will explore how to effectively query the PeakhourEvent_CL table in Azure Sentinel to unlock the full potential of the data it contains. We will cover various techniques for using the additional fields present in the table, such as GeoIP information, IP threat lists, and block types, to enhance your security analysis, create insightful reports, and fine-tune your incident response strategies. By harnessing the power of custom queries, you can uncover hidden patterns and trends in your security landscape, helping you stay ahead of potential threats and fortify your organization's defenses.

Using the additional fields present in the PeakhourEvent_CL table can help enhance your security analysis and incident response. These fields can be used to create more detailed alerts, generate insightful reports, and identify trends or patterns in your security landscape.

Here are some suggestions on how to utilise these additional fields:

GeoIP Information

Use the geographical information to detect and analyse location-based threats, identify trends in attacks from specific regions, or create location-based security policies. You can also use this information to visualize the source of attacks on a map.

Example KQL query to find top attacking countries:

PeakhourEvent_CL
| summarize count() by Country = geoip_country_code_s
| top 10 by count_ desc

IP Threat Lists

Use the threat list information to track known malicious IP addresses and identify potential threats to your environment. You can create alerts based on the presence of these IPs in your logs and take appropriate action.

Example KQL query to find events involving IPs from threat lists:

PeakhourEvent_CL
// block_blocklist_name_s is populated only when an IP threat list contributed to the block
| where block_blocklist_name_s != ""

Type of Block

Analyze the different types of blocks that occurred (WAF, IP threat list, custom rule, rate limit, bot) to understand the nature of the threats your environment is facing. This can help you fine-tune your security policies and prioritise your incident response efforts.

Example KQL query to find the distribution of block types:

PeakhourEvent_CL
| summarize count() by BlockType = block_by_s

Generate Reports

Use the additional fields to create detailed reports on attack trends, incident response performance, and security posture improvements. These reports can help stakeholders and management make informed decisions and allocate resources effectively.

Example KQL query to generate a daily summary report of events:

PeakhourEvent_CL
| extend EventDate = todatetime(time_d)
// bucket into whole days so the summary is per day rather than per timestamp
| summarize count() by EventDay = bin(EventDate, 1d), BlockType = block_by_s, Country = geoip_country_code_s
| order by EventDay desc
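A fuller daily report, added here as an example and not taken from the Peakhour documentation, that combines the block type, threat list and GeoIP fields in a single summary. It uses only the columns named on this page plus TimeGenerated, which every Log Analytics table carries, and assumes time_d converts with todatetime() as in the query above:

```kql
// Added example: per-day, per-block-type report over the last 30 days with the
// share of events that also matched an IP threat list and the spread of source countries.
PeakhourEvent_CL
| where TimeGenerated > ago(30d)
| extend EventDay = bin(todatetime(time_d), 1d)
| summarize
    Events = count(),
    ThreatListHits = countif(isnotempty(block_blocklist_name_s)),
    SourceCountries = dcount(geoip_country_code_s)
    by EventDay, BlockType = block_by_s
// percentage of this day's blocks of this type that involved a known-bad IP
| extend ThreatListShare = round(100.0 * ThreatListHits / Events, 1)
| order by EventDay desc, Events desc
```

Pinned to a workbook, this gives stakeholders one table per day showing which blocking mechanism is doing the work, how much of it is driven by threat list matches, and how geographically spread the sources are.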

Create Custom Alerts

Utilize these additional fields to create custom alerts that can help you prioritize and respond to incidents more effectively. For example, you can create alerts based on a combination of factors, such as block type and geographical location.

Example KQL query to create an alert for blocks of one type (here the blocklist type) from a specific country:

PeakhourEvent_CL
// substitute the block_by_s value for the block type you want to alert on
| where block_by_s == "blocklist" and geoip_country_code_s == "RU"
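A thresholded alert query, added here as an example and not part of the Peakhour documentation, that combines several of the fields above per source address. The page does not name the column holding the client address, so client_ip_s below is a hypothetical column name to be replaced with the one present in your workspace; the thresholds are constructed starting points:

```kql
// Added example: intended as the query of a scheduled analytics rule that runs hourly.
// Raises on sources that were blocked repeatedly and either tripped more than one
// blocking mechanism or appeared on an IP threat list.
PeakhourEvent_CL
| where TimeGenerated > ago(1h)
| summarize
    Blocks = count(),
    BlockTypes = make_set(block_by_s),
    DistinctBlockTypes = dcount(block_by_s),
    ThreatListHits = countif(isnotempty(block_blocklist_name_s)),
    Countries = make_set(geoip_country_code_s)
    by SourceIP = client_ip_s   // hypothetical column name, see lead-in
| where Blocks >= 50 and (DistinctBlockTypes >= 2 or ThreatListHits > 0)
// threat list presence is the stronger signal, so rank those incidents higher
| extend Severity = iff(ThreatListHits > 0, "High", "Medium")
| order by Blocks desc
```

Mapping SourceIP to the IP entity and Severity to the rule's severity in the analytics rule wizard lets each row become an incident with the block types and countries already attached as evidence.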

By incorporating these additional fields in your analysis, you can gain a deeper understanding of your security landscape and enhance your organization's overall security posture.