Modified Sentinel lab
R-C-Stewart committed May 8, 2024
1 parent 6757b45 commit 9827954
Showing 1 changed file with 0 additions and 8 deletions.
8 changes: 0 additions & 8 deletions Instructions/Labs/Lab_27_MicrosoftSentinelKustoQueries.md
Expand Up @@ -77,11 +77,3 @@ Microsoft Sentinel is Microsoft's cloud-native SIEM and SOAR solution. Through
1. Select **Run**.

1. This will provide a list of User IDs on Microsoft Entra ID. Since we have just created the workspace, you may not see results. Note the format of the query.

1. Under **Threat management** in the menu, select **Hunting**.

1. Scroll down to find the query **Anomalous sign-in location by user account and authenticating application**. This query over Microsoft Entra sign-in considers all user sign-ins for each Microsoft Entra application and picks out the most anomalous change in location profile for a user within an individual application. The intent is to hunt for user account compromise, possibly via a specific application vector.

1. Select **View query results** to run the query.

1. This may not provide results with the new workspace, but you now have seen how queries can be run to gather information or for hunting potential threats.
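Review bot: Dropping all of the Hunting steps (from "Under **Threat management** in the menu, select **Hunting**" through the closing sentence about running queries "for hunting potential threats") leaves the lab without the hunting walkthrough that its last line previously summarised, yet the commit message "Modified Sentinel lab" gives no reason. Please state in the commit message why the **Anomalous sign-in location by user account and authenticating application** section was removed (for example, the query no longer appears in the Hunting gallery, or the step was moved elsewhere), and check that any objectives or introduction earlier in Lab_27_MicrosoftSentinelKustoQueries.md that still promise a hunting exercise are updated to match. The remaining context now ends on "Note the format of the query.", which reads as a complete stopping point, so no further wording change is needed in the kept lines.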
