Learn how to create saved queries in Azure Sentinel to effectively find and manage events reported by Advanced Threat Protection for Azure SQL Databases. Enhance your security operations with our step-by-step guide.
Question
You have an Azure subscription that contains several Azure SQL databases and an Azure Sentinel workspace.
You need to create a saved query in the workspace to find events reported by Advanced Threat Protection for Azure SQL Database.
What should you do?
A. From Azure CLI run the Get-AzOperationalInsightsworkspace cmdlet.
B. From the Azure SQL Database query editor, create a Transact-SQL query.
C. From the Azure Sentinel workspace, create a Kusto Query Language query.
D. From Microsoft SQL Server Management Studio (SSMS), create a Transact-SQL query.
Answer
C. From the Azure Sentinel workspace, create a Kusto Query Language query.
Explanation
The correct answer is C. From the Azure Sentinel workspace, create a Kusto Query Language query.
Azure Sentinel (now called Microsoft Sentinel) is a cloud-native security information and event management (SIEM) service that provides security analytics and threat detection across cloud and hybrid resources. It collects data from sources such as Azure resources, Microsoft 365 services, and third-party solutions and stores it in a Log Analytics workspace, the Azure Monitor data store that holds the log data collected from your resources. Because a Log Analytics workspace is queried only with KQL, a Transact-SQL query (options B and D) runs inside the database rather than the workspace and cannot be saved there, and Get-AzOperationalInsightsWorkspace (option A) is a PowerShell cmdlet that only returns workspace metadata, not a query.
To create a saved query in Azure Sentinel, you need to use the Kusto Query Language (KQL), which is the language used to query data in Azure Data Explorer, Log Analytics, and Azure Sentinel. KQL is a powerful and expressive language that allows you to perform complex analysis and manipulation of data. You can use KQL to filter, sort, group, join, project, and aggregate data, as well as to create charts, tables, and other visualizations.
Advanced Threat Protection for Azure SQL Database (part of Microsoft Defender for SQL) detects anomalous activities that indicate unusual and potentially harmful attempts to access or exploit databases: SQL injection attacks and injection-vulnerable statements, brute force attempts, suspicious credential access, potential data exfiltration, and more. Its alerts are surfaced in the Azure portal and in Microsoft Defender for Cloud (formerly Azure Security Center) and can optionally be emailed to configured recipients.
To find those events in Azure Sentinel, the alerts first have to be ingested into the workspace. Advanced Threat Protection alerts are Defender for Cloud security alerts, so enable the Microsoft Defender for Cloud (Azure Security Center) data connector in Azure Sentinel; it streams the alerts into the SecurityAlert table of the Log Analytics workspace. Note that the separate Azure SQL Databases connector forwards diagnostic and audit logs from the databases, which is useful context but is not where these alerts land.
To create a saved query in the workspace to find events reported by Advanced Threat Protection for Azure SQL Database, you can follow these steps:
- In the Azure portal, go to Microsoft Sentinel and select the appropriate workspace.
- Under General, select Logs.
- In the Logs page, enter the following KQL query in the query editor:
SecurityAlert | where ProductName == "SQL Advanced Threat Protection" | project TimeGenerated, AlertName, Description
This query filters the SecurityAlert table on the ProductName column, which identifies the product that raised the alert, keeping only rows whose ProductName is "SQL Advanced Threat Protection". It then projects TimeGenerated, AlertName, and Description: the time the alert was generated, the alert's name, and its description. The exact ProductName, ProductComponentName, and ProviderName strings depend on the connector that delivered the alert, so before relying on this filter run SecurityAlert | distinct ProductName, ProductComponentName, ProviderName in your workspace and adjust the value to what the alerts actually carry; a filter on the wrong string silently returns nothing.
- Select Run to execute the query and view the results.
- To save the query for future use, select Save > Save as Log Analytics query.
- In the Save Query page, enter a name and description for your query.
- Select Save.
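The same procedure can be scripted instead of clicked through. The following PowerShell script is an added example, not part of the original page or of any Microsoft sample: it resolves the workspace with the real Get-AzOperationalInsightsWorkspace cmdlet from option A (which, as the answer says, only fetches the workspace; the query itself is still KQL), runs a discovery query to confirm how the alerts are labelled, runs the filter query, and then stores it as a saved search with New-AzOperationalInsightsSavedSearch. The subscription ID, resource group, workspace name, saved-search ID and category are placeholders, and the ProductName value is the one used in the explanation above; replace it with whatever the discovery query returns in your workspace. It requires the Az.Accounts and Az.OperationalInsights modules.

```powershell
# Added example (not from the original page). Placeholders below must be
# replaced with your own subscription, resource group and workspace.
$subscription  = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup = "rg-security"                             # placeholder
$workspaceName = "law-sentinel"                            # placeholder

Connect-AzAccount | Out-Null
Set-AzContext -Subscription $subscription | Out-Null

# The workspace's CustomerId is the workspace ID that the Log Analytics
# query API expects (option A's cmdlet gets us this far and no further).
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $resourceGroup -Name $workspaceName

# Step 1: discover how SQL Advanced Threat Protection alerts are labelled in
# this workspace before hard-coding a ProductName filter.
$discovery = @"
SecurityAlert
| where TimeGenerated > ago(30d)
| summarize Alerts = count() by ProductName, ProductComponentName, ProviderName
| order by Alerts desc
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query $discovery).Results |
    Format-Table -AutoSize

# Step 2: the query to save. The ProductName string is an assumption taken
# from the explanation; substitute the value step 1 actually returned.
$atpQuery = @"
SecurityAlert
| where ProductName == "SQL Advanced Threat Protection"
| project TimeGenerated, AlertName, AlertSeverity, CompromisedEntity, Description, AlertLink
| order by TimeGenerated desc
"@

# Run it once over the last 7 days to confirm it returns rows.
$results = (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId `
    -Query $atpQuery -Timespan (New-TimeSpan -Days 7)).Results
"{0} SQL Advanced Threat Protection alerts in the last 7 days" -f @($results).Count

# Step 3: persist it as a saved search in the workspace. It then appears in the
# Logs blade under the given category. The ID must be unique per workspace;
# use Set-AzOperationalInsightsSavedSearch to update an existing one.
New-AzOperationalInsightsSavedSearch -ResourceGroupName $resourceGroup -WorkspaceName $workspaceName `
    -SavedSearchId "sql-atp-alerts" `
    -DisplayName "SQL Advanced Threat Protection alerts" `
    -Category "Sentinel - SQL" `
    -Query $atpQuery -Version 1
```

Keeping the discovery query in the script is deliberate: the first thing a saved detection query breaks on is a renamed product or connector label, and a zero-row result looks identical to "no attacks". Listing the saved searches afterwards with Get-AzOperationalInsightsSavedSearch -ResourceGroupName $resourceGroup -WorkspaceName $workspaceName confirms the save took effect.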
This question is from the Microsoft AZ-500 Azure Security Technologies certification exam.