Lab 1 - Azure Ad hoc investigation using Live Tail

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

This lab give you practical experience to use metadata and keywords to narrow your search scope and improve performance for a security context.

In this lab, you will learn the use of metadata and keywords to narrow your search scope and improve performance. You will also do an ad hoc investigation using real time log data with Live Tail.

When you narrow your search as a best practice, your monthly data ingested could be reduced. reduced. Also, a query using keywords will run faster as it may have less data to examine.

Using Live Tail

First let's just get familiar with our incoming Active Directory data using a simple scoping line that isolates specifically Active Directory incoming data. Search for all messages for the last 15 min with _sourceCategory=Labs/Azure/AD.

_sourceCategory=Labs/Azure/AD
Now, to further improve the query performance and keep your ingesting data optimal, let's narrow your search down. Let's search for only incoming messages that contain the keyword administrator by adding the keyword administrator at the end.
_sourceCategory=Labs/Azure/AD and administrator
To locate the keyword administrator in the log message results, you will need to expand properties by clicking on the arrow expander to the right of properties, . You will now see administrator highlighted at this nested level.
Keywords are case insensitive. To show this replace administrator with Administrator, or ADMINISTRATOR, and re-running the query.
_sourceCategory=Labs/Azure/AD and ADMINISTRATOR
Using wildcards can be helpful. Let's search for messages across all your Azure data that contain the word "administrator". To locate the keyword administrator in the log message results, you will need to expand properties by clicking on the drop down. You will see administrator highlighted at this nested level.
sourceCategory=Labs/Azure/* and administrator
There is another way to look at the nested JSON hierarchy in the log messages. In the middle right, click Expand JSON. You will see your nested levels all expanded for JSON display. You can toggle back using click Collapse JSON. Also try clicking View as Raw, if you don't care to see it displayed in JSON format.
For security reasons you may want to quickly monitor incoming data as it is being ingested. Using the last query, run a Live Tail session. Click Live Tail. There currently is a limit of 10 concurrent Live Tail sessions per organization. For more help on troubleshooting Live Tail look here.
Just as we expanded in the messages to look at administrator, perhaps you want to see all administrator coming in with their associated userName's. We offer highlighting in Live Tail. Click on the A button in the upper right and type administrator and press Enter, then type username and press Enter. Just like Keywords, metadata has no case sensitivity.
Click any where in the Live Tail window to observe the highlights clearly and the entry box will close. Maybe you want to pause the tail before the administrator disappears off the screen? To do this, at the upper right, click Pause and then to resume click Jump to Bottom or .
To disable the highlighted text, click the A button and click on the x.
Often we may want to see a specific user's activity. You can track a administrator found in this query's data source to another incoming data source. You can run up to 2 Live Tail session in a browser. To compare these results with another source of data using Live Tail, click on the 3 vertical dots on the upper right of the Live Tail window and select Split Screen. This allows you to run two Live Tails at the same time. Enter _sourceCategory=labs/azure/audit Split screen is helpful in general for an adhoc type of analysis.
To close the Live Tail you can either click on the 3 vertical dots and select Stop Live Tail, or just close out the browser tab by clicking on the X