Create custom hunting queries in Microsoft Sentinel

Hunt for security threats across your organization's data sources with custom hunting queries. Microsoft Sentinel provides built-in hunting queries to help you find issues in the data you have on your network. But you can create your own custom queries. For more information about hunting queries, see Threat hunting in Microsoft Sentinel.

Create a new query

In Microsoft Sentinel, create a custom hunting query from the Hunting > Queries tab.

  1. Go to the Azure portal, under Threat management select Hunting.

  2. Select the Queries tab.

  3. From the command bar, select New query.

    Save query

  4. Fill in all the blank fields.

    1. Create entity mappings by selecting entity types, identifiers, and columns.

      Screenshot for mapping entity types in hunting queries.

    2. Map MITRE ATT&CK techniques to your hunting queries by selecting the tactic, technique, and sub-technique (if applicable).

      New query

  5. When your finished defining your query, select Create.

Clone an existing query

Clone a custom or built-in query and edit it as needed.

  1. From the Hunting > Queries tab, select the hunting query you want to clone.

  2. Select the ellipsis (...) in the line of the query you want to modify, and select Clone.

    Clone query

  3. Edit the query and other fields as appropriate.

  4. Select Create.

Edit an existing custom query

Only queries that from a custom content source can be edited. Other content sources have to be edited at that source.

  1. From the Hunting > Queries tab, select the hunting query you want to change.

  2. Select the ellipsis (...) in the line of the query you want to change, and select Edit.

  3. Update the Query field with the updated query. You can also change the entity mapping and techniques.

  4. When finished select Save.