You are threat hunting using Azure Sentinel.
You have created a query designed to identify a specific event on your domain controller.
You need to create several similar queries because you have multiple domain controllers and want to keep each query separate.
The solution should minimize administrative effort.
Which three actions should you perform in sequence to clone a query? To answer, move the appropriate actions from the list of possible actions to the answer area and arrange them in the correct order.
Create a list in the correct order from the following actions:
A. Choose Clone query by clicking the ellipsis icon at the end of the row.
B. On the Hunting page of Azure Sentinel, select New query.
C. On the Create custom query page, make your edits, then click the Create button.
D. Select the ellipsis in the line of the query you want to modify, and select Edit query.
E. On the Hunting page of Azure Sentinel, find the query you wish to clone.
Correct Answer: E, A, C
You should perform the following tasks in order:
1. On the Hunting page of Azure Sentinel, find the query you wish to clone.
2. Choose Clone query by clicking the ellipsis icon at the end of the row.
3. On the Create custom query page, make your edits, then click the Create button.
First, you should find the query you wish to clone.
You will do this by navigating to the Hunting page within Azure Sentinel and then looking through the list of queries.
This will allow you to ensure the right initial query is cloned in the next step.
Next, you should choose the Clone query option.
This is accessible via the ellipsis at the end of the row for the query you found in step one.
This will make a copy of the query you identified in the first step and will take you to the page where you can make changes to that copy.
Finally, you should make your edits then click the Create button.
These edits will be made on the Create custom query page, which is the page you are taken to after selecting Clone query in step two.
This will allow you to tweak the copy to your needs.
When you click Create, the query you copied remains in its original state and a new query containing your edits is saved alongside it.
This lets you, for example, change the hostname (or IP address) in the query to match each of your other domain controllers (DCs) while keeping the rest of the query identical, and it leaves the original query untouched.
This is a fast, efficient way to produce several related queries that differ only in minor details.
Starting each query from scratch would take much longer and would be more likely to introduce human error in the query syntax.
You should not select New query on the Hunting page of Azure Sentinel.
While this option could ultimately be chosen to generate the queries for your other DCs, as mentioned above, you would be starting from scratch.
If you only need to change a few minor things in your query, going to New query is a waste of time as the clone option gives you a better starting point.
You should not select the ellipsis in the line of the query you want to modify, and select Edit query.
This would allow you to edit an existing query, but it would not create a copy of it.
Any edits made here would alter the original query.
With the Clone query option, you leave the original unaltered, while efficiently creating new queries based on it.
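The portal's Clone query action is the right answer when there are a handful of domain controllers, but the same "copy, change the hostname filter, save as a new query" step can be scripted when there are many. The following is an added example, not code from the question or from Microsoft's documentation: it takes a constructed base hunting query scoped to one DC, clones it for a hypothetical list of other DCs by swapping only the quoted hostname, and builds the JSON body that a Log Analytics saved search expects. The hostname, EventID, DC names, tactic tag and saved-search ids are all illustrative assumptions, as is the premise that Sentinel hunting queries are stored as Log Analytics saved searches under the category "Hunting Queries". Nothing is sent to Azure; the bodies are what you would PUT to the workspace's savedSearches resource.

```python
"""Generate per-DC clones of a Sentinel hunting query (added example)."""
import json
import re

# Constructed sample: the "original" hunting query from the question, scoped
# to one domain controller. Hostname and EventID are illustrative assumptions.
BASE_QUERY = """SecurityEvent
| where Computer == "DC01.corp.example"
| where EventID == 4769
| project TimeGenerated, Computer, Account, ServiceName"""

BASE_HOST = "DC01.corp.example"
# Hypothetical list of the other domain controllers to create clones for.
OTHER_DCS = ["DC02.corp.example", "DC03.corp.example"]


def clone_query(base_query: str, old_host: str, new_host: str) -> str:
    """Return a copy of base_query with the quoted hostname swapped.

    Only exact, quoted matches are replaced so that "DC01" inside a longer
    hostname or a comment is not touched. Refuses to produce a clone that is
    identical to the original (an easy mistake in the portal, which leaves you
    with two queries hunting the same host).
    """
    pattern = re.compile(r'"' + re.escape(old_host) + r'"')
    if not pattern.search(base_query):
        raise ValueError(f"hostname {old_host!r} not found in query")
    cloned = pattern.sub(f'"{new_host}"', base_query)
    if cloned == base_query:
        raise ValueError("clone is identical to the original query")
    return cloned


def saved_search_body(display_name: str, query: str, description: str) -> dict:
    """Build the request body for a Log Analytics saved search.

    Assumption: Sentinel hunting queries are stored as saved searches with
    category "Hunting Queries" and description/tactics tags. The tactic value
    is illustrative. Nothing is sent here; the caller would PUT this JSON.
    """
    return {
        "properties": {
            "category": "Hunting Queries",
            "displayName": display_name,
            "query": query,
            "version": 2,
            "tags": [
                {"name": "description", "value": description},
                {"name": "tactics", "value": "CredentialAccess"},
            ],
        }
    }


def clone_for_dcs(base_query: str, base_host: str, dcs: list[str]) -> dict[str, dict]:
    """Produce one saved-search body per DC, keyed by a hypothetical saved-search id.

    The original query string is never modified, mirroring the portal's
    Clone query behaviour; each clone differs only in the hostname filter.
    """
    bodies = {}
    for dc in dcs:
        short = dc.split(".")[0]
        search_id = f"hunt-dc-ticket-events-{short.lower()}"
        bodies[search_id] = saved_search_body(
            display_name=f"DC ticket events ({short})",
            query=clone_query(base_query, base_host, dc),
            description=f"Cloned from the {base_host} hunting query; scoped to {dc}.",
        )
    return bodies


if __name__ == "__main__":
    print(json.dumps(clone_for_dcs(BASE_QUERY, BASE_HOST, OTHER_DCS), indent=2))
```

The two ValueError checks in clone_query are the practitioner's safety net: a clone whose hostname filter was not actually changed is indistinguishable from the original in the Hunting list until someone notices that two queries return the same rows.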
Reference:
Steps to clone a hunting query in Azure Sentinel (the product has since been renamed Microsoft Sentinel; the Hunting page and its Clone query action are the same):
1. On the Hunting page of Azure Sentinel, locate the existing query you want to clone.
2. Click the ellipsis icon at the end of that query's row and select Clone query.
3. On the Create custom query page, edit the copy as needed (for example, the hostname of the domain controller) and click Create to save it as a new query.
In summary, the correct sequence of actions is:
E. On the Hunting page of Azure Sentinel, find the query you wish to clone.
A. Choose Clone query by clicking the ellipsis icon at the end of the row.
C. On the Create custom query page, make your edits, and then click the Create button.
This sequence locates the query, clones it, and saves the modified copy as a separate query, which lets you create similar queries for multiple domain controllers with minimal administrative effort while leaving the original unchanged.