Azure Defender Alerts

Identifying Azure Defender alerts

Question

You are using Azure Defender and Azure Sentinel to protect your cloud workloads and monitor your environment.

You need to use the Kusto Query Language (KQL) to construct a query that identifies Azure Defender alerts.

What query should you write to meet these requirements? To answer, complete the query by selecting the correct options from the drop-down menus.

________________________
| where ProductName == "________________________"

Answers

Explanations


Correct Answer: A

You should complete the query as follows:

| where ProductName == "Azure Security Center"

This completes a basic query that returns every security alert produced by Azure Security Center.

Placing SecurityAlert first selects the SecurityAlert table; the following | where ProductName == "Azure Security Center" keeps only the rows in that table whose ProductName column is exactly Azure Security Center. Note that == in KQL is a case-sensitive, exact string comparison, so the value has to match the product name as it is written in the table. Azure Security Center and Azure Defender have since been renamed Microsoft Defender for Cloud, and Azure Sentinel has been renamed Microsoft Sentinel, but the question uses the older names. From here you can expand the query.

For example, you could use KQL to specify time frames or specific devices to query.

Kusto Query Language (KQL) is the language you will use when building queries in Azure Sentinel.

Queries serve as a way to search through the massive amount of data Azure Sentinel has access to.

You should not begin the query with Azure Security Center.

The structure of a query requires that you first identify the key table you will be querying.

The SecurityAlert table contains the security alerts that Azure Sentinel ingests from its connected sources.

You should first query this table, then narrow the search to the alerts coming from the Azure Security Center product.

You should not begin the query with Azure Sentinel.

Again, the structure of a query requires that you first identify the key table you will be querying.

In this case, that would be the SecurityAlert table.

More importantly, while Azure Sentinel is the solution aggregating this data and performing the query, it should not be used as the ProductName.

This should be specified as the Azure Security Center.

You should not end the query with Azure Sentinel.

As mentioned in the paragraph above, the ProductName (solution source) for the SecurityAlert (alerts) table you should query is Azure Security Center.

The query would be run in Azure Sentinel, but do not confuse the solution being queried with the one running the query.

You should not end the query with SecurityAlert.

Here you need to name the solution you want to query.

In this case, that is Azure Security Center.

SecurityAlert would not be a valid ProductName.

Reference:

To construct a query that identifies Azure Defender alerts using Kusto Query Language (KQL), you need to select the correct option from the drop-down menu to complete the query.

Azure Defender is a cloud workload protection service that integrates with Azure Security Center. Therefore, the correct option to select is "Azure Security Center" from the drop-down menu.

The completed query should look like this:

SecurityAlert
| where ProductName == "Azure Security Center"

This query selects the SecurityAlert table, which contains information about security alerts generated by Azure Defender, and filters the results to only show alerts where the ProductName field is equal to "Azure Security Center".

Note that Azure Sentinel is a cloud-native security information and event management (SIEM) service that can ingest security data from various sources, including Azure Defender alerts. However, in this question, we are specifically asked to identify Azure Defender alerts using KQL, so the correct option is "Azure Security Center".
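The extensions the explanation mentions (restricting the time range and narrowing to specific resources), plus a quick check of which ProductName values actually exist in a workspace, as an added KQL example that is not part of the original question or its explanation. The column names (TimeGenerated, AlertName, AlertSeverity, CompromisedEntity, Description, SystemAlertId) are from the SecurityAlert table schema in Log Analytics; the 24-hour and 7-day windows, the severity set and the host name "vm-web-01" are illustrative values chosen here, not values from the page.

```kql
// Added example, not from the original page.
// Step 0: see which ProductName strings this workspace actually holds before
// relying on an exact (case-sensitive) == match in a detection.
SecurityAlert
| summarize Alerts = count() by ProductName
| order by Alerts desc

// Step 1: Azure Security Center (Defender) alerts from the last 24 hours,
// high and medium severity only, limited to one resource.
// "vm-web-01" is a placeholder host name.
SecurityAlert
| where TimeGenerated > ago(24h)
| where ProductName == "Azure Security Center"
| where AlertSeverity in ("High", "Medium")
| where CompromisedEntity =~ "vm-web-01"
| project TimeGenerated, AlertName, AlertSeverity, CompromisedEntity, Description, SystemAlertId
| order by TimeGenerated desc

// Step 2: the same product filter over a week, summarized per resource and
// alert name so repeat offenders stand out instead of individual rows.
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProductName == "Azure Security Center"
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by CompromisedEntity, AlertName
| order by Count desc
```

Run each query separately in the Logs blade (place the cursor in the one you want and run it). The resource filter uses =~ rather than == so that a host name logged in a different case still matches; the ProductName filter deliberately stays exact, which is why the first query is worth running once to confirm the string before it is baked into an analytics rule.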