How to run and view SonicWall's hunting queries in your Sentinel workspace?

Description

NOTE: The instructions below apply to any hunting query and are not SonicWall-specific. SonicWall’s hunting queries, analytic rule templates, workbooks, and other content may require deploying SonicWall’s ASIM parsers into your Microsoft Sentinel workspace.

This article covers how to run SonicWall’s hunting queries and view results in your Microsoft Sentinel workspace. To follow this article, you need to have installed the SonicWall Network Security Solution using the Content Hub in Microsoft Sentinel and deployed the SonicWall ASIM parsers into your Microsoft Sentinel workspace.

Prerequisites

How to install the SonicWall Network Security Solution into your Sentinel workspace using the Content Hub

How to Deploy the SonicWall ASIM Parsers into your Sentinel workspace

Instructions

To run a hunting query and view the results:

  1. Within your Microsoft Sentinel workspace, navigate to the “Threat management” > “Hunting” page.
  2. Click on the “Queries” tab.
  3. Select a time frame from the menu near the top of the page to limit the query, or select a custom range.
  4. Select a hunting query from the list.
  5. Click the “Run” button near the bottom of the page in the right pane to execute the query.
  6. The result count is displayed. To view the query results themselves, click the “View results” button near the bottom of the page in the right pane. The full query and its results are displayed on the Logs page, where you can adjust the query or time range and browse the returned events for further analysis. Clicking the X near the top right of the page closes the Logs page and returns you to the Hunting page.
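As an added example (not a SonicWall-provided query), the following KQL shows the kind of ASIM-based hunting query the steps above run: it uses the ASIM NetworkSession unifying parser, which is why the parsers must be deployed first. The `EventVendor == "SonicWall"` label and the source-count threshold are assumptions.

```kql
// Added example, not a SonicWall query: hunt for destination ports on which
// many distinct sources are being denied by the firewall (a common sign of
// scanning or a misconfigured client), over the ASIM NetworkSession parser.
// Assumptions: _Im_NetworkSession is deployed, the SonicWall ASIM parser
// populates EventVendor == "SonicWall", and the threshold of 10 sources suits
// your environment. Passing the time range and result filter as parser
// parameters scopes the data up front instead of filtering afterwards.
let lookback = 1d;
let min_sources = 10;
_Im_NetworkSession(starttime=ago(lookback), endtime=now(), eventresult='Failure')
| where EventVendor == "SonicWall"           // assumed vendor label
| where DvcAction in ("Deny", "Drop")        // firewall blocked the session
| summarize
    DeniedCount = count(),
    DistinctSources = dcount(SrcIpAddr),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by DstIpAddr, DstPortNumber
| where DistinctSources >= min_sources
| order by DeniedCount desc
```

When run from the Hunting page, the time picker described in step 3 overrides the hard-coded lookback, so the same query can be re-run over a custom range without editing it.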

Related Articles

  • SonicOS 8.1.0 FAQ
  • SonicWall GEN8 TZs and GEN8 NSas Settings Migration
  • Getting started with SonicWall firewalls