A personal tutor for cybersecurity beginners and pros
Do you feel stuck trying to learn new cybersecurity concepts on your own? Have you been searching for resources online, but have not found what you need to meet your learning goals? Let's discuss how ChatGPT can be your cybersecurity tutor.
Let's consider a scenario: you are a new Microsoft 365 security administrator who wants to improve your threat detection skills. Your company uses Microsoft 365 and has access to the advanced hunting tool built into Microsoft 365 Defender, but your organization isn't using it, or isn't using it to its full potential. You want to develop your skills and make an impact on the organization within one month. Specifically, you want to learn how to write advanced hunting queries.
To help you achieve your goal, we will turn to ChatGPT. By using specific prompts, we can guide ChatGPT to provide us with a step-by-step roadmap for learning how to write advanced hunting queries in Microsoft 365 Defender. The prompts we use will be key to getting the best results.
For instance, we can ask ChatGPT to create a rough guide for us to follow. We can then add more specific requirements, such as breaking the concepts down into weekly learning goals, and get a plan for each day of the week. Any links or resources it suggests need to be checked, since the URLs it returns do not always work.
Overall, ChatGPT can be an excellent resource to help you learn new cybersecurity concepts. By asking specific questions, you can guide ChatGPT to provide you with the information you need to achieve your goals.
First, let's ask ChatGPT to create a roadmap. "Create a roadmap for learning how to use advanced hunting in Microsoft 365 Defender" It will return something like this:
Learning how to use advanced hunting in Microsoft 365 Defender can be a valuable skill for security analysts who want to proactively detect and investigate threats in their organization's environment. Here's a roadmap for learning how to use advanced hunting in Microsoft 365 Defender:
Familiarize yourself with the Microsoft 365 Defender portal: Before diving into advanced hunting, it's important to understand the Microsoft 365 Defender portal and its various components. Spend some time exploring the portal and learning how to navigate through it.
Learn the basics of Microsoft 365 Defender: Next, you should learn the basics of Microsoft 365 Defender, including what it is, how it works, and what its key features are. This will give you a foundation to build upon as you learn about advanced hunting.
Get familiar with the Kusto Query Language (KQL): KQL is the language used to write advanced hunting queries in Microsoft 365 Defender. You should spend time learning the syntax and structure of KQL, as well as how to use it to query data in Microsoft 365 Defender.
Review the Microsoft 365 Defender query library: Microsoft provides a library of pre-built queries that you can use as a starting point for your own queries. Spend time reviewing this library to get an idea of the types of queries you can run in Microsoft 365 Defender.
Create your own queries: Once you have a good understanding of KQL and the query library, it's time to start creating your own queries. Start with simple queries and gradually increase their complexity as you gain more experience.
Refine your queries: As you run queries, you may find that they return too much data or not enough data. Refining your queries is an important part of advanced hunting. Learn how to add filters to your queries to reduce the amount of data returned, or add more fields to get more context.
Learn how to visualize query results: Once you have data from your queries, you'll want to visualize it to make it easier to understand. Microsoft 365 Defender provides several built-in visualization tools, so spend time learning how to use them.
Stay up to date: Microsoft 365 Defender is constantly evolving, so it's important to stay up to date with the latest features and updates. Join the Microsoft Defender ATP community, attend webinars, and read the latest documentation to keep your skills sharp.
By following this roadmap, you can develop a strong foundation for advanced hunting in Microsoft 365 Defender and become proficient in detecting and investigating threats in your organization's environment.
That's a great outline but there's a problem. There's no detail. There isn't any information on how to use KQL or advanced hunting. So let's get a little more granular. Let's ask ChatGPT to break down our learning for each day. I asked: "I'm looking to learn advanced hunting over 1 month. Please give me an outline of what I will need to learn every day" ChatGPT came back with:
Learning advanced hunting in Microsoft 365 Defender over a month will require a consistent effort and focus. Here's an outline of what you could learn every day:
Week 1:
Day 1: Introduction to Microsoft 365 Defender Portal and its components
Day 2: Overview of Microsoft 365 Defender and its features
Day 3: Introduction to Kusto Query Language (KQL)
Day 4: Learning KQL syntax and structure
Day 5: Introduction to Microsoft 365 Defender query library
Week 2:
Day 6: Reviewing and testing the pre-built queries from Microsoft
Day 7: Building your own simple queries
Day 8: Refining your queries to reduce unnecessary data
Day 9: Adding more context to your queries
Day 10: Understanding query results
Week 3:
Day 11: Introduction to data visualization tools in Microsoft 365 Defender
Day 12: Using charts, tables, and graphs to visualize query results
Day 13: Advanced visualization techniques and customization options
Day 14: Introduction to threat intelligence and detection rules
Day 15: Reviewing and using pre-built detection rules from Microsoft
Week 4:
Day 16: Building custom detection rules for your organization
Day 17: Combining detection rules with advanced hunting queries
Day 18: Troubleshooting issues with queries and detection rules
Day 19: Understanding the anatomy of a threat and incident response
Day 20: Best practices for proactive threat hunting and incident response
As you progress through the weeks, you can continue to practice and refine your skills in advanced hunting in Microsoft 365 Defender. It's important to remember that this is just a suggested outline, and you may need to adjust it based on your own learning pace and preferences. Additionally, you can supplement your learning with online resources such as Microsoft documentation, tutorials, and community forums.
20-day guide! Now we are getting somewhere. But there's still a problem. We don't have any information on how to learn this information. We need information. We need meat and potatoes. So let's ask for more information. I originally asked for links and resources but the links it provided were all broken :(
So then I asked for guides on each topic. For example, I skipped Days 1 and 2 because I already know the Defender admin center. I asked "Please provide me with an introduction to Kusto Query Language (KQL)" Here's what I got back:
Kusto Query Language (KQL) is a powerful query language used in Microsoft Azure Data Explorer and other Microsoft services, including Microsoft 365 Defender, for searching and analyzing large datasets. It was developed by Microsoft for querying and analyzing data stored in different data sources, including structured, semi-structured, and unstructured data.
KQL is similar to SQL in terms of syntax and structure, but with some key differences. KQL uses a series of operators, keywords, and functions to query data. For example, you can use the "where" operator to filter data, the "project" operator to select specific columns, and the "summarize" operator to aggregate data.
KQL also includes a number of powerful functions for processing and manipulating data. For example, you can use the "parse" function to extract data from a string, the "datetime" function to work with dates and times, and the "bin" function to group data into intervals.
One of the most powerful features of KQL is its ability to handle large amounts of data quickly and efficiently. It does this through a combination of query optimization techniques, caching, and distributed computing.
Overall, KQL is a versatile and flexible language that can be used to analyze and extract insights from a wide range of data sources. It is well-suited for working with large datasets and can be used by data analysts, security professionals, and others who need to extract insights from complex data sources.
Here's another search: "How do I use KQL in the Microsoft 365 Defender admin center?" This returned some great info too.
In the Microsoft 365 Defender admin center, you can use Kusto Query Language (KQL) to search and analyze data from your organization's devices, users, and applications. Here are the basic steps to use KQL in the Defender admin center:
Log in to the Microsoft 365 Defender admin center with your credentials.
Navigate to the "Advanced hunting" section by clicking on "Advanced hunting" in the left-hand navigation menu.
On the Advanced hunting page, you will see a search box where you can enter your KQL query. You can also select a pre-defined query from the "Query library" on the right-hand side of the page, or you can create a new query by clicking on the "New query" button.
Once you have entered your query, click on the "Run" button to execute the query.
The results of your query will be displayed in a table on the right-hand side of the page. You can filter and sort the results by clicking on the column headers or by using the filter and sort controls at the top of the table.
You can also export the results of your query by clicking on the "Export" button and selecting the format (CSV or JSON) and columns you want to export.
It's important to note that KQL syntax can be complex, so it's helpful to refer to documentation and tutorials to learn more about the language and how to use it effectively. Microsoft provides extensive documentation and training resources for KQL, including video tutorials, documentation, and sample queries.
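To make the operators from ChatGPT's KQL introduction concrete, here is a query you could paste into the advanced hunting editor described in the steps above. It is an added example for this post, not something ChatGPT or the original author wrote. It uses the real DeviceProcessEvents table and its standard column names; the hunt itself (PowerShell launched with a base64-encoded command, a common first hunting query) is my choice, and the regex for the -e/-ec/-enc/-EncodedCommand switch is my own.

```kusto
// Added example for this post (not ChatGPT output): PowerShell launched with a
// base64-encoded command in the last 7 days, aggregated per device/account/hour.
// Table and columns are the standard DeviceProcessEvents schema in advanced hunting.
DeviceProcessEvents
| where Timestamp > ago(7d)                          // "where" filters; the time bound goes first, it prunes the most data
| where FileName in~ ("powershell.exe", "pwsh.exe")  // in~ is a case-insensitive membership test
// extract() pulls the base64 blob after -e, -ec, -enc or -EncodedCommand (regex is my own, case-insensitive)
| extend EncodedPayload = extract(@"(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", 1, ProcessCommandLine)
| where isnotempty(EncodedPayload)                   // keep only launches that actually carried an encoded command
// "project" keeps just the columns the rest of the query needs
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, EncodedPayload, ReportId
// "summarize" aggregates; bin() rounds Timestamp down to one-hour buckets
| summarize Launches = count(),
            DistinctPayloads = dcount(EncodedPayload),
            SampleCommandLine = take_any(ProcessCommandLine)
    by DeviceName, AccountName, InitiatingProcessFileName, Hour = bin(Timestamp, 1h)
| order by Launches desc
```

Run it once without the summarize line to see the raw rows first, then add the aggregation; that is the "refine your queries" step from the roadmap in practice. ReportId is projected because, together with Timestamp and DeviceName, it is what you need to turn a query like this into a custom detection rule later.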
Lastly, ChatGPT won't be replacing many jobs any time soon. ChatGPT isn't perfect. For example, I tried to get the syntax to get the sign-in log failures from Advanced Query. It should look like this: "AADSpnSignInEventsBeta | where ErrorCode > 0" but ChatGPT kept returning "SigninLogs | where ResultType == "0" and TimeGenerated > ago(24h)" which is the syntax for Microsoft Sentinel.
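Because the schema mix-up above is exactly the trap a learner will hit, here is the failed sign-in hunt written for the Microsoft 365 Defender schema, as an added example for this post (not a ChatGPT answer). It assumes the Entra ID sign-in tables are populated in your tenant; both are marked Beta and the suffix is part of the table name. AADSignInEventsBeta holds user sign-ins and AADSpnSignInEventsBeta holds service principal sign-ins, and in both an ErrorCode of 0 is a successful sign-in, so a failure hunt filters on ErrorCode != 0. The Sentinel SigninLogs table that ChatGPT kept reaching for does not exist in Defender (the query errors with an unresolved table), and in Sentinel its ResultType is a string where "0" also means success, so that query would have listed successful sign-ins even in the product it was written for.

```kusto
// Added example for this post (not ChatGPT output). Failed Entra ID sign-ins in the
// last 24 hours across users and service principals, grouped so that one principal
// failing repeatedly or many IPs hitting one account stand out. ErrorCode 0 = success.
union
    (AADSignInEventsBeta                                 // user sign-ins
     | where Timestamp > ago(24h) and ErrorCode != 0
     | extend PrincipalType = "User", Principal = AccountUpn),
    (AADSpnSignInEventsBeta                              // service principal sign-ins
     | where Timestamp > ago(24h) and ErrorCode != 0
     | extend PrincipalType = "ServicePrincipal", Principal = ServicePrincipalName)
| summarize Failures = count(),
            DistinctIPs = dcount(IPAddress),
            ErrorCodes = make_set(ErrorCode, 10),        // at most 10 distinct codes per row
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by PrincipalType, Principal, Application
| where Failures >= 5                                    // tune: 1 while learning, higher in a noisy tenant
| order by Failures desc
```

The Sentinel equivalent of the first branch is "SigninLogs | where TimeGenerated > ago(24h) and ResultType != "0"", which is a useful pair to keep side by side: same language, different table names, different column names, and a different type for the result code. When ChatGPT hands you KQL, checking the table name against the Schema pane in the advanced hunting page is the fastest way to tell which product it was actually written for.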