Domain 4 of 4 · Chapter 2 of 3

Hunt for Threats by Using Microsoft Sentinel

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Certified: Security Operations Analyst Associate premium course — no separate purchase.

Included in this chapter:

  • Hunting vs detection: two paths over one set of logs
  • MITRE ATT&CK coverage analysis
  • Threat indicators: manage and pivot on IOCs
  • Hunts, hunting queries, and bookmarks
  • Reach old or cheap data: search jobs and archive restore
  • Exam-pattern recognition

Which Microsoft Sentinel hunting tool to reach for

ToolWhat it isWhen to use itKey constraint
Hunting queryA saved KQL query you run on demand against workspace tablesTest a technique hypothesis proactively, with no incident requiredRuns over live, interactive-retention data only
HuntA workspace grouping queries, findings, and collaborators around one hypothesisOrganize a multi-query investigation and track it to a conclusionOrganizational container; it does not itself query data
BookmarkA preserved query row with notes and mapped entitiesCapture and keep a single interesting finding mid-huntStored in HuntingBookmark; promote to an incident to action it
Threat indicatorAn IOC (IP, domain, URL, hash) in ThreatIntelligenceIndicatorPivot logs against known-bad observables, or drive a matching ruleHas confidence and expiration; stale IOCs age out
Search jobAn async KQL search over Basic/Auxiliary or long-term-retention dataQuery high-volume or aged data the live engine will not scanAsynchronous; writes results to a new _SRCH table

Decision tree

Data outside interactive tier?archived, or Basic/AuxiliaryNeed joins / full KQL?over the aged dataYesWhat is the goal?on live, interactive dataNoRestore (_RST)full interactive KQLYesSearch job (_SRCH)async, single tableNoThreat indicatormatch known IOCMatch IOCMITRE matrixsee coverage gapsSee gapsBookmarkpreserve a found rowKeep a rowHunting queryproactive, inside a huntSearch proactively

Cheat sheet

  • Hunting is proactive search; it does not create incidents by itself
  • Promote a proven hunting query into an analytics rule to automate it
  • Use the MITRE ATT&CK page to find techniques you have no coverage for
  • Only tagged rules and queries paint the MITRE coverage matrix
  • Threat indicators are IOCs stored in ThreatIntelligenceIndicator
  • Bring indicators in via TAXII, the upload connector/API, or manual entry
  • Let the Microsoft Defender Threat Intelligence Analytics rule match IOCs automatically
  • A hunt is the investigation; a hunting query is the tool inside it
  • Bookmarks preserve a single query row so a finding survives
  • Add a bookmark to an incident to move from hunting into response
  • Favorite a hunting query to run it automatically on the Hunting page
  • Normal hunting queries see only interactive-tier data in its retention window
  • Run a search job to scan archived or low-cost-tier data asynchronously
  • Restore an archived table when you need full interactive KQL over aged data
  • Interactive retention can run up to two years, archive up to twelve
  • Match the question's intent to the right hunting tool
  • A bookmark needs at least one mapped entity to appear in the investigation graph
  • A hunt's Entities tab is populated only from the bookmarks' entity mappings
  • Tag bookmarks to classify them so a campaign's findings can be filtered together
  • The MITRE ATT&CK matrix shows active scheduled and NRT rules by default, never disabled rules
  • Simulated coverage = detections that are available but not yet configured, not hunting queries you ran
  • A log-data restore must span a time range of at least two days
  • Editing a data-lake KQL job is allowed only if the query keeps the same output schema

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. https://learn.microsoft.com/en-us/azure/sentinel/hunting
  2. https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-overview
  3. https://learn.microsoft.com/en-us/azure/sentinel/mitre-coverage
  4. https://learn.microsoft.com/en-us/azure/sentinel/understand-threat-intelligence
  5. https://learn.microsoft.com/en-us/azure/sentinel/hunts
  6. https://learn.microsoft.com/en-us/azure/sentinel/bookmarks
  7. https://learn.microsoft.com/en-us/azure/sentinel/configure-data-retention-archive
  8. https://learn.microsoft.com/en-us/azure/sentinel/search-jobs
  9. https://learn.microsoft.com/en-us/azure/sentinel/restore