Conduct end-to-end proactive threat hunting in Microsoft Sentinel

Proactive threat hunting is a process where security analysts seek out undetected threats and malicious behaviors. By creating a hypothesis, searching through data, and validating that hypothesis, they determine what to act on. Actions can include creating new detections, new threat intelligence, or spinning up a new incident.

Use the end to end hunting experience within Microsoft Sentinel to:

  • Proactively hunt based on specific MITRE techniques, potentially malicious activity, recent threats, or your own custom hypothesis.
  • Use security-researcher-generated hunting queries or custom hunting queries to investigate malicious behavior.
  • Conduct your hunts using multiple persisted-query tabs that enable you to keep context over time.
  • Collect evidence, investigate UEBA sources, and annotate your findings using hunt specific bookmarks.
  • Collaborate and document your findings with comments.
  • Act on results by creating new analytic rules, new incidents, new threat indicators, and running playbooks.
  • Keep track of your new, active, and closed hunts in one place.
  • View metrics based on validated hypotheses and tangible results.

Important

Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal. For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see Microsoft Sentinel in the Microsoft Defender portal.

Prerequisites

In order to use the hunts feature, you either need to be assigned a built-in Microsoft Sentinel role, or a custom Azure RBAC role. Here are your options:

Define your hypothesis

Defining a hypothesis is an open ended, flexible process and can include any idea you want to validate. Common hypotheses include:

  • Suspicious behavior - Investigate potentially malicious activity that's visible in your environment to determine if an attack is occurring.
  • New threat campaign - Look for types of malicious activity based on newly discovered threat actors, techniques, or vulnerabilities. This might be something you heard about in a security news article.
  • Detection gaps - Increase your detection coverage using the MITRE ATT&CK map to identify gaps.

Microsoft Sentinel gives you flexibility as you zero in on the right set of hunting queries to investigate your hypothesis. When you create a hunt, initiate it with preselected hunting queries or add queries as you progress. Here are recommendations for preselected queries based on the most common hypotheses.

Hypothesis - Suspicious behavior

  1. For Microsoft Sentinel in the Azure portal, under Threat management, select Hunting.
    For Microsoft Sentinel in the Defender portal, select Microsoft Sentinel > Threat management > Hunting.

  2. Select the Queries tab. To identify potentially malicious behaviors, run all the queries.

  3. Select Run All queries > wait for the queries to execute. This process might take a while.

  4. Select Add filter > Results > unselect the checkboxes "!", "N/A", "-", and "0" values > Apply Screenshot shows the filter described in step 3.

  5. Sort these results by the Results Delta column to see what changed most recently. These results provide initial guidance on the hunt.

Hypothesis - New threat campaign

The content hub offers threat campaign and domain-based solutions to hunt for specific attacks. In the following steps, you install one of these types of solutions.

  1. Go to the Content Hub.

  2. Install a threat campaign or domain-based solution like the Log4J Vulnerability Detection or Apache Tomcat.

    Screenshot shows the content hub in grid view with the Log4J and Apache solutions selected.

  3. After the solution is installed, in Microsoft Sentinel, go to Hunting.

  4. Select the Queries tab.

  5. Search by solution name, or filtering by Source Name of the solution.

  6. Select the query and Run query.

Hypothesis - Detection gaps

The MITRE ATT&CK map helps you identify specific gaps in your detection coverage. Use predefined hunting queries for specific MITRE ATT&CK techniques as a starting point to develop new detection logic.

  1. Navigate to the MITRE ATT&CK (Preview) page.

  2. Unselect items in the Active drop-down menu.

  3. Select Hunting queries in the Simulated filter to see which techniques have hunting queries associated with them.

    Screenshot shows the MITRE ATT&CK page with the option for simulated Hunting queries selected.

  4. Select the card with your desired technique.

  5. Select the View link next to Hunting queries at the bottom of the details pane. This link takes you to a filtered view of the Queries tab on the Hunting page based on the technique you selected.

    Screenshot shows the MITRE ATT&CK card view with the Hunting queries view link.

  6. Select all the queries for that technique.

Create a Hunt

There are two primary ways to create a hunt.

  1. If you started with a hypothesis where you selected queries, select the Hunt actions drop down menu > Create new hunt. All the queries you selected are cloned for this new hunt.

    Screenshot shows queries selected and the create new hunt menu option selected.

  2. If you haven't decided on queries yet, select the Hunts (Preview) tab > New Hunt to create a blank hunt.

    Screenshot shows the menu to create a blank hunt with no preselected queries.

  3. Fill out the hunt name and optional fields. The description is a good place to verbalize your hypothesis. The Hypothesis pull down menu is where you set the status of your working hypothesis.

  4. Select Create to get started.

    Screenshot shows the hunt creation page with Hunt name, description, owner, status, and hypothesis state.

View hunt details

  1. Select the Hunts (Preview) tab to view your new hunt.

  2. Select the hunt link by name to view the details and take actions.

    Screenshot showing new hunt in Hunting tab.

  3. View the details pane with the Hunt name, Description, Content, Last update time, and Creation time.

  4. Note the tabs for Queries, Bookmarks, and Entities.

    Screenshot showing the hunt details.

Queries tab

The Queries tab contains hunting queries specific to this hunt. These queries are clones of the originals, independent from all others in the workspace. Update or delete them without impacting your overall set of hunting queries or queries in other hunts.

Add a query to the hunt

  1. Select Query Actions > add queries to hunt
  2. Select the queries you want to add. Screenshot shows query actions menu in the queries tab page.

Run queries

  1. Select Run all queries or choose specific queries and select Run selected queries.
  2. Select Cancel to cancel query execution at any time.

Manage queries

  1. Right-click a query and select one of the following from the context menu:

    • Run
    • Edit
    • Clone
    • Delete
    • Create analytics rule

    Screenshot shows right-click context menu options in the Queries tab of a hunt.

    These options behave just like the existing queries table in the Hunting page, except the actions only apply within this hunt. When you choose to create an analytics rule, the name, description, and KQL query is prepopulated in the new rule creation. A link is created to view the new analytics rule found under Related analytics rules.

    Screenshot showing hunt details with related analytics rule.

View results

This feature allows you to see hunting query results in the Log Analytics search experience. From here, analyze your results, refine your queries, and create bookmarks to record information and further investigate individual row results.

  1. Select the View results button.
  2. If you pivot to another part of the Microsoft Sentinel portal, then browse back to the LA log search experience from the hunt page, all your LA query tabs remain.
  3. These LA query tabs are lost if you close the browser tab. If you want to persist the queries long term, you need to save the query, create a new hunting query, or copy it into a comment for later use within the hunt.

Add a bookmark

When you find interesting results or important rows of data, add those results to the hunt by creating a bookmark. For more information, see Use hunting bookmarks for data investigations.

  1. Select the desired row or rows.

  2. Above the results table, select Add bookmark. Screenshot showing add bookmark pane with optional fields filled in.

  3. Name the bookmark.

  4. Set the event time column.

  5. Map entity identifiers.

  6. Set MITRE tactics and techniques.

  7. Add tags, and add notes.

    The bookmarks preserve the specific row results, KQL query, and time range that generated the result.

  8. Select Create to add the bookmark to the hunt.

View bookmarks

  1. Navigate to the hunt's bookmark tab to view your bookmarks.

    Screenshot showing a bookmark with all its details and the hunts action menu open.

  2. Select a desired bookmark and perform the following actions:

    • Select entity links to view the corresponding UEBA entity page.
    • View raw results, tags, and notes.
    • Select View source query to see the source query in Log Analytics.
    • Select View bookmark logs to see the bookmark contents in the Log Analytics hunting bookmark table.
    • Select Investigate button to view the bookmark and related entities in the investigation graph.
    • Select the Edit button to update the tags, MITRE tactics and techniques, and notes.

Interact with entities

  1. Navigate to your hunt's Entities tab to view, search, and filter the entities contained in your hunt. This list is generated from the list of entities in the bookmarks. The Entities tab automatically resolves duplicated entries.

  2. Select entity names to visit the corresponding UEBA entity page.

  3. Right-click on the entity to take actions appropriate to the entity types, such as adding an IP address to TI or running an entity type specific playbook.

    Screenshot showing context menu for entities.

Add comments

Comments are an excellent place to collaborate with colleagues, preserve notes, and document findings.

  1. Select

  2. Type and format your comment in the edit box.

  3. Add a query result as a link for collaborators to quickly understand the context.

  4. Select the Comment button to apply your comments.

    Screenshot showing comment edit box with LA query as a link.

Create incidents

There are two choices for incident creation while hunting.

Option 1: Use bookmarks.

  1. Select a bookmark or bookmarks.

  2. Select the Incident actions button.

  3. Select Create new incident or Add to existing incident

    Screenshot showing incident actions menu from the bookmarks window.

    • For Create new incident, follow the guided steps. The bookmarks tab is prepopulated with your selected bookmarks.
    • For Add to existing incident, select the incident and select the Accept button.

Option 2: Use the hunts Actions.

  1. Select the hunts Actions menu > Create incident, and follow the guided steps.

    Screenshot showing hunts actions menu from the bookmarks window.

  2. During the Add bookmarks step, use the Add bookmark action to choose bookmarks from the hunt to add to the incident. You're limited to bookmarks that aren't assigned to an incident.

  3. After the incident is created, it will be linked under the Related incidents list for that hunt.

Update status

  1. When you captured enough evidence to validate or invalidate your hypothesis, update your hypothesis state.

    Screenshot shows hypothesis state menu selection.

  2. When all the actions associated with the hunt are complete, such as creating analytics rules, incidents, or adding indicators of compromise (IOCs) to TI, close out the hunt.

    Screenshot shows Hunt state menu selection.

These status updates are visible on the main Hunting page and are used to track metrics.

Track metrics

Track tangible results from hunting activity using the metrics bar in the Hunts tab. Metrics show the number of validated hypotheses, new incidents created, and new analytic rules created. Use these results to set goals or celebrate milestones of your hunting program.

Screenshot shows hunting metrics.

Next steps

In this article, you learned how to run a hunting investigation with the hunts feature in Microsoft Sentinel.

For more information, see: