Hunting in Microsoft's unified SecOps platform
Hunting for security threats is a highly customizable activity that is most effective when carried out across all stages of threat hunting: proactive, reactive, and post incident. Microsoft's unified security operations (SecOps) platform provides effective hunting tools for every stage of threat hunting. These tools are well suited to analysts who are just starting out in their career and to experienced threat hunters using advanced hunting methods. Threat hunters of all levels benefit from hunting tool features that allow them to share their techniques, queries, and findings with their team along the way.
Hunting tools
The foundation of hunting queries in the Defender portal rests on Kusto Query Language (KQL). KQL is a powerful and flexible language that's optimized for searching through big-data stores in cloud environments. However, crafting complex queries isn't the only way to hunt for threats. Here are some more hunting tools and resources within the Defender portal designed to bring hunting into your reach:
- Security Copilot in advanced hunting generates KQL from natural language prompts.
- Guided hunting uses a query builder for crafting meaningful hunting queries without knowing KQL or the data schema.
- Get help as you write queries with features like autosuggest, schema tree, and sample queries.
- Content hub provides expert queries to match out-of-the-box solutions in Microsoft Sentinel.
- Microsoft Defender Experts for Hunting complements even the best threat hunters who want assistance.
Maximize the full extent of your team's hunting prowess with the following hunting tools in the Defender portal:
Hunting tool | Description |
---|---|
Advanced hunting | View and query data sources available within Microsoft's unified SecOps platform and share queries with your team. Use all your existing Microsoft Sentinel workspace content, including queries and functions. |
Microsoft Sentinel hunting | Hunt for security threats across data sources. Use specialized search and query tools like hunts, bookmarks and livestream. |
Go hunt | Quickly pivot an investigation to entities found within an incident. |
Hunts | An end-to-end, proactive threat hunting process with collaboration features. |
Bookmarks | Preserve queries and their results, adding notes and contextual observations. |
Livestream | Start an interactive hunting session and use any Log Analytics query. |
Hunting with summary rules | Use summary rules to save costs hunting for threats in verbose logs. |
MITRE ATT&CK map | When creating a new hunting query, select specific tactics and techniques to apply. |
Restore historical data | Restore data from archived logs to use in high-performing queries. |
Search large data sets | Search for specific events in logs up to seven years ago using KQL. |
Infrastructure chaining | Hunt for new connections between threat actors, group similar attack activity and substantiate assumptions. |
Threat explorer | Hunt for specialized threats related to email. |
Hunting stages
The following table describes how you can make the most of the Defender portal's hunting tools across all stages of threat hunting:
Hunting stage | Hunting tools |
---|---|
Proactive - Find the weak areas in your environment before threat actors do. Detect suspicious activity as early as possible. | - Regularly conduct end-to-end hunts to proactively seek out undetected threats and malicious behaviors, validate hypotheses, and act on findings by creating new detections, incidents, or threat intelligence. - Use the MITRE ATT&CK map to identify detection gaps, and then run predefined hunting queries for highlighted techniques. - Insert new threat intelligence into proven queries to tune detections and confirm whether a compromise is in progress. - Take proactive steps to build and test queries against data from new or updated sources. - Use advanced hunting to find early-stage attacks or threats that don't have alerts. |
Reactive - Use hunting tools during an active investigation. | - Use livestream to run specific queries at consistent intervals to actively monitor events. - Quickly pivot on incidents with the Go hunt button to search broadly for suspicious entities found during an investigation. - Hunt through threat intelligence to perform infrastructure chaining. - Use Security Copilot in advanced hunting to generate queries at machine speed and scale. |
Post incident - Improve coverage and insights to prevent similar incidents from recurring. | - Turn successful hunting queries into new analytics and detection rules, or refine existing ones. - Restore historical data and search large datasets for specialized hunting as part of full incident investigations. |
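The proactive stage above asks you to use advanced hunting to find activity that has no alert, and the post-incident stage asks you to turn a successful query into a detection rule. The following KQL query is an added example of that workflow; it is not code from the original page or from Microsoft. It uses the `DeviceProcessEvents` and `AlertEvidence` tables of the advanced hunting schema, and looks for rare encoded PowerShell launches on devices that have produced no alert evidence in the same window, so that the result set is small enough to review by hand. The seven-day lookback, the rarity threshold of five launches per device, and the regular expression are assumptions you would tune for your environment.

```kql
// Added example, not from the original page: a proactive advanced hunting query
// for encoded PowerShell launches on devices with no alert evidence in the window.
// Table and column names come from the advanced hunting schema; the lookback,
// threshold and regex are assumptions to tune per environment.
let lookback = 7d;
// Devices that already appear in alert evidence; hunting focuses on what has no alert.
let alertedDevices =
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where isnotempty(DeviceId)
    | distinct DeviceId;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
// -EncodedCommand and its accepted abbreviations (-e, -enc), case-insensitive,
// followed by a base64-looking argument of at least 20 characters.
| where ProcessCommandLine matches regex @"(?i)\s-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"
| where DeviceId !in (alertedDevices)
| summarize
    Launches = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleCommandLine = take_any(ProcessCommandLine)
    by DeviceId, DeviceName, AccountName, InitiatingProcessFileName
// Keep rare per-device activity; frequent, legitimate automation is noise for a hunt.
| where Launches <= 5
| order by FirstSeen desc
```

Once the query has been run and its hits reviewed, the same logic can be saved as a shared query for the team or promoted to a custom detection rule; the `summarize` step and the rarity filter are the parts you would normally loosen or remove when the query becomes a detection rather than a hunt.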