Hunting
In any environment, security requires being proactive. In Sentinel you have analytic rules, which create incidents. Some of these incidents are quite obvious, like a user reporting a message as phish, or a user signing in from a new device. But what about less common threats or new threats? How do you find those and, more importantly, be proactive about it?
This is where Hunting in Sentinel can be beneficial. Most organizations face the same threats, but all organizations have different risk tolerances, cybersecurity maturity levels, and different resources they are protecting. The most obvious threats are already Defender incidents or analytic rules within Sentinel solutions. These solutions will also sometimes contain Hunting queries as well. By using these Hunting queries we can find those new threats, or unusual activities within our environment.
To get started, simply run the hunting query and wait for the results to be returned; you can also run all hunting queries at once. You can compare the results of these queries over time as well with the delta column. Maybe a particular hunt usually averages around 25 results a day and suddenly spikes to 200; that's likely something worth investigating.
Hunts tend to search for less obviously malicious activity that may be an IOC, and that activity can occur quite frequently; this is why these aren't analytic rules creating incidents for us by default. Depending on what you find, you may actually turn a hunt into an analytic rule, but usually this comes after some further fine-tuning of the search criteria.
Custom query
Not all queries have to come from a content hub solution, you can create custom queries as well. These are great for keeping an eye on certain activities you are suspicious of but haven't risen to the level of being a confirmed threat.
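As an added example (not from the original page), here is a custom hunting query in KQL that applies the "usual average versus sudden spike" idea described above to failed sign-ins per account. It assumes the standard Entra ID SigninLogs table is connected to the workspace; the thresholds (at least 25 failures today and more than 5x the trailing 7-day daily average) are constructed starting points to tune for your environment.

```kql
// Hypothetical custom hunting query: surface accounts whose failed sign-in count
// today is far above that account's own trailing 7-day daily average.
let lookback = 7d;
let today = startofday(now());
// Baseline: average failed sign-ins per day, per account, over the prior 7 days.
let baseline =
    SigninLogs
    | where TimeGenerated between ((today - lookback) .. today)
    | where ResultType != "0"          // ResultType "0" is a successful sign-in
    | summarize DailyFailures = count() by UserPrincipalName, Day = bin(TimeGenerated, 1d)
    | summarize AvgDailyFailures = avg(DailyFailures) by UserPrincipalName;
// Today's failures per account, with up to 10 distinct source IPs for context.
SigninLogs
| where TimeGenerated >= today
| where ResultType != "0"
| summarize TodayFailures = count(), Sources = make_set(IPAddress, 10) by UserPrincipalName
| join kind=leftouter baseline on UserPrincipalName
// Accounts with no history in the baseline window get an average of 0.
| extend AvgDailyFailures = coalesce(AvgDailyFailures, 0.0)
// Constructed thresholds: flag only meaningful volume that is also a clear spike.
| where TodayFailures >= 25 and TodayFailures > 5 * AvgDailyFailures
| project UserPrincipalName, TodayFailures, AvgDailyFailures, Sources
| order by TodayFailures desc
```

Save it as a custom hunting query and let the delta column track how the result count moves day to day; once the criteria stop producing noise, it is a candidate for promotion to an analytic rule.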
Bookmarks
If you have been working with a hunting query and find something of particular interest, perhaps because you need to discuss it with a team member later or switch to a new task, you can bookmark your query and its results. These will be stored in the HuntingBookmark table and can be linked to an incident or be used to create a new incident.
Construction
Is HuntingBookmark billable?
Livestream
Another unique feature of Hunting is that you can start a livestream using a hunt query. This allows you to test your theories in real time with streaming data. You don't have to sit on the livestream page waiting for an event to happen either; you will receive a notification in the Azure or Defender portal when a log matches your query.