10.12 Module Summary

14-18 hours · Module 10

Module 10 Summary: Perform Threat Hunting in Microsoft Sentinel

What you learned in this module

This module built the proactive hunting layer that complements the automated detection from Module 9. Together, Modules 9 and 10 provide comprehensive threat coverage: detection catches the 80% of threats that match known patterns; hunting finds the 20% that evade detection.

Subsection 10.1 — Threat Hunting Concepts and Methodology. Detection vs hunting. The three approaches: hypothesis-driven (test a theory), indicator-driven (search for IOCs), and analytics-driven (explore for anomalies). The hunting cycle: hypothesise → query → analyse → document → improve detection → close.

Subsection 10.2 — The Sentinel Hunting Experience. The Hunting blade: query management, MITRE ATT&CK mapping, result tracking, and built-in query library. Creating and managing custom queries. Filtering by data source and ATT&CK tactic. The unified hunting surface in the Defender portal.

Subsection 10.3 — Writing Effective Hunting Queries. Six KQL hunting patterns: rare event discovery, statistical outlier detection, first-time occurrence, temporal anomaly, cross-table correlation, and stacking. Each pattern targets a different category of threat behaviour.
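Two of the six patterns written out in KQL, as an added example that is not part of the original module content. The first query implements first-time occurrence: a successful sign-in from a country the account has not used in the preceding 30 days. The second implements statistical outlier detection: today's failed-logon count for an account compared against that account's own daily baseline using a z-score. Table and column names follow the standard SigninLogs and SecurityEvent schemas; the lookback windows, the minimum of five baseline days and the z-score threshold of 3 are assumptions to tune per environment. The two queries are independent; run each on its own.

```kusto
// ---------------------------------------------------------------
// Pattern 1: first-time occurrence (new sign-in country per user)
// Assumes SigninLogs is ingested. Windows below are assumptions.
// ---------------------------------------------------------------
let lookback = 30d;   // baseline period: what is "known" for each user
let recent   = 1d;    // hunt window: what is "new"
let known = SigninLogs
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | where ResultType == "0"                       // successful sign-ins only
    | extend Country = tostring(LocationDetails.countryOrRegion)
    | summarize by UserPrincipalName, Country;      // distinct (user, country) pairs
SigninLogs
| where TimeGenerated > ago(recent)
| where ResultType == "0"
| extend Country = tostring(LocationDetails.countryOrRegion)
| where isnotempty(Country)
// leftanti keeps only rows with no match in the baseline: the new pairs
| join kind=leftanti known on UserPrincipalName, Country
| summarize FirstSeen = min(TimeGenerated),
            SigninCount = count(),
            SourceIPs = make_set(IPAddress, 10),
            Apps = make_set(AppDisplayName, 10)
        by UserPrincipalName, Country
| order by FirstSeen asc

// ---------------------------------------------------------------
// Pattern 2: statistical outlier (failed logons per account, z-score)
// Assumes SecurityEvent with EventID 4625 is ingested.
// ---------------------------------------------------------------
let daily = SecurityEvent
    | where TimeGenerated > ago(14d) and EventID == 4625
    | summarize Failures = count() by Account, Day = bin(TimeGenerated, 1d);
let baseline = daily
    | where Day < startofday(now())                 // exclude today from the baseline
    | summarize Mean = avg(Failures), Sd = stdev(Failures), BaselineDays = count() by Account
    | where BaselineDays >= 5;                      // assumption: need enough history for stdev to mean anything
daily
| where Day == startofday(now())
| join kind=inner baseline on Account
// guard against a flat baseline (Sd == 0) which would divide by zero
| extend ZScore = iff(Sd == 0, 0.0, (Failures - Mean) / Sd)
| where ZScore > 3                                  // assumption: 3 sigma threshold, tune per environment
| project Account, Failures, Mean, Sd, BaselineDays, ZScore
| order by ZScore desc
```

Both queries return a short, ranked result set rather than raw events, which is what makes them usable as hunt starting points: each row is a candidate to bookmark (Subsection 10.5) and, if the hypothesis holds, a candidate to promote into a scheduled analytics rule.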

Subsection 10.4 — Hypothesis-Driven Hunting. Formulating hypotheses with four components (what, why, where, how). Testing hypotheses with KQL. The hypothesis testing workflow. Documenting hunts with the hunt record template. The value of negative findings.

Subsection 10.5 — Hunting Bookmarks and Evidence Collection. Creating bookmarks from hunting results. Entity mapping in bookmarks. Promoting bookmarks to incidents. Bookmark lifecycle and evidence chain best practices.

Subsection 10.6 — Livestream: Real-Time Hunting. Continuous query monitoring during active hunts and investigations. Livestream vs NRT rules vs scheduled rules. Promoting Livestream queries to permanent detection rules.

Subsection 10.7 — Search Jobs and Archived Data. Hunting against Archive tier data. Search job creation, management, and result analysis. The _SRCH results table. Cost considerations for archived data scanning.

Subsection 10.8 — Hunt Management and Collaboration. Structured hunt tracking with the hunt management workflow. The hunt log and monthly hunt metrics. Pair hunting and hunt handover. Cross-team intelligence sharing.

Subsection 10.9 — MITRE ATT&CK-Driven Hunting. Systematic technique identification, coverage checking, prioritisation, and gap-driven hunting. Hunting queries mapped to high-priority ATT&CK techniques. The ATT&CK hunting coverage tracker.

Subsection 10.10 — Hunting with Notebooks. Jupyter notebooks for advanced analysis: network graphs, time series decomposition, machine learning. MSTICPy library. When notebooks add value vs standard KQL. Content Hub notebook templates.

Subsection 10.11 — Building a Hunting Programme. Programme components: cadence, hypothesis backlog, query library, hunt log, and detection integration. Solo operator cadence. Programme effectiveness metrics. The hunting-detection feedback loop.

SC-200 exam objectives covered

Domain 4 — Manage Security Threats (15-20%): Explain threat hunting concepts. Perform threat hunting using the Microsoft Sentinel portal. Hunt for threats using bookmarks. Hunt for threats using Livestream. Use search jobs in Microsoft Sentinel. Hunt for threats using notebooks.

Skills checklist

Explain the difference between detection and hunting.
Describe the three hunting approaches.
Follow the hunting cycle from hypothesis to closure.
Navigate the Sentinel Hunting blade and manage hunting queries.
Write hunting queries using all six patterns (rare events, outliers, first-time, temporal, cross-table, stacking).
Formulate testable hunting hypotheses with four components.
Create, manage, and promote bookmarks.
Use Livestream for real-time monitoring during active hunts.
Create and manage search jobs for archived data hunting.
Track hunts with the hunt management workflow.
Conduct MITRE ATT&CK-driven hunts against coverage gaps.
Use notebooks for advanced analysis when KQL is insufficient.
Build a hunting programme with cadence, backlog, and detection integration.

What comes next

Modules 7-10 complete the core Sentinel operational capability. The remaining modules in this course cover advanced investigation scenarios that apply everything you have learned: Module 11 (AiTM credential phishing investigation), Module 12 (BEC investigation), Module 13 (token replay investigation), Module 14 (IR reporting), and Module 15 (detection engineering portfolio). These modules are where the techniques from Modules 1-10 come together in realistic, end-to-end investigation scenarios drawn from real-world experience.

The complete Sentinel operational model

Workspace (M7) → Data (M8) → Detection (M9) → Hunting (M10). These four modules, applied together, provide: a properly configured workspace with health monitoring and governance, comprehensive data coverage across identity, endpoint, email, network, and custom sources, automated detection with analytics rules covering known threat patterns, proactive hunting for unknown threats that bypass detection, automated response through playbooks and automation rules, operational visibility through workbooks and dashboards, behavioural analysis through UEBA, cross-vendor normalisation through ASIM, and continuous improvement through the detection engineering lifecycle fed by hunting findings.

This is a world-class security operations capability — built on Sentinel, operated by you.