Module 11: Perform Threat Hunting in Microsoft Sentinel

14-18 hours · Manage Security Threats (15-20%)

Module 10 built the automated detection layer — analytics rules that continuously evaluate data and create incidents when threat patterns appear. But analytics rules only detect what you explicitly define. An attacker who uses a novel technique, or a known technique in an unexpected way, can evade every rule in your library.

Threat hunting closes this gap. It is the proactive, analyst-driven search for threats that automated detection misses. Where analytics rules ask “has this specific pattern appeared?”, hunting asks “what is happening in my environment that I do not expect?” The hunter examines data without a predefined alert trigger, follows hypotheses based on threat intelligence, and discovers compromises that would otherwise remain undetected until the attacker achieves their objective.

Threat hunting falls under the SC-200 exam's “Manage Security Threats” domain (15-20%). Questions test hunting concepts and methodology, using the Sentinel hunting experience, bookmarks, Livestream, search jobs, and MITRE ATT&CK-based hunting.

Prerequisites

Complete Modules 6 (KQL), 7 (workspace configuration), 8 (data connectors), and 9 (detections and investigation). Hunting requires: a workspace with data flowing (M7-M8), KQL proficiency (M6), and understanding of the detection landscape so you know what your rules already cover and where the gaps are (M10). The MITRE ATT&CK coverage analysis from Module 10.11 is the starting point for gap-driven hunting.

What you will be able to do after completing this module

After completing this module, you will be able to explain the difference between detection and hunting and when each is appropriate. You will develop hypotheses based on threat intelligence and environmental knowledge. You will write hunting queries that surface anomalous and suspicious activity across all Sentinel data sources. You will use bookmarks to capture and preserve hunting evidence within the investigation workflow. You will deploy Livestream for real-time, continuous hunting on specific queries. You will run search jobs against archived data to hunt historical threats. You will manage hunts with structured tracking and collaboration. You will conduct MITRE ATT&CK-driven hunts that systematically close detection gaps. You will use Jupyter notebooks for advanced analysis. And you will build a recurring hunting programme that operates alongside automated detection.

How this module is structured

10.1 — Threat Hunting Concepts and Methodology. What hunting is, how it differs from detection, the three hunting approaches (hypothesis-driven, indicator-driven, analytics-driven), and the hunting cycle.

10.2 — The Sentinel Hunting Experience. The Hunting blade, built-in hunting queries, custom queries, and the hunting dashboard.

10.3 — Writing Effective Hunting Queries. KQL patterns for hunting: anomaly detection, rare event discovery, statistical outliers, temporal analysis, and cross-table correlation.

10.4 — Hypothesis-Driven Hunting. Formulating hypotheses from threat intelligence, testing hypotheses with KQL, and documenting results.

10.5 — Hunting Bookmarks and Evidence Collection. Creating, managing, and using bookmarks during hunts. Promoting bookmarks to incidents.

10.6 — Livestream: Real-Time Hunting. Continuous query monitoring for active hunts. When to use Livestream versus scheduled rules versus near-real-time (NRT) rules.

10.7 — Search Jobs and Archived Data. Hunting against data in the Archive tier. Search job creation, management, and result analysis.

10.8 — Hunt Management and Collaboration. Tracking hunts, assigning tasks, documenting findings, and collaborating across the SOC.

10.9 — MITRE ATT&CK-Driven Hunting. Using the ATT&CK framework to systematically identify and hunt for specific techniques. Gap-driven hunting from the Module 10.11 coverage analysis.

10.10 — Hunting with Notebooks. Jupyter notebooks in Sentinel, MSTICPy library, advanced analysis techniques, and when notebooks add value over raw KQL.

10.11 — Building a Hunting Programme. Establishing cadence, allocating time, measuring effectiveness, and integrating hunting findings into the detection engineering lifecycle.

10.12 — Module Summary. Key takeaways, skills checklist, SC-200 exam objectives covered.

10.13 — Check My Knowledge. 20 scenario-based questions covering all subsections.

Sections in this module