11.12 Module Summary

14-18 hours · Module 11

Module 11 Summary: Perform Threat Hunting in Microsoft Sentinel

What you learned in this module

This module built the proactive hunting layer that complements the automated detection from Module 10. Together, Modules 10 and 11 provide comprehensive threat coverage: detection catches the 80% of threats that match known patterns, and hunting finds the remaining 20% that evade detection.

Subsection 11.1 — Threat Hunting Concepts and Methodology. Detection vs hunting. The three approaches: hypothesis-driven (test a theory), indicator-driven (search for IOCs), and analytics-driven (explore for anomalies). The hunting cycle: hypothesise → query → analyse → document → improve detection → close.

Subsection 11.2 — The Sentinel Hunting Experience. The Hunting blade: query management, MITRE ATT&CK mapping, result tracking, and the built-in query library. Creating and managing custom queries. Filtering by data source and ATT&CK tactic. The unified hunting surface in the Defender portal.

Subsection 11.3 — Writing Effective Hunting Queries. Six KQL hunting patterns: rare event discovery, statistical outlier detection, first-time occurrence, temporal anomaly, cross-table correlation, and stacking. Each pattern targets a different category of threat behaviour.

Subsection 11.4 — Hypothesis-Driven Hunting. Formulating hypotheses with four components (what, why, where, how). Testing hypotheses with KQL. The hypothesis testing workflow. Documenting hunts with the hunt record template. The value of negative findings.

Subsection 11.5 — Hunting Bookmarks and Evidence Collection. Creating bookmarks from hunting results. Entity mapping in bookmarks. Promoting bookmarks to incidents. Bookmark lifecycle and evidence chain best practices.

Subsection 11.6 — Livestream: Real-Time Hunting. Continuous query monitoring during active hunts and investigations. Livestream vs NRT rules vs scheduled rules. Promoting Livestream queries to permanent detection rules.

Subsection 11.7 — Search Jobs and Archived Data. Hunting against Archive tier data. Search job creation, management, and result analysis. The _SRCH results table. Cost considerations for archived data scanning.

Subsection 11.8 — Hunt Management and Collaboration. Structured hunt tracking with the hunt management workflow. The hunt log and monthly hunt metrics. Pair hunting and hunt handover. Cross-team intelligence sharing.

Subsection 11.9 — MITRE ATT&CK-Driven Hunting. Systematic technique identification, coverage checking, prioritisation, and gap-driven hunting. Hunting queries mapped to high-priority ATT&CK techniques. The ATT&CK hunting coverage tracker.

Subsection 11.10 — Hunting with Notebooks. Jupyter notebooks for advanced analysis: network graphs, time series decomposition, machine learning. The MSTICPy library. When notebooks add value vs standard KQL. Content Hub notebook templates.

Subsection 11.11 — Building a Hunting Programme. Programme components: cadence, hypothesis backlog, query library, hunt log, and detection integration. Solo operator cadence. Programme effectiveness metrics. The hunting-detection feedback loop.
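The first-time occurrence pattern from this subsection, written out as an added example (this is not a query from the module or its query library). It assumes the standard SigninLogs table; the 30-day baseline, the 24-hour recent window and the country attribute are constructed choices to tune per environment, and the same baseline-versus-recent shape applies equally to user/application or host/process pairs.

```kql
// Added example (not from the module): the "first-time occurrence" hunting pattern.
// Compare a 30-day baseline with the last 24 hours and surface user/country pairs
// that appear only in the recent window.
// Assumes the standard SigninLogs table; window lengths are constructed values.
let lookback = 30d;
let recent = 1d;
// Baseline: every user/country pair seen in successful sign-ins before the recent window
let baseline = SigninLogs
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | where ResultType == "0"
    | extend Country = tostring(LocationDetails.countryOrRegion)
    | where isnotempty(Country)
    | distinct UserPrincipalName, Country;
// Recent window: keep only the pairs with no match in the baseline (leftanti join)
SigninLogs
| where TimeGenerated > ago(recent)
| where ResultType == "0"
| extend Country = tostring(LocationDetails.countryOrRegion)
| where isnotempty(Country)
| join kind=leftanti baseline on UserPrincipalName, Country
| summarize FirstSeen = min(TimeGenerated),
            SignIns = count(),
            SourceIPs = make_set(IPAddress, 10),
            Apps = make_set(AppDisplayName, 10)
        by UserPrincipalName, Country
| order by FirstSeen asc
```

Every row is a candidate, not a verdict: a new country for a travelling user is expected, the same for a service account is not. Rows that warrant follow-up are exactly what the bookmark workflow in this module is for, and a pattern that keeps producing true positives is a candidate for promotion to a scheduled analytics rule.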
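A hypothesis carried through to a test query, as an added example that is not part of the module. It takes the MFA fatigue hypothesis from the module's backlog examples, records the four components as comments, and tests it against SigninLogs. Assumptions: the standard SigninLogs schema, sign-in error code 500121 meaning "authentication failed during strong authentication request", and thresholds (5 failures in 10 minutes, success within 30 minutes) that are constructed starting points rather than vendor values.

```kql
// Added example (not from the module): testing a hunting hypothesis with KQL.
// Hypothesis record (the module's four components):
//   What:  an attacker holding a valid password is repeatedly triggering MFA prompts
//          until the user approves one (MFA fatigue).
//   Why:   password-only compromise is common, and prompt fatigue defeats push MFA
//          without any technical bypass.
//   Where: SigninLogs (Entra ID sign-in events).
//   How:   a burst of strong-authentication failures for one user, followed shortly
//          by a successful sign-in for the same user from the same IP address.
// Assumptions: standard SigninLogs schema; ResultType 500121 = "authentication
// failed during strong authentication request"; thresholds are constructed values.
let failureThreshold = 5;
let burstWindow = 10m;
let successWindow = 30m;
// Step 1: user/IP pairs with a burst of MFA failures inside one 10-minute bin
let bursts = SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == "500121"
    | summarize Failures = count(),
                BurstStart = min(TimeGenerated),
                BurstEnd = max(TimeGenerated)
            by UserPrincipalName, IPAddress, bin(TimeGenerated, burstWindow)
    | where Failures >= failureThreshold;
// Step 2: a successful sign-in for the same user and IP during or shortly after the burst
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0"
| project SuccessTime = TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, Location
| join kind=inner bursts on UserPrincipalName, IPAddress
| where SuccessTime between (BurstStart .. (BurstEnd + successWindow))
| project UserPrincipalName, IPAddress, Location, Failures, BurstStart, BurstEnd, SuccessTime, AppDisplayName
| order by SuccessTime desc
```

An empty result is still a finding: record it in the hunt record as a negative result for the stated thresholds and window, so the next hunter knows what has already been tested. A non-empty result is evidence to bookmark and, if confirmed, a sequence that belongs in a scheduled detection rule.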

SC-200 exam objectives covered

Domain 4 — Manage Security Threats (15-20%): Explain threat hunting concepts. Perform threat hunting using the Microsoft Sentinel portal. Hunt for threats using bookmarks. Hunt for threats using Livestream. Use search jobs in Microsoft Sentinel. Hunt for threats using notebooks.

Skills checklist

Explain the difference between detection and hunting. Describe the three hunting approaches. Follow the hunting cycle from hypothesis to closure. Navigate the Sentinel Hunting blade and manage hunting queries. Write hunting queries using all six patterns (rare events, outliers, first-time, temporal, cross-table, stacking). Formulate testable hunting hypotheses with four components. Create, manage, and promote bookmarks. Use Livestream for real-time monitoring during active hunts. Create and manage search jobs for archived data hunting. Track hunts with the hunt management workflow. Conduct MITRE ATT&CK-driven hunts against coverage gaps. Use notebooks for advanced analysis when KQL is insufficient. Build a hunting programme with cadence, backlog, and detection integration.

What comes next

Modules 7-11 complete the core Sentinel operational capability. The remaining modules apply everything you have learned to realistic, end-to-end investigation scenarios: Module 12 (AiTM credential phishing), Module 13 (BEC and financial fraud), Module 14 (token replay and session hijacking), Module 15 (consent phishing and OAuth grants), and Module 16 (insider threat). Each produces deployable artifacts — investigation playbooks, detection rules, containment checklists, and hardening guides.

Module 11 artifact inventory

You should have the following operational assets after completing this module:

Hunting query library. 8+ hunting query patterns (rare events, outliers, first-time, temporal, cross-table, stacking, DNS, process trees) saved as custom queries in the Sentinel Hunting blade. Each tagged with MITRE technique and data source.

Hypothesis backlog. A prioritised list of hunting hypotheses for your environment, drawn from the examples in subsection 11.4 (MFA fatigue, device registration, cloud account creation, service principal abuse) and your own environmental knowledge.

Hunt log template. From subsection 11.8 — ready to track your first hunts with: hunt ID, hypothesis, trigger, status, findings, and detection improvement.

MITRE ATT&CK coverage tracker. From subsection 11.9 — tracking which techniques have been hunted, when, and with what result. Your baseline for quarterly improvement measurement.

Livestream operational workflow. From subsection 11.6 — the real-time monitoring workflow you deploy during active incidents and investigations.

Departing employee watchlist specification. From the detection integration with Module 16 — the watchlist schema and the KQL rule that correlates departing employees with anomalous activity.
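One way the watchlist correlation in this artifact can look, as an added example that is not the module's own rule or schema. It assumes a watchlist with the alias DepartingEmployees and the columns UserPrincipalName, LastWorkingDay and Manager (the schema defined in Module 16 may differ), uses OfficeActivity file-download events from SharePoint and OneDrive as the anomalous activity, and treats the 100-downloads-per-hour threshold as a constructed starting point to tune against the organisation's baseline.

```kql
// Added example (not from the module): correlating a departing-employee watchlist
// with bulk file downloads from SharePoint and OneDrive.
// Assumptions: watchlist alias "DepartingEmployees" with columns UserPrincipalName,
// LastWorkingDay and Manager (hypothetical schema); standard OfficeActivity table;
// the download threshold is a constructed value.
let downloadThreshold = 100;
// Watchlist columns arrive as strings, so cast them explicitly before joining
let departing = _GetWatchlist('DepartingEmployees')
    | project UserPrincipalName = tolower(tostring(UserPrincipalName)),
              LastWorkingDay = todatetime(LastWorkingDay),
              Manager = tostring(Manager);
OfficeActivity
| where TimeGenerated > ago(1d)
| where OfficeWorkload in ("SharePoint", "OneDrive")
| where Operation in ("FileDownloaded", "FileSyncDownloadedFull")
| extend UserPrincipalName = tolower(UserId)
| join kind=inner departing on UserPrincipalName
| summarize Downloads = count(),
            Sites = make_set(Site_Url, 10),
            SampleFiles = make_set(SourceFileName, 20),
            ClientIPs = make_set(ClientIP, 10)
        by UserPrincipalName, LastWorkingDay, Manager, bin(TimeGenerated, 1h)
| where Downloads >= downloadThreshold
// Positive = days until the last working day; negative = activity after it,
// which should not be possible if offboarding disabled the account on time
| extend DaysToDeparture = datetime_diff('day', LastWorkingDay, TimeGenerated)
| order by Downloads desc
```

Run as a hunting query this surfaces the accounts worth a closer look; scheduled as an analytics rule with the same logic, it becomes the detection integration the artifact describes, with UserPrincipalName and ClientIPs mapped to the Account and IP entities so the resulting incident carries the evidence the Module 16 investigation needs.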

Hunting programme plan. From subsection 11.11 — the cadence, backlog, query library, and detection integration that turns ad-hoc hunting into a structured programme.

These assets — combined with the detection rules from Module 10 and the investigation playbooks from Modules 12-16 — form the complete operational toolkit the homepage promises.

The hunting-detection-investigation triad

Modules 7-11 build the platform and the detection/hunting capability. Modules 12-16 apply that capability to real investigation scenarios. The triad works as follows: Detection (Module 10) catches known threats automatically and creates incidents. Hunting (Module 11) finds unknown threats proactively and either creates incidents or creates new detection rules. Investigation (Modules 12-16) resolves incidents through structured analysis, containment, eradication, and reporting — and feeds findings back into both detection (new rules) and hunting (new hypotheses).

Every investigation you conduct in Modules 12-16 produces detection rules that strengthen Module 10 and hunting hypotheses that feed Module 11. The system is self-reinforcing: incidents make detection better, detection surfaces more incidents, hunting finds what detection misses, and hunting findings become new detections. Over time, the attacker’s window of undetected operation shrinks — and the SOC’s operational maturity compounds.

The complete Sentinel operational model

Workspace (M7) → Data (M8) → Detection (M10) → Hunting (M11). These four modules, applied together, provide: a properly configured workspace with health monitoring and governance, comprehensive data coverage across identity, endpoint, email, network, and custom sources, automated detection with analytics rules covering known threat patterns, proactive hunting for unknown threats that bypass detection, automated response through playbooks and automation rules, operational visibility through workbooks and dashboards, behavioural analysis through UEBA, cross-vendor normalisation through ASIM, and continuous improvement through the detection engineering lifecycle fed by hunting findings.

This is a world-class security operations capability — built on Sentinel, operated by you.