7: Threat Hunting Flashcards
(16 cards)
What is threat hunting in Microsoft Sentinel?
It’s the process of proactively searching your log data for suspicious activity before alerts are triggered.
Where do you access hunting features in Sentinel?
Microsoft Sentinel > Threat Management > Hunting.
What are hunting queries?
Prewritten KQL queries designed to help analysts look for known attack patterns, anomalies, or suspicious behavior.
Who uses hunting queries?
Analysts, detection engineers, and threat hunters looking to explore data and uncover hidden threats.
What kinds of activity can hunting queries detect?
Suspicious logons, rare processes, encoded commands, signs of persistence, lateral movement, or exfiltration attempts.
How are hunting queries organized in Sentinel?
By MITRE ATT&CK tactics (e.g., Persistence, Privilege Escalation, Defense Evasion).
What can you do with the results of a hunting query?
Bookmark them, convert them into incidents, or use them to trigger automation.
Can you create your own hunting queries?
Yes, you can write or modify KQL queries based on your environment and threat model.
What’s the benefit of using built-in hunting queries?
They save time and provide vetted detection logic mapped to known threats.
Why is hunting important if you already have analytics rules?
Hunting catches threats that slip past automated detections and helps analysts stay ahead of attackers.
Are hunting queries the same as analytics rules?
No—analytics rules generate alerts automatically; hunting queries are run manually for proactive investigation.
Can I modify built-in hunting queries?
Yes, they’re fully editable and can be customized for your environment.
Can I schedule hunting queries to run automatically?
Not directly—but you can turn hunting logic into analytics rules to schedule it.
Can hunting queries use bookmarks or be linked to incidents?
Yes, results can be bookmarked, enriched, or used to create incidents manually.
Do hunting queries require special permissions?
You need permissions to view and run KQL queries in the workspace.
Can hunting be used in air-gapped or disconnected environments?
Yes, as long as the logs are ingested into the Sentinel workspace, you can run hunting queries.
