This chapter covers threat hunting in Microsoft Sentinel, a critical skill for security operations and a key topic in the AZ-500 exam (Objective 4.2). Threat hunting is the proactive search for malicious activity that may evade traditional detection. Approximately 10-15% of AZ-500 exam questions touch on Sentinel capabilities, especially hunting queries, analytics rules, and incident management. Mastering these concepts will help you identify threats before they cause damage.
Jump to a section
Imagine you are the head of a detective agency responsible for protecting a large corporate campus. Your agency (Microsoft Sentinel) receives tips from various sources: security cameras (Azure resources), badge readers (identity logs), phone calls (network traffic), and employee reports (endpoint alerts). Each tip is a piece of raw data that could indicate a crime. However, most tips are false alarms—someone left a door open, a visitor got lost, etc. Your job is to separate genuine threats from noise. You have a team of analysts (analytics rules) who look for specific patterns: for example, the same person entering three different buildings in five minutes (impossible speed) or a known criminal's car spotted in the parking lot (threat intelligence). When a pattern matches, the analyst escalates to you, and you open an incident—a case file that collects all related tips, assigns a severity, and tracks the investigation. But you can't read every tip manually; you need automated tools. So you create watchlists—lists of known suspicious employees or vehicles—and automatically flag any tip that matches. You also use hunting queries: proactive searches for unusual behavior, like an employee accessing the server room at 3 AM when they never work night shifts. If you find something suspicious, you create a new analytics rule to catch it next time. Your agency's effectiveness depends on how well you tune these rules, integrate data sources, and act on incidents. Sentinel is this detective agency, but for your Azure and hybrid environment.
What is Threat Hunting in Microsoft Sentinel?
Threat hunting is the process of proactively searching for signs of malicious activity within your environment, rather than waiting for alerts to fire. In Microsoft Sentinel, threat hunting is performed using hunting queries—Kusto Query Language (KQL) queries that search through your data for suspicious patterns. These queries can be run manually or scheduled to run automatically. The results are surfaced in the Hunting blade, where hunters can investigate, bookmark, and escalate findings to incidents.
Why Threat Hunting Exists
Traditional signature-based detection (e.g., antivirus, IDS) relies on known indicators of compromise (IOCs). Attackers constantly evolve, using new techniques, living-off-the-land binaries, and encryption to evade detection. Threat hunting fills the gap by looking for behaviors (e.g., anomalous logons, unusual data transfers) rather than static signatures. It also helps discover unknown threats, zero-day exploits, and insider threats.
How Threat Hunting Works in Sentinel
Sentinel provides a dedicated Hunting workspace with: - Built-in hunting queries: Microsoft provides over 100 pre-built queries covering common attack patterns (e.g., Pass-the-Hash, DCSync, data exfiltration). These are updated regularly based on threat intelligence. - Custom queries: You can write your own KQL queries to match your environment's specific risks. - Bookmarks: When a query returns interesting results, you can bookmark rows to preserve context (time range, entities, notes). Bookmarks can be grouped into investigations. - Livestream: A feature that runs a query continuously and alerts you when new results appear. This is useful for monitoring specific behaviors in near real-time. - Integration with analytics rules: Findings from hunting can be turned into new analytics rules to automatically detect similar activity in the future.
Key Components, Values, and Defaults
Hunting queries: Written in KQL, typically querying the SecurityEvent, SigninLogs, CommonSecurityLog, AzureActivity, and custom tables. Example:
let threshold = 5;
SigninLogs
| where TimeGenerated > ago(7d)
| summarize SigninCount = count() by UserPrincipalName, IPAddress
| where SigninCount > thresholdBookmarks: Each bookmark stores: TimeGenerated, Entities (e.g., user, IP, host), Notes, Tags, and a Query reference. Bookmarks are stored in the HuntingBookmark table.
Livestream: Runs a query every 5 minutes by default (configurable). Results are shown in a dedicated tab. If results exceed a threshold (default 1000), streaming pauses.
MITRE ATT&CK mapping: Each hunting query can be tagged with MITRE techniques (e.g., T1078 - Valid Accounts). This helps align hunting with the ATT&CK framework.
Incident creation: From a bookmark, you can create an incident directly. The incident inherits entities and timeline from the bookmark.
Configuration and Verification
To start hunting: 1. Navigate to Microsoft Sentinel > Your workspace > Threat Management > Hunting. 2. Review built-in queries; use filters for MITRE technique, data source, or status. 3. Run a query by clicking Run Query (or Run All Queries to run all at once). 4. Review results in the Results tab. Use the Bookmark button to save interesting rows. 5. To create a custom query, click New Query and write KQL. Test it in the Logs blade first. 6. For continuous monitoring, use Livestream: open a query, click Livestream, set the refresh interval (minimum 5 minutes).
Verification commands:
Check hunting query status: SentinelHuntingQuery table in Log Analytics.
List bookmarks: HuntingBookmark | take 10.
Check livestream runs: SentinelLivestreamRun table.
Interaction with Related Technologies
Azure Sentinel Analytics: Hunting queries can be converted to Scheduled analytics rules by clicking Create Analytics Rule from a query. This automates detection.
Azure Sentinel Workbooks: Hunting results can be visualized in custom workbooks using KQL.
Azure Sentinel Notebooks: For advanced hunting, Jupyter notebooks (with MSTICpy) allow machine learning and complex analysis.
Azure Sentinel UEBA: User and Entity Behavior Analytics (UEBA) provides peer baselines that hunting queries can leverage (e.g., BehaviorAnalytics table).
Threat Intelligence: TI indicators can be used in hunting queries via the ThreatIntelligenceIndicator table.
Best Practices
Tune queries: Start with broad queries, then narrow down using | where filters to reduce noise.
Use time ranges: Always limit with TimeGenerated > ago(7d) to improve performance.
Leverage watchlists: Use watchlists to store known good/bad entities (e.g., admin accounts, known malicious IPs) and reference them in queries.
Collaborate: Use bookmarks and notes to share findings with your team.
Automate: Convert repeatable hunts into analytics rules to detect future occurrences.
Exam-Relevant Numbers and Values
Default livestream interval: 5 minutes.
Maximum livestream results: 1000 before pause.
Bookmark retention: 90 days (in the HuntingBookmark table).
Number of built-in queries: Over 100, updated monthly.
MITRE ATT&CK version: v10+ supported.
KQL required: Yes, for custom queries.
Common Exam Scenarios
Given a scenario, select the correct hunting query: You may need to identify which KQL query finds a specific behavior (e.g., multiple failed logons from different IPs).
Bookmark vs. Livestream: Know when to use each. Bookmark for one-time findings; Livestream for continuous monitoring.
Convert hunting query to analytics rule: Understand the steps and that the rule can be scheduled (e.g., run every 5 minutes).
MITRE ATT&CK mapping: Questions may ask which technique a query detects.
Trap Patterns
Confusing hunting with detection: Hunting is proactive, not reactive. Detection is done by analytics rules. The exam tests this distinction.
Thinking bookmarks are permanent: Bookmarks expire after 90 days unless converted to incidents.
Assuming livestream is real-time: It refreshes every 5 minutes minimum, not instant.
Overlooking MITRE tags: Queries must be tagged to appear in MITRE ATT&CK filters.
Access the Hunting Blade
In Microsoft Sentinel, navigate to the 'Threat Management' section and select 'Hunting'. This opens the hunting workspace, which displays a list of all available hunting queries—both built-in and custom. You can filter queries by data source, MITRE ATT&CK technique, or status (e.g., 'My queries'). The interface also shows the number of results each query returned in the last 24 hours. This step is the entry point for all proactive threat hunting activities.
Run a Hunting Query
Select a query (e.g., 'Anomalous logon location') and click 'Run Query'. Sentinel executes the KQL query against your Log Analytics workspace. The query runs over the default time range (last 24 hours, configurable). Results appear in a table below. You can sort, filter, and export results. If the query returns too many rows (e.g., >10,000), you may need to refine it. Running multiple queries simultaneously is possible, but performance may degrade.
Bookmark Interesting Results
When you find a suspicious row (e.g., a user logging in from an unusual country), select the row and click 'Bookmark'. A dialog appears where you can add notes, tags, and assign entities (user, IP, host). The bookmark is saved to the `HuntingBookmark` table. Bookmarks preserve the exact time range and query context. You can later view all bookmarks in the 'Bookmarks' tab. Bookmarks are not automatically escalated; they require manual action.
Investigate Using Entities
From a bookmark, you can launch an investigation by clicking 'Investigate'. This opens a graphical investigation canvas showing entities (e.g., user, IP) and related events. You can expand the graph to see connected alerts, anomalies, and other bookmarks. This helps you understand the scope of a potential threat. You can also add new entities or events to the graph. The investigation canvas is powered by Sentinel's entity behavior analytics.
Create Incident from Bookmark
If the investigation confirms malicious activity, click 'Create Incident' from the bookmark. This creates a new incident in Sentinel with the bookmark's entities, timeline, and notes. The incident is assigned a severity (default: Medium) and can be assigned to an analyst. Creating an incident from a bookmark ensures that the hunting finding is tracked and remediated. The bookmark remains but is linked to the incident.
Enterprise Scenario 1: Detecting Lateral Movement
A large financial institution uses Sentinel to hunt for lateral movement. They have domain controllers, workstations, and servers sending Windows Security Events to Sentinel. The security team runs a built-in hunting query called 'Pass-the-Hash' that searches for Event ID 4624 (logon) with LogonType 3 (network) and a specific pattern of account usage. One analyst notices a bookmark: a service account logged into a workstation, then seconds later from a different workstation. The analyst investigates and finds the account was compromised. They create an incident and block the account. To prevent future occurrences, they convert the query into a scheduled analytics rule that runs every 5 minutes and alerts the SOC. This rule now detects similar lateral movement automatically.
Enterprise Scenario 2: Insider Threat – Data Exfiltration
A healthcare organization uses Sentinel to hunt for insider threats. They have Office 365 logs (SharePoint, OneDrive) and Azure Information Protection labels. The hunting team runs a custom query that looks for users downloading large numbers of files from SharePoint to a personal device (UserAgent contains 'Microsoft Office' and file count > 100 in 1 hour). One analyst finds a user who downloaded 500 patient records. They bookmark the event, investigate the user's activity (using UEBA), and discover the user also accessed the HR system unusually. The analyst creates an incident and escalates to HR. The organization then creates a watchlist of high-risk users and a livestream query to monitor their activity continuously.
Common Misconfigurations
Overly broad queries: Running a query without a time filter can scan terabytes of data and time out. Always use | where TimeGenerated > ago(<period>).
Ignoring performance: Hunting queries run against the same Log Analytics cluster as analytics rules. Heavy queries can impact detection latency. Schedule heavy queries during off-peak hours.
Not using bookmarks: Analysts often forget to bookmark findings, losing context. Train analysts to bookmark immediately.
Failing to convert to rules: After a successful hunt, many teams do not create analytics rules, missing the chance to automate detection.
Scale and Performance
In large environments (100+ GB/day), running all built-in queries simultaneously can take hours. Best practice: run queries in batches, prioritize by MITRE technique, and use livestream only for critical queries. Sentinel's hunting infrastructure is designed to handle large volumes, but queries should be optimized (e.g., use project to reduce columns, use summarize early).
What AZ-500 Tests on Threat Hunting (Objective 4.2)
The AZ-500 exam expects you to:
Understand the purpose of threat hunting vs. detection.
Know how to access and use the Hunting blade.
Differentiate between bookmarks, livestream, and analytics rules.
Identify the correct KQL query for a given scenario (basic syntax).
Know how to convert a hunting query into an analytics rule.
Understand MITRE ATT&CK mapping and its use in filtering.
Common Wrong Answers and Why Candidates Choose Them
Confusing hunting with alerting: A question asks 'What should you use to proactively search for threats?' Wrong answer: 'Analytics rules'. Candidates think analytics rules are proactive, but they are reactive. Correct: 'Hunting queries'.
Thinking bookmarks are permanent: A scenario says 'You need to preserve findings for 6 months.' Wrong answer: 'Use bookmarks'. Bookmarks expire after 90 days. Correct: 'Create an incident from the bookmark' (incidents are retained per retention policy, often years).
Assuming livestream is real-time: A question asks 'Which feature provides continuous monitoring?' Wrong answer: 'Hunting queries'. Candidates may not know livestream exists. Correct: 'Livestream' (but note it refreshes every 5 minutes).
Misunderstanding MITRE ATT&CK: A question asks 'How do you filter queries by attack technique?' Wrong answer: 'By data source'. Correct: 'By MITRE ATT&CK technique tag'.
Specific Numbers and Terms to Memorize
Bookmark retention: 90 days.
Livestream refresh: 5 minutes.
Built-in queries: Over 100.
KQL: Must know basic operators: | where, | summarize, | extend, | project.
MITRE ATT&CK: Version 10+.
Tables: SigninLogs, SecurityEvent, CommonSecurityLog, AzureActivity, HuntingBookmark.
Edge Cases and Exceptions
Bookmarks can be deleted manually: Even though they auto-expire after 90 days, an admin can delete them earlier.
Livestream pauses: If results exceed 1000, streaming pauses until the next refresh.
Custom queries require KQL: The exam may present a KQL snippet and ask what it does.
Converting to analytics rule: The rule type must be 'Scheduled' (not 'Microsoft Security' or 'Fusion').
How to Eliminate Wrong Answers
If an answer mentions 'real-time' or 'instant', it is likely wrong for livestream (5 min delay).
If an answer says 'automatically detect', it refers to analytics rules, not hunting.
If an answer says 'store findings indefinitely', it is wrong for bookmarks (90 days).
If an answer mentions 'machine learning', it is likely about UEBA or Fusion, not basic hunting.
Threat hunting is proactive; analytics rules are reactive.
Use the Hunting blade in Sentinel to run KQL queries.
Bookmark findings to preserve context; bookmarks expire after 90 days.
Livestream runs a query every 5 minutes (minimum) for continuous monitoring.
Convert hunting queries to scheduled analytics rules for automated detection.
MITRE ATT&CK tags help filter queries by technique.
Always use time filters in hunting queries to improve performance.
These come up on the exam all the time. Here's how to tell them apart.
Hunting Queries
Proactive search – analyst initiates
Can be run manually or scheduled as livestream
Results are bookmarked or investigated manually
No automatic alerting or incident creation
Used for ad-hoc discovery of unknown threats
Analytics Rules
Reactive detection – system triggers automatically
Runs on a schedule (e.g., every 5 minutes)
Results automatically create alerts and incidents
Generates security incidents with severity
Used for continuous monitoring of known patterns
Mistake
Threat hunting replaces analytics rules.
Correct
Threat hunting complements analytics rules. Hunting is proactive and manual; analytics rules are automated detection. Both are needed for defense.
Mistake
Bookmarks are saved forever.
Correct
Bookmarks are retained for 90 days in the HuntingBookmark table. To preserve longer, create an incident from the bookmark.
Mistake
Livestream provides real-time alerts.
Correct
Livestream refreshes every 5 minutes by default (minimum). It is near real-time, not instant.
Mistake
Only built-in queries can be used for hunting.
Correct
You can create custom KQL queries. Built-in queries are a starting point.
Mistake
Hunting queries do not affect performance.
Correct
Heavy queries can consume Log Analytics resources and impact other operations. Optimize with time filters and projections.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
A hunting query is a one-time KQL query you run manually. A livestream runs the same query continuously, refreshing every 5 minutes by default, and displays new results as they come in. Use hunting queries for ad-hoc investigation; use livestream for continuous monitoring of specific patterns.
Bookmarks are retained for 90 days in the HuntingBookmark table. After that, they are automatically deleted. To keep findings longer, create an incident from the bookmark, as incidents are retained according to your workspace retention policy (typically 90 days to 2 years).
Yes. After running a hunting query and seeing valuable results, you can click 'Create Analytics Rule' from the query blade. This opens a wizard to configure a scheduled rule that runs the query automatically and creates alerts. This is a key way to automate detection of newly discovered threats.
The default refresh interval is 5 minutes. You can configure it to a longer interval, but the minimum is 5 minutes. If the query returns more than 1000 results, livestream pauses until the next refresh cycle.
Each hunting query can be tagged with one or more MITRE ATT&CK techniques (e.g., T1078 - Valid Accounts). This allows you to filter queries by technique in the Hunting blade. When you run a query, you can see which techniques it maps to, helping align hunting with the ATT&CK framework.
Yes, basic KQL knowledge is tested. You should be able to read simple queries with `where`, `summarize`, `project`, and `extend`. The exam may present a KQL snippet and ask what it does or which query to use for a given scenario.
Common tables include `SigninLogs` (Azure AD sign-ins), `SecurityEvent` (Windows events), `CommonSecurityLog` (third-party appliances), `AzureActivity` (Azure resource logs), `OfficeActivity` (Office 365 logs), and `HuntingBookmark` (bookmark metadata).
You've just covered Threat Hunting in Microsoft Sentinel — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?