Azure Sentinel Threat Hunting


Azure Sentinel Threat Hunting allows Security professionals to proactively identify potential threats that have gone unnoticed through analytics rules. Sentinel provides this ability in a tab in the Azure portal called ‘hunting’. These queries are built using the KQL language and can be run at any time on an ad hoc basis using the ‘Run all queries’ feature provided. By running all queries it will return the number outliers found when the query ran against the logs in the workspace or workspaces if the query has been configured this way.

Cyber threat hunting is an active cyber defence activity. It is “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.

Prebuilt Hunting rules

Currently Azure Sentinel Threat Hunting provides 173 ‘out of the box’ rules which cover the majority of data connectors that are prebuilt. All of the prebuilt rules cannot be deleted but can be edited and are mapped to the MITRE Framework. There are additional hunting queries that can be used which are published on the Azure Sentinel GitHub repository.

Building a Hunting Query

Much like analytic rules, hunting queries can be built using the Azure portal or by deploying rules using the API endpoint. The following configuration changes can be made to the queries.

  • Hunting Query Name (Required)
  • Description
  • Custom Query (Required)
  • Entity Mapping – The entities in an alert that should be used to group multiple alerts into an incident and will improve further analysis. Possible options are; User account (Account), HostIP address (IP), Malware, File Process, Cloud application (CloudApplication), Domain name (DNS), Azure resource, File (FileHash), Registry key, Registry value, Security group, URL, IoT device, Mailbox, Mail cluster, Mail message and Submission mail.
  • Tactics – Directly correlated to the MITRE framework these tactics should align to the stage of an attack. Possible options are; Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, Impact, InitialAccess, LateralMovement, Persistence and PrivilegeEscalation.


Bookmarks is Microsoft’s answer to helping Security Professionals save critical queries and results while performing a threat hunt. During an investigation or hunt when you have found valuable logs that should be saved for later or shared to others you are able to save these logs as a Sentinel Bookmark. By saving the query it will mean that not only the query is saved but the logs as well, additional notes and tags can be added to this bookmark which is visible to both yourself and teammates for enhanced collaboration.


Azure Sentinel comes built with ‘Livestreams’, these ‘livestreams’ allow you to build analytic rules and test these rules without implementing them as analytic rules. When a livestream is created it will alert of the events as if it was an analytic rule and once tuned can easily be moved to be an analytic rule by a few clicks in the Azure Portal. These alerts allow Security professionals to easily launch investigations which can then be used to monitor activity from a specific asset as it is fed into the Azure Analytics Workspace.

For more detail on Azure Sentinel check out the other blog pages below and the Sentinel GitHub repository which contains a list of hunting queries including many currently not implemented in Azure Sentinel.