
SC-200T00A

Microsoft Security
Operations Analyst
Author name
Date

© Copyright Microsoft Corporation. All rights reserved.


Learning Path 8:
Perform threat hunting in
Microsoft Sentinel



Agenda

Explain threat hunting concepts in Microsoft Sentinel

Threat hunting with Microsoft Sentinel

Use Search jobs in Microsoft Sentinel

Hunt for threats using notebooks in Microsoft Sentinel



Threat hunting concepts in Microsoft Sentinel
Introduction
After completing this module, you will be able to:

Describe threat hunting concepts for use with Microsoft Sentinel

Define a threat hunting hypothesis for use in Microsoft Sentinel


Cybersecurity threat hunting



Develop a threat hunting hypothesis

1 Keep it achievable.

2 Keep the scope narrow.

3 Keep it time-bound.

4 Keep it useful and efficient.

5 Keep it related to the threat model that you are defending against.



Explore MITRE ATT&CK



Threat hunting with Microsoft Sentinel
Introduction
After completing this module, you will be able to:

Use queries to hunt for threats

Save key findings with bookmarks

Observe threats over time with livestream


Manage Microsoft Sentinel threat-hunting queries
Create and run hunting queries to search for isolated security threats and unwanted activity.



Save key findings with bookmarks
Bookmarks in Microsoft Sentinel can help you hunt for threats by preserving the queries you
ran in Microsoft Sentinel, along with the query results that you deem relevant.



Observe threats over time with livestream
You can use the hunting livestream to test queries against live events as they occur.
Livestream provides interactive sessions that can notify you when Microsoft Sentinel finds
matching events for your query.
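The following is an added example, not course material, that ties the five hypothesis rules, the hunting-query slide and the livestream slide to one concrete hunt. The hypothesis is assumed for illustration: within the last 7 days, an account failed to sign in at least 5 times from one IP address and then signed in successfully from that same address. The KQL is what a hunter would paste into the Sentinel hunting blade; the table and column names follow the Microsoft Entra SigninLogs schema, while the sample rows, user names, IP addresses and thresholds are constructed. `hunt` is the batch (hunting-blade) evaluation and `livestream` the incremental one, so the same hypothesis can be checked offline in both modes.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothesis (assumed, not from the course): within the last 7 days an account
# failed to sign in >= 5 times from one IP and then signed in successfully from
# that same IP, i.e. credential guessing that eventually worked. It is narrow
# (one table, one pattern), time-bound (7 days), achievable (SigninLogs is a
# standard Sentinel table) and tied to the credential-access part of the threat model.
#
# KQL for the Sentinel hunting blade. ResultType "0" is a successful Entra
# sign-in; anything else is a failure.
HUNTING_QUERY = """
let lookback = 7d;
let threshold = 5;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"
| summarize Failures = count(), LastFail = max(TimeGenerated)
    by UserPrincipalName, IPAddress
| where Failures >= threshold
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(lookback) and ResultType == "0"
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated
  ) on UserPrincipalName, IPAddress
| where SuccessTime > LastFail
| project UserPrincipalName, IPAddress, Failures, LastFail, SuccessTime
"""


def _event(ts, upn, ip, result):
    """Build one SigninLogs-like row (constructed sample data, not real logs)."""
    return {"TimeGenerated": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
            "UserPrincipalName": upn, "IPAddress": ip, "ResultType": result}


NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
WINDOW_START = NOW - timedelta(days=7)

# Constructed events. 50126 is the Entra "invalid username or password" result code.
SAMPLE_SIGNINS = (
    # alice: 6 failures then a success from the same IP -> the pattern we hunt
    [_event(f"2024-05-09T02:0{i}:00", "alice@contoso.com", "198.51.100.7", "50126") for i in range(6)]
    + [_event("2024-05-09T02:10:00", "alice@contoso.com", "198.51.100.7", "0")]
    # bob: only 2 failures before success -> below threshold
    + [_event("2024-05-08T09:00:00", "bob@contoso.com", "203.0.113.9", "50126"),
       _event("2024-05-08T09:01:00", "bob@contoso.com", "203.0.113.9", "50126"),
       _event("2024-05-08T09:02:00", "bob@contoso.com", "203.0.113.9", "0")]
    # carol: 6 failures, never succeeds -> not this hypothesis
    + [_event(f"2024-05-07T11:0{i}:00", "carol@contoso.com", "192.0.2.44", "50126") for i in range(6)]
    # eve: the success came BEFORE the failures -> ordering matters
    + [_event("2024-05-09T03:00:00", "eve@contoso.com", "198.51.100.20", "0")]
    + [_event(f"2024-05-09T03:1{i}:00", "eve@contoso.com", "198.51.100.20", "50126") for i in range(6)]
    # dave: a genuine match, but outside the 7-day window -> time-bound rule drops it
    + [_event(f"2024-04-20T04:0{i}:00", "dave@contoso.com", "203.0.113.77", "50126") for i in range(8)]
    + [_event("2024-04-20T04:10:00", "dave@contoso.com", "203.0.113.77", "0")]
)


def hunt(events, now=NOW, lookback_days=7, threshold=5):
    """Batch evaluation of the hypothesis: the Python twin of HUNTING_QUERY."""
    start = now - timedelta(days=lookback_days)
    fails, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["TimeGenerated"] <= start:
            continue
        key = (e["UserPrincipalName"], e["IPAddress"])
        (successes if e["ResultType"] == "0" else fails)[key].append(e["TimeGenerated"])
    findings = []
    for (upn, ip), times in fails.items():
        if len(times) < threshold:
            continue
        last_fail = max(times)
        later = [t for t in successes.get((upn, ip), []) if t > last_fail]
        if later:
            findings.append({"UserPrincipalName": upn, "IPAddress": ip,
                             "Failures": len(times), "LastFail": last_fail,
                             "SuccessTime": min(later)})
    return findings


def livestream(events, since=WINDOW_START, threshold=5):
    """Livestream-style evaluation: walk events in arrival order and report the
    moment a success lands on a (user, ip) that already carries >= threshold
    failures. This is what the Sentinel livestream pane does with the same query:
    it notifies as soon as a new event completes the pattern."""
    fail_count = defaultdict(int)
    alerts = []
    for e in sorted(events, key=lambda e: e["TimeGenerated"]):
        if since is not None and e["TimeGenerated"] <= since:
            continue
        key = (e["UserPrincipalName"], e["IPAddress"])
        if e["ResultType"] != "0":
            fail_count[key] += 1
        elif fail_count[key] >= threshold:
            alerts.append((e["TimeGenerated"], key[0], key[1], fail_count[key]))
            fail_count[key] = 0  # reset so one burst is not reported twice
    return alerts


if __name__ == "__main__":
    for f in hunt(SAMPLE_SIGNINS):
        print("hunt:", f)
    for a in livestream(SAMPLE_SIGNINS):
        print("livestream:", a)
```

Only alice matches in both modes: bob is under the threshold, carol never succeeds, eve's success precedes her failures, and dave falls outside the window. Lowering `threshold` to 2 pulls bob in, which is the usual way a hunter widens a hypothesis once the narrow version has been checked.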



Use Search jobs in Microsoft Sentinel
Introduction
After completing this module, you will be able to:

Hunt with a Search job in Microsoft Sentinel

Restore historical data in Microsoft Sentinel


Hunt with a Search job



Restore historical data



Hunt for threats using notebooks in Microsoft Sentinel
Introduction
After completing this module, you will be able to:

Explore API libraries for advanced threat hunting in Microsoft Sentinel

Describe notebooks in Microsoft Sentinel

Create and use notebooks in Microsoft Sentinel


Hunt with notebooks

Playbooks
Roles: SOC engineers; analysts of all tiers
Uses: Automation of simpler, repeatable tasks: ingestion (bring in external data); enrichment (TI, GeoIP lookups, etc.); investigation; remediation

Workbooks
Roles: SOC engineers; analysts of all tiers; SOC managers
Uses: Visualization

Notebooks
Roles: Threat hunters / Tier 2-3 analysts; incident investigators; cyber data scientists; security researchers
Uses: Querying Microsoft Sentinel and external data; enrichment (TI, GeoIP, WhoIs lookups, etc.); investigation; visualization; hunting; machine learning and big data analytics



Access Microsoft Sentinel data with external tools
The foundation of Microsoft Sentinel is the Log Analytics data store, which combines high-performance querying with a dynamic schema and scales to massive data volumes. The Azure portal and all Microsoft Sentinel tools use a standard API to access this data store. The same API is also available to external tools such as Python and PowerShell, and there are several libraries that simplify access to it.

Kqlmagic
The Kqlmagic library provides an easy-to-implement API wrapper to run KQL queries.

MSTICPy
Microsoft Threat Intelligence Python Security Tools is a set of Python tools intended to be used for security investigations and hunting.

Sentinel Community GitHub
Repository of community-contributed tools.

Python libraries
The same API is also available for external tools such as Jupyter notebooks and Python.
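The slide says every Sentinel tool talks to the Log Analytics data store through one API; the following added example (not course code and not Kqlmagic or MSTICPy itself) shows what that API call looks like from plain Python with only the standard library, which is what those wrappers do underneath. It uses the documented v1 Log Analytics query endpoint and its columnar `tables`/`columns`/`rows` response layout. The workspace ID, the placeholder token and the sample response are constructed; in a real notebook the token would come from an Entra ID credential scoped to `https://api.loganalytics.io/.default`. The HTTP transport is injectable so the response parsing can be exercised offline.

```python
import json
import urllib.request

# Documented Log Analytics query endpoint (v1 REST path). The Azure portal,
# Kqlmagic and MSTICPy all end up calling this same API.
QUERY_URL = "https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"


def build_query_request(workspace_id, query, token, timespan="P1D"):
    """Return (url, headers, body) for one KQL query.

    `timespan` is an ISO 8601 duration or interval that bounds the query on the
    server side; keep it as tight as the hunting hypothesis allows so that a
    sloppy query cannot scan the whole data store."""
    url = QUERY_URL.format(workspace_id=workspace_id)
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = json.dumps({"query": query, "timespan": timespan}).encode()
    return url, headers, body


def _http_post(url, headers, body):
    """Real transport: POST the request and decode the JSON response."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def table_to_records(response, table_name="PrimaryResult"):
    """Flatten the API's columnar {columns, rows} layout into a list of dicts.

    This is the step Kqlmagic and MSTICPy perform before handing back a
    pandas DataFrame; an empty result or a missing table yields []."""
    for table in response.get("tables", []):
        if table.get("name") == table_name:
            names = [c["name"] for c in table["columns"]]
            return [dict(zip(names, row)) for row in table["rows"]]
    return []


def run_query(workspace_id, query, token, timespan="P1D", transport=_http_post):
    """Execute a KQL query against a workspace and return rows as dicts.

    `transport` is injectable so parsing can be tested without a workspace."""
    url, headers, body = build_query_request(workspace_id, query, token, timespan)
    return table_to_records(transport(url, headers, body))


# Constructed response in the shape the API returns (sample data, not a real workspace).
SAMPLE_RESPONSE = {
    "tables": [{
        "name": "PrimaryResult",
        "columns": [
            {"name": "TimeGenerated", "type": "datetime"},
            {"name": "UserPrincipalName", "type": "string"},
            {"name": "IPAddress", "type": "string"},
            {"name": "ResultType", "type": "string"},
        ],
        "rows": [
            ["2024-05-09T02:00:00Z", "alice@contoso.com", "198.51.100.7", "50126"],
            ["2024-05-09T02:10:00Z", "alice@contoso.com", "198.51.100.7", "0"],
        ],
    }]
}


def offline_demo():
    """Run the full request/parse path against the canned response: no network,
    no real token. Workspace ID and token below are placeholders (assumptions)."""
    return run_query(
        "00000000-0000-0000-0000-000000000000",
        "SigninLogs | where UserPrincipalName == 'alice@contoso.com' | take 2",
        token="<bearer token from DefaultAzureCredential().get_token('https://api.loganalytics.io/.default')>",
        timespan="P7D",
        transport=lambda url, headers, body: SAMPLE_RESPONSE,
    )


if __name__ == "__main__":
    for row in offline_demo():
        print(row)
```

Swap `transport` for the default `_http_post` and a real workspace ID and token to run the same code against a live workspace; the parsing does not change, which is exactly why the wrappers on the slide can share one API.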



Create a notebook

Create a Notebook in Microsoft Sentinel Notebooks page

Create a Jupyter Notebook with tools like Visual Studio Code



Explore notebook code
The following code blocks of the "Getting Started Guide For Microsoft Sentinel ML
Notebooks" notebook provide a representative example of working with Microsoft Sentinel
data.


