AzureTracks.com explores using KQL to get started with threat hunting in Microsoft Sentinel. Pictured is the AI version of our Belgian Mia with some wires in her mouth while hunting for threats.
Andrew Posted on 6:55 am

How do I Start Threat Hunting with Microsoft Sentinel?

In today’s post we explore getting started with KQL for threat hunting and some common scenarios and queries that will help get you started. Let’s dive together into the mysterious world of looking for threats and discovering potential threats in your environment!

Intro

In the ever-evolving landscape of cybersecurity, threat hunting has emerged as a proactive approach to detect and mitigate potential threats before they can cause significant harm. Microsoft Sentinel, a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution, provides an advanced threat hunting framework that empowers security teams to identify, investigate, and eliminate threats across their digital estate.

Proactive Threat Hunting & Leveraging Advanced Analytics

Sentinel’s threat hunting capabilities are built on the foundation of proactive security. Instead of waiting for alerts to trigger investigations, Sentinel enables security teams to proactively search for signs of compromise, leveraging vast amounts of data from various sources. This proactive approach allows for the early detection of advanced threats that might otherwise go unnoticed, thereby reducing the potential impact on the organization.

Sentinel’s threat hunting is powered by advanced analytics and Microsoft’s decades of security experience. It uses machine learning, state-of-the-art AI, and both built-in and custom queries to sift through large volumes of data. This robust analytical capability allows for the identification of complex attack patterns and subtle anomalies that could indicate a security breach.

One of the key strengths of Microsoft Sentinel is its seamless integration with other tools and platforms, including Microsoft 365 Defender, Defender for Cloud, and third-party solutions. This integration provides a unified view of the entire digital estate, making it easier to correlate events and detect threats.

Collaboration

Sentinel promotes collaboration within security teams by providing shared dashboards, allowing for collective analysis and faster response times. You can also share queries and other resources between team members easily, save updates within incidents, and more!

Be a good team member when working within your SOC and update everything with comments! It is always helpful to share what’s been done with an investigation to save your team-mates time and energy repeating work that was already completed. This is 100% a pro tip!

Where To Dig In?

  1. Sign in to the Azure portal: Open your web browser and navigate to the Azure portal at https://portal.azure.com. Sign in with your Microsoft account credentials.
  2. Navigate to Microsoft Sentinel: On the left-hand side menu, click on “All services”. In the search box, type “Microsoft Sentinel” and select it from the dropdown list.
  3. Select your workspace: If you have multiple workspaces, select the one you want to use for threat hunting.
  4. Go to the Hunting page: On the Microsoft Sentinel overview page, click on “Hunting” in the left-hand side menu.
  5. Explore the hunting queries: You’ll see a list of built-in hunting queries provided by Microsoft. These queries are designed to help you proactively hunt for security threats. You can click on any query to view more details.
  6. Some KQL Queries to get Started: Check out some queries that I use regularly while threat hunting in various types of environments. This should get you rolling and start building some ideas on how to use your own threat hunting hypothesis to help you narrow down that needle in the haystack!
  7. Run a hunting query: To run a query, click on the “Run Query” button next to the query you’re interested in. The results will be displayed at the bottom of the page.
  8. Investigate the results: If the query returns any results, you can click on each result to investigate further. This will take you to the “Investigation” page where you can view more details about the potential threat.
  9. Create a custom query: If you want to create your own hunting query, click on the “+ New Query” button at the top of the Hunting page. This will open a new page where you can write and run your custom query. This is where you would use the queries I’ve listed below for you!

Remember, threat hunting is a proactive process. Regularly running and reviewing the results of your hunting queries is key to identifying potential threats before they can cause harm.

Some KQL Queries to get Started

  1. Uncommon Processes:
    • KQL Query:
      // Process-creation events (4688); surface process names seen fewer than 10 times
      SecurityEvent
      | where EventID == 4688
      | summarize Count = count() by NewProcessName
      | where Count < 10
      | project NewProcessName, Count
  2. DNS Anomalies:
    • KQL Query:
      // Heartbeat carries no DNS fields; DNS lookups are collected into DnsEvents
      // (DNS Analytics). ClientIP is the querying host, Name the queried domain.
      DnsEvents
      | where SubType == "LookupQuery"
      | summarize Count = count() by ClientIP, Name
      | where Count > 100
      | project ClientIP, Name, Count
  3. Account Enumeration:
    • KQL Query:
      // Failed logons (4625) grouped by account name
      SecurityEvent
      | where EventID == 4625
      | summarize Count = count() by Account
      | where Count > 10
      | project Account, Count
  4. Lateral Movement:
    • KQL Query:
      // Successful network logons (4624, LogonType 3) per host and account
      SecurityEvent
      | where EventID == 4624 and LogonType == 3
      | summarize Count = count() by Computer, Account
      | where Count > 5
      | project Computer, Account, Count
  5. Suspicious PowerShell Usage:
    • KQL Query:
      // Script block logging (4104) is written to the PowerShell operational log, not the
      // Security log, so it is collected into Event rather than SecurityEvent. The script
      // text is in RenderedDescription.
      Event
      | where Source == "Microsoft-Windows-PowerShell" and EventID == 4104
      | project Computer, UserName, RenderedDescription
  6. Failed Logins with High Frequency:
    • KQL Query:
      // 0xC000006D = bad user name or password. Status is stored as lowercase hex,
      // so compare case-insensitively with =~
      SecurityEvent
      | where EventID == 4625 and Status =~ "0xc000006d"
      | summarize Count = count() by Account
      | where Count > 20
      | project Account, Count
  7. Abnormal User Behavior:
    • KQL Query:
      // Interactive logons (4624, LogonType 2) per account
      SecurityEvent
      | where EventID == 4624 and LogonType == 2
      | summarize Count = count() by Account
      | where Count > 50
      | project Account, Count
  8. Suspicious Network Connections:
    • KQL Query:
      // NetworkCommunication and RemoteIPCountry are not built-in Sentinel names: point this
      // at your own network-event table and a geo-enriched country column (for example one
      // built with geo_info_from_ip_address(), which returns country names, not ISO codes)
      NetworkCommunication
      | where RemoteIPCountry in ("RU", "CN", "KP", "BR", "KR", "TH", "VN", "IN", "CU", "IR", "NG")
      | summarize Count = count() by RemoteIPCountry, RemoteIP
      | project RemoteIPCountry, RemoteIP, Count
  9. Privilege Escalation Attempts:
    • KQL Query:
      // 4673 (privileged service called) exposes the requested privileges in PrivilegeList
      SecurityEvent
      | where EventID == 4673 and PrivilegeList has_any ("SeDebugPrivilege", "SeTcbPrivilege")
      | project Computer, Account, PrivilegeList
  10. Malware Artifacts:
    • KQL Query:
      // File-creation telemetry from Defender for Endpoint lands in DeviceFileEvents
      DeviceFileEvents
      | where ActionType == "FileCreated" and FolderPath contains "AppData"
      | project DeviceName, FileName, FolderPath

Feel free to customize these queries based on your specific environment and use case.
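As an added example (not from the original post), the failed-logon hunts (queries 3 and 6) and the network-logon hunt (query 4) can be combined into a single hypothesis: an account that fails repeatedly from one source address and then succeeds from that same address shortly afterwards. The thresholds (10 failures, 30-minute window, 1-day lookback) are assumptions to tune for your environment; the columns used (Account, IpAddress, Computer, LogonType, Status) are standard SecurityEvent fields.

```kql
// Added example: brute-force or password-spray attempt followed by success.
// Thresholds below are assumptions; adjust to your environment's baseline.
let lookback = 1d;
let window = 30m;
let minFailures = 10;
// Step 1: accounts with many failed logons from the same source IP and target host
let failures =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | summarize FailedCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated),
                Statuses = make_set(Status)
        by Account, IpAddress, Computer
    | where FailedCount >= minFailures;
// Step 2: successful network (3) or RDP (10) logons for the same account/source/host
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624 and LogonType in (3, 10)
| project Account, IpAddress, Computer, LogonType, SuccessTime = TimeGenerated
| join kind=inner failures on Account, IpAddress, Computer
// Step 3: keep only successes that land within the window after the last failure
| where SuccessTime between (LastFail .. (LastFail + window))
| project Account, IpAddress, Computer, LogonType, FailedCount,
          FirstFail, LastFail, SuccessTime, Statuses
| order by FailedCount desc
```

Each row is a candidate for investigation rather than a confirmed compromise; the Statuses set tells you whether the failures were bad passwords (0xc000006d) or something else, such as account lockouts.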

I Want More!

If you are looking for additional guidance on starting your threat hunting passion, you can try starting right with Microsoft here: https://learn.microsoft.com/en-us/azure/sentinel/hunting.

Conclusion

In the face of increasingly sophisticated cyber threats, the need for proactive and advanced threat hunting has never been more critical. Sentinel stands at the forefront of this cybersecurity paradigm shift, offering a robust, scalable, and intelligent solution for organizations of all sizes. Its integration capabilities, advanced analytics, and emphasis on proactive threat hunting equip security teams with the necessary tools to stay ahead of threats.

By leveraging Sentinel, organizations can not only detect and respond to threats in real-time but also anticipate and mitigate potential threats, thereby safeguarding their digital estate and ensuring business continuity. As we continue to navigate the complex cybersecurity landscape, solutions like Sentinel will play an integral role in defining the future of digital security. Consider expanding your own capabilities by utilizing Security Copilot to answer questions, build queries, associate threat intelligence & more! Use the AI to do the complex tasks that take up your time, and to even help you build further automations to gain quick-wins on those easier repetitive tasks.

Happy threat hunting! 🕵️‍♂️🔍