Skip to content
hands-on lab

Advanced Threat Hunting in Microsoft Sentinel

Intermediate
Up to 1h
451
4.7/5
Start lab
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.
Lab description

Microsoft Sentinel (previously, Azure Sentinel) is a cloud-based SIEM (security information event management) solution that offers advanced intelligence tools across the organizations to secure the cloud and on-premises resources. The core offering of the Azure Sentinel revolves around collecting data at scale while detecting the threat in real-time using artificial intelligence to hunt the suspicious activities, ultimately performing actions to either remediate based on the preconfigured actions or provide a response plan to the security teams in an organization.

Threat Hunting is part of the security operation lifecycle that focus on proactively capturing threats, investigating existing threat using queries, and performing changes to adapt to reduce the previous security incidents by enhancing the analytics and threat capture monitors. The pre-created queries provided by Microsoft are grouped by MITRE ATT&CK framework and tactics that let you easily use and repurpose the queries based on your organization's needs.

In this hands-on lab, you will understand how to use the Hunting dashboard to capture threats, create bookmarks and generate incidents in Microsoft Sentinel.

Learning Objectives

Upon completion of this intermediate-level lab, you will be able to:

  • Use Hunting service in Microsoft Sentinel
  • Understand Custom Queries and collect results queries
  • Understand and create Bookmarks for query results
  • Promote bookmarks to create Incidents in Microsoft Sentinel

Intended Audience

  • Candidates for Azure Security Engineer (AZ-500)
  • Cloud Architects
  • Data Engineers
  • DevOps Engineers
  • Software Engineers

Prerequisites

Familiarity with the following will be beneficial but is not required:

  • Azure Log Analytics
  • Azure Sentinel

The following content can be used to fulfill the prerequisite:

Updates

January 31st, 2024 - Updated screenshots and instructions due to UI changes

October 3rd, 2022 - Updated screenshots and instructions due to UI changes

Environment before
Environment after
About the author
Avatar
Parveen Singh, opens in a new tab
Cloud Lab Developer
Students
14,591
Labs
95
Courses
1
Learning paths
3

Parveen is an Azure advocate with previous experience in the professional consulting services industries. He specializes in infrastructure and DevOps with a wide range of knowledge in security and access management. He is also an Azure Certified - DevOps Engineer Expert, Security Engineer, Developer Associate, Administrator Associate, CompTIA Certified - Network+, Security+, and AWS Cloud Practitioner.
Parveen enjoys writing about cloud technologies and sharing the knowledge with the community to help students upskill in the cloud.

Covered topics
Security
Microsoft Azure
Security for Azure
Azure Sentinel
Lab steps
Logging in to the Microsoft Azure Portal
Running Custom Queries to Hunt for Threats
Generating Incident from the Sentinel Query Bookmarks