Chapter 5

Hunting

In the previous chapters, you learned about authoring detection rules and how to triage and manage incidents. In this chapter, you will learn about hunting, or threat hunting to be more specific. In the world of cybersecurity, threat hunting is about proactively searching for threats or a set of activities that you have not previously detected. This is the main difference between threat hunting and incident response (IR) or alert triage, where you are investigating a detection or an alert. The focus of this chapter is to learn about Microsoft Sentinel’s threat-hunting capabilities.

Understanding threat hunting

Typically, investigating an incident or an alert starts with the assumption of a true positive. Threat hunting starts with a hypothesis. ...

Get Microsoft Sentinel: Planning and implementing Microsoft's cloud-native SIEM solution, 2nd Edition now with the O’Reilly learning platform.
