Special thanks to BenNick, Chi_Nguyen, and AdiBiran who contributed to this article.
Sophisticated attackers can spend months lurking in an environment before being detected. To counter this, threat hunting capabilities must support proactive hunting and searching across long time periods, so that analysts can discover and analyze threats months or even years after the event occurred. For this reason, we keep investing not only in making threat hunting easier and more productive, but also in providing new low-cost ingestion and retention options that help analysts collect and store the data they will inevitably need for their hunts. We are excited to share these threat hunting updates, which will enable our customers to store more data, be more proactive, and ultimately do more with fewer resources.
Be sure to check out the corresponding announcement from the Azure Monitor team.
Enjoy!
The Sentinel Threat Hunting Team
General Availability (GA) of new Threat Hunting capabilities:
Archived Logs and Basic Logs plans. Archived Logs enable expanded low-cost log retention for up to 7 years. Basic Logs enable log ingestion at a lower price for high-volume, low-value logs. See here for more information on pricing. These log plans can now be enabled from the workspace table settings (Settings > Workspace Settings > Tables). (Learn more)
Asynchronous search across massive data sets. Search jobs are now available in the Logs interactive query interface for performing asynchronous, long-running searches over massive log volumes in every log data plan, including Analytics, Basic, and Archive. (Learn more)
Restore archived logs with Sentinel Search. For scenarios that require full interactive KQL functionality for log events that are currently archived, use Log Restore. From within the new Sentinel Search experience, pick a table and a date range to enable fully functional, high performance KQL queries. (Learn more)
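The following KQL shows how a search job and a log restore fit together in a long-range hunt. It is an added example, not code from the original post or from Microsoft. It assumes a workspace with the CommonSecurityLog table on the Basic or Archive plan, a constructed IP indicator, and the Azure Monitor naming convention in which a search job writes its results to a new table with the `_SRCH` suffix and a restore creates a table with the `_RST` suffix.

```kql
// Step 1: the search job query. Submit this from Logs > Search job with a
// long time range (for example the last 18 months). Search jobs accept only a
// restricted subset of KQL, so keep this stage to a simple filter; the heavy
// lifting happens on the results table afterwards.
// 203.0.113.42 is a constructed indicator for this example.
CommonSecurityLog
| where DestinationIP == "203.0.113.42"

// Step 2: the job writes matching rows into an Analytics-tier table named
// CommonSecurityLog_SRCH (assumed naming). Full interactive KQL works here,
// so summarize who talked to the indicator and when, across the whole range.
CommonSecurityLog_SRCH
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SourceIP, DeviceVendor, DeviceProduct
| order by Events desc

// Step 3: when the hunt needs the complete archived table rather than a
// filtered slice (for example to pivot on fields the search query did not
// select), run a Log Restore for the same table and date range. The restored
// copy (assumed name CommonSecurityLog_RST) supports the full KQL surface,
// including joins against live Analytics tables.
CommonSecurityLog_RST
| where SourceIP in (
    CommonSecurityLog_SRCH
    | distinct SourceIP)
| summarize Destinations = make_set(DestinationIP, 100),
            Ports = make_set(DestinationPort, 50),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SourceIP
| order by array_length(Destinations) desc
```

Run the search job first and work from the `_SRCH` table while it is cheap to iterate; reserve a restore for the cases where the filtered results are not enough, since a restore brings the whole table slice back into interactive retention.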
Customized Sentinel hunting queries with MITRE ATT&CK®. Identify gaps in and strengthen your threat hunting program by applying MITRE ATT&CK® tactics and techniques to your custom threat hunting queries. (Learn more)
Expanded entity support with hunting queries. Map entity types such as file hash or mailbox within your hunting queries. Any bookmarks created from these hunting queries can be explored in the Entity, Incident, and/or Investigation graph user experiences. (Learn more)
Azure Data Explorer (ADX) queries with hunting queries. Use Azure Data Explorer (ADX) queries from within the Sentinel Hunting and Livestream user experiences. (Learn more about ADX queries from Log Analytics)
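As an added illustration of the MITRE ATT&CK® and entity mapping features above (this is example code, not a query shipped by Microsoft or taken from the original post), here is a hunting query that looks for the same attachment hash delivered to several mailboxes. It assumes the Microsoft 365 Defender connector is populating the EmailEvents and EmailAttachmentInfo tables; the extension list and the threshold of three recipients are constructed values for the example.

```kql
// Hunting query: one attachment hash delivered to multiple mailboxes.
// When saving this query in Sentinel > Hunting, set:
//   Tactics:    Initial Access
//   Techniques: T1566.001 (Spearphishing Attachment)
//   Entity mapping:
//     Mailbox  -> MailboxPrimaryAddress := RecipientEmailAddress
//     FileHash -> Algorithm := HashAlgorithm, Value := FileHashValue
//     Account  -> FullName  := SenderFromAddress
// Bookmarks created from the results then carry the mailbox and hash entities
// into the Entity, Incident, and Investigation graph experiences.
let lookback = 30d;
// Constructed list of attachment types worth a closer look in this example.
let watchedTypes = dynamic(["iso", "img", "lnk", "vbs", "js", "hta"]);
let minRecipients = 3;
// Hashes that reached at least minRecipients distinct mailboxes.
let spreadHashes =
    EmailAttachmentInfo
    | where TimeGenerated > ago(lookback)
    | where isnotempty(SHA256) and FileType in~ (watchedTypes)
    | summarize RecipientCount = dcount(RecipientEmailAddress) by SHA256
    | where RecipientCount >= minRecipients;
EmailAttachmentInfo
| where TimeGenerated > ago(lookback)
| where SHA256 in (spreadHashes | project SHA256)
// Keep only mail that was actually delivered, and pick up the subject.
| join kind=inner (
    EmailEvents
    | where TimeGenerated > ago(lookback)
    | where DeliveryAction == "Delivered"
    | project NetworkMessageId, RecipientEmailAddress, Subject
  ) on NetworkMessageId, RecipientEmailAddress
| lookup spreadHashes on SHA256
// One row per mailbox, with the columns the entity mapping refers to.
| extend HashAlgorithm = "SHA256", FileHashValue = SHA256
| project TimeGenerated, RecipientEmailAddress, SenderFromAddress, Subject,
          FileName, FileType, HashAlgorithm, FileHashValue, RecipientCount
| order by RecipientCount desc, TimeGenerated asc
```

Keeping one row per mailbox, rather than collapsing recipients into a set, matters for the entity mapping: each bookmark then resolves to exactly one Mailbox entity and one FileHash entity, which is what the investigation graph expects.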
Upcoming Threat Hunting capabilities in Preview
Over the next several days, these new capabilities will be rolling out to all regions in Preview!
Advanced KQL editor for Sentinel Search jobs. An advanced KQL editor for creating search jobs that supports operators such as project, parse, and extend. (Learn more about the supported KQL operators)
One-click bookmarks in Sentinel Search results. Recording contextual observations for later reference is now made easier with one-click bookmarks. By bookmarking results returned by Sentinel Search, users can save, tag, and annotate events to revisit and investigate as part of a larger incident or threat hunt. (Learn more)
Non-KQL result filtering of Sentinel Search results. Use simple UI filters to accelerate analyst productivity. Filters automatically populate with filterable values. (Learn more)
Coming Soon!
Federated Search with Azure Data Lake. Search event data stored in Azure Data Lake Storage Gen2 (ADLS Gen2) using the Sentinel Search UI, and perform searches at massive scale across high-volume log data kept in a separate data lake. Sentinel Search automatically imports the search results back into Sentinel, so that high-volume log data in the data lake (such as firewall logs or threat intelligence data) can be correlated with Sentinel data in investigation, hunting, and reporting scenarios.
The private preview is available on a sign-up basis. Please sign up via this form: https://aka.ms/searchOverAdlsSignup.
Learn more
Microsoft is committed to empowering our customers with modern security tools and platforms that provide critical protection for your organization and users. To learn more about Microsoft Sentinel capabilities and new announcements, see:
- Microsoft Sentinel: https://aka.ms/microsoftsentinel
- Ignite Announcement: Microsoft Sentinel: What's New at Microsoft Ignite
- Blogs: Microsoft Sentinel Blog - Microsoft Tech Community
Microsoft Sentinel is a cloud-native SIEM, enriched with AI and automation to provide expansive visibility across your digital environment.