Turning Threat Hunts into Repeatable Detections Using MITRE ATT&CK
Threat hunting in Microsoft Sentinel goes beyond relying on scheduled analytics rules. It’s about proactively asking better questions of your data to uncover stealthy or emerging attacker behavior before it turns into an incident. Effective hunting helps security teams spot activity that may never trigger an alert but still represents meaningful risk. Over time, these proactive hunts strengthen overall detection coverage and improve SOC maturity.
In this post, I’ll walk through five high‑value Sentinel hunting queries that security teams can use to uncover suspicious activity across identity, endpoints, and cloud resources. Each example focuses on why the hunt matters and what attacker behavior it can reveal. To make these hunts actionable and measurable, each query is explicitly mapped to MITRE ATT&CK tactics and techniques. This alignment helps teams communicate coverage, prioritize investigations, and evolve successful hunts into repeatable detections.
1. Rare Sign‑In Locations for Privileged Accounts
Why it matters
Privileged identities are prime targets. A successful sign‑in from an unusual geography may indicate compromised credentials or token theft.
What to hunt
Look for successful sign‑ins by privileged users from locations they rarely use.
```kusto
// MITRE ATT&CK: T1078 (Valid Accounts), T1078.004 (Cloud Accounts) | Tactic: Initial Access
// Outer side: successful sign-ins by accounts whose UPN suggests privilege.
// The has_any filter is a naming heuristic; substitute your own list of privileged accounts.
SigninLogs
| where ResultType == 0
| where UserPrincipalName has_any ("admin", "svc")
| summarize count() by UserPrincipalName, Location
// leftanti keeps only (user, location) pairs that never appear in the baseline,
// i.e. locations this account was not seen signing in from more than 30 days ago
| join kind=leftanti (
    SigninLogs
    | where TimeGenerated < ago(30d)
    | summarize count() by UserPrincipalName, Location
) on UserPrincipalName, Location
```
What to investigate next
- Conditional Access policies applied
- MFA enforcement status
- Correlation with device compliance or impossible travel alerts
2. Multiple Failed Logons Followed by Success
Why it matters
This pattern often indicates password spraying, brute force activity, or attackers testing credential validity before gaining access.
What to hunt
```kusto
// MITRE ATT&CK: T1110 (Brute Force), T1110.003 (Password Spraying), T1110.001 (Password Guessing) | Tactic: Credential Access
// Related: T1078 (Valid Accounts) once authentication succeeds
SigninLogs
// ResultType 0 is a successful sign-in; any other value is a failure
| summarize
    Failed = countif(ResultType != 0),
    Success = countif(ResultType == 0)
    by UserPrincipalName, bin(TimeGenerated, 1h)
// bin() uses fixed clock-hour buckets: failures at 10:55 and a success at 11:01 land in different bins
| where Failed > 5 and Success > 0
```
What to investigate next
- IP reputation and ASN
- Whether failures span multiple users (spray behavior)
- Subsequent mailbox, SharePoint, or Azure activity
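The following Python is an added example (not code from the original post) that replays hunt 2 over a handful of constructed SigninLogs-like records. It implements the query's fixed `bin(TimeGenerated, 1h)` logic, a sliding-window variant that does not depend on clock-hour boundaries, and the "failures spanning multiple users" check from the investigation list. The record fields, result codes, IP addresses and thresholds are assumptions made for the illustration.

```python
"""Replay of hunt 2 (failed logons followed by success) over constructed sign-in records.
Added example, not part of the original post; all sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed records mimicking the SigninLogs columns the hunt uses.
# ResultType 0 = success, anything else = failure (same semantics as the KQL).
SAMPLE_SIGNINS = [
    # alice: 6 failures then a success inside one clock hour -> caught by the 1h bin
    *[{"TimeGenerated": "2024-05-01T10:0%d:00Z" % i, "UserPrincipalName": "alice@example.com",
       "IPAddress": "203.0.113.10", "ResultType": 50126} for i in range(6)],
    {"TimeGenerated": "2024-05-01T10:08:00Z", "UserPrincipalName": "alice@example.com",
     "IPAddress": "203.0.113.10", "ResultType": 0},
    # bob: 6 failures at 10:54-10:59, success at 11:01 -> straddles the bin boundary
    *[{"TimeGenerated": "2024-05-01T10:5%d:00Z" % (4 + i), "UserPrincipalName": "bob@example.com",
       "IPAddress": "203.0.113.20", "ResultType": 50126} for i in range(6)],
    {"TimeGenerated": "2024-05-01T11:01:00Z", "UserPrincipalName": "bob@example.com",
     "IPAddress": "203.0.113.20", "ResultType": 0},
    # spray-shaped noise: one source IP, a single failure against each of many users
    *[{"TimeGenerated": "2024-05-01T12:00:%02dZ" % i, "UserPrincipalName": "user%d@example.com" % i,
       "IPAddress": "198.51.100.7", "ResultType": 50126} for i in range(12)],
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def failed_then_success_binned(records, failed_threshold=5, bin_size=timedelta(hours=1)):
    """Mirror of the KQL: per user and fixed time bin, Failed > threshold and Success > 0."""
    stats = defaultdict(lambda: {"Failed": 0, "Success": 0})
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    for r in records:
        ts = parse_ts(r["TimeGenerated"])
        bin_start = epoch + (ts - epoch) // bin_size * bin_size   # same bucketing as bin()
        key = (r["UserPrincipalName"], bin_start)
        stats[key]["Failed" if r["ResultType"] != 0 else "Success"] += 1
    return sorted(user for (user, _), c in stats.items()
                  if c["Failed"] > failed_threshold and c["Success"] > 0)


def failed_then_success_sliding(records, failed_threshold=5, window=timedelta(hours=1)):
    """Sliding window: a success preceded by more than `threshold` failures within `window`,
    so a sequence that crosses a clock-hour boundary is still found."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["UserPrincipalName"]].append((parse_ts(r["TimeGenerated"]), r["ResultType"]))
    hits = []
    for user, events in by_user.items():
        events.sort()
        for i, (ts, result) in enumerate(events):
            if result != 0:
                continue
            failures = sum(1 for t, res in events[:i] if res != 0 and ts - t <= window)
            if failures > failed_threshold:
                hits.append(user)
                break
    return sorted(hits)


def spray_sources(records, min_distinct_users=10):
    """Investigation item 'whether failures span multiple users': failures from one
    source IP against many distinct accounts, which a per-user threshold never sees."""
    users_by_ip = defaultdict(set)
    for r in records:
        if r["ResultType"] != 0:
            users_by_ip[r["IPAddress"]].add(r["UserPrincipalName"])
    return {ip: len(users) for ip, users in users_by_ip.items() if len(users) >= min_distinct_users}


if __name__ == "__main__":
    print("binned  :", failed_then_success_binned(SAMPLE_SIGNINS))
    print("sliding :", failed_then_success_sliding(SAMPLE_SIGNINS))
    print("spray   :", spray_sources(SAMPLE_SIGNINS))
```

The binned version reports only alice; bob's sequence is split across two bins and is missed, while the sliding version reports both. The spraying source is invisible to either per-user function and only surfaces when failures are grouped by source address, which is why the investigation list asks whether failures span multiple users.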
3. Unusual Process Execution on Endpoints
Why it matters
Attackers often use “living off the land” binaries (LOLBins) such as powershell.exe, wmic.exe, or rundll32.exe to evade detection.
What to hunt
```kusto
// MITRE ATT&CK: T1059 (Command and Scripting Interpreter),
// T1059.001 (PowerShell), T1059.003 (Windows Command Shell) | Tactic: Execution
// Related: T1218 (Signed Binary Proxy Execution) when rundll32 and other signed binaries are abused
DeviceProcessEvents
// in~ is case-insensitive, so PowerShell.exe and powershell.exe both match
| where FileName in~ ("powershell.exe", "wmic.exe", "rundll32.exe")
// drop the two most common benign parents; extend this list from your own baseline of expected parents
| where InitiatingProcessFileName !in~ ("explorer.exe", "services.exe")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
```
What to investigate next
- Encoded or obfuscated command lines
- Parent process legitimacy
- User context and device risk score
4. Newly Created or Modified Service Principals
Why it matters
Service principals are often abused for persistence or privilege escalation in Azure environments.
What to hunt
```kusto
// MITRE ATT&CK: T1098 (Account Manipulation), T1098.001 (Additional Cloud Credentials) | Tactic: Persistence
AuditLogs
| where OperationName in ("Add service principal", "Update service principal")
// InitiatedBy and TargetResources are dynamic columns; expand them to see the actor and the modified properties
| project TimeGenerated, InitiatedBy, TargetResources, OperationName
```
What to investigate next
- Assigned API permissions or directory roles
- Token usage after creation
- Correlation with unfamiliar IP addresses
5. Rare Azure Resource Access Patterns
Why it matters
Attackers exploring your environment often access subscriptions or resource groups they’ve never touched before.
What to hunt
```kusto
// MITRE ATT&CK: T1526 (Cloud Service Discovery), T1069.003 (Permission Groups Discovery: Cloud) | Tactic: Discovery
AzureActivity
| summarize count() by Caller, ResourceGroup
// leftanti keeps only (caller, resource group) pairs with no match in the baseline
// of activity older than 30 days, i.e. resource groups this caller has not touched before
| join kind=leftanti (
    AzureActivity
    | where TimeGenerated < ago(30d)
    | summarize count() by Caller, ResourceGroup
) on Caller, ResourceGroup
```
What to investigate next
- Role assignments for the caller
- Whether access aligns with job function
- Any subsequent configuration changes
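Hunts 1 and 5 share one pattern: summarize an (identity, place) pair over a recent window and leftanti-join it against a baseline older than 30 days. The Python below is an added example, not code from the original post, that implements that pattern once for both table shapes over constructed records. It assumes a fixed "now", a 30-day hunt window for the outer side (the KQL leaves the outer side unbounded), and also reports identities that have no baseline history at all, because every pair for such an identity is "rare" and would otherwise flood the result.

```python
"""Baseline rarity check shared by hunt 1 (SigninLogs) and hunt 5 (AzureActivity).
Added example, not part of the original post; all sample data is constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)   # constructed "now" for a deterministic run
BASELINE_DAYS = 30


def summarize_by(records, keys):
    """Equivalent of `summarize count() by <keys>`: a Counter keyed on the key tuple."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def rare_pairs(records, keys, now=NOW, baseline_days=BASELINE_DAYS):
    """Equivalent of the leftanti join: key tuples seen in the hunt window (last
    `baseline_days` days) that never appear in the baseline (older than that).
    Returns (rare_pairs_with_counts, identities_with_no_baseline)."""
    cutoff = now - timedelta(days=baseline_days)
    baseline = summarize_by([r for r in records if r["TimeGenerated"] < cutoff], keys)
    current = summarize_by([r for r in records if r["TimeGenerated"] >= cutoff], keys)
    rare = {k: n for k, n in current.items() if k not in baseline}
    # first column of the key is the identity (UserPrincipalName or Caller)
    known_identities = {k[0] for k in baseline}
    no_history = sorted({k[0] for k in rare if k[0] not in known_identities})
    return rare, no_history


def rec(days_ago, **fields):
    """Build a constructed record timestamped `days_ago` days before NOW."""
    return {"TimeGenerated": NOW - timedelta(days=days_ago), **fields}


# Hunt 1 shape: SigninLogs-like (UserPrincipalName, Location)
SIGNINS = [
    rec(45, UserPrincipalName="admin-ops@example.com", Location="US"),
    rec(40, UserPrincipalName="admin-ops@example.com", Location="US"),
    rec(2, UserPrincipalName="admin-ops@example.com", Location="US"),   # in baseline -> not rare
    rec(1, UserPrincipalName="admin-ops@example.com", Location="BR"),   # new location -> rare
    rec(1, UserPrincipalName="svc-backup@example.com", Location="DE"),  # identity has no baseline
]

# Hunt 5 shape: AzureActivity-like (Caller, ResourceGroup)
AZURE_ACTIVITY = [
    rec(60, Caller="jane@example.com", ResourceGroup="rg-prod-web"),
    rec(3, Caller="jane@example.com", ResourceGroup="rg-prod-web"),
    rec(3, Caller="jane@example.com", ResourceGroup="rg-prod-web"),
    rec(2, Caller="jane@example.com", ResourceGroup="rg-keyvault"),     # never touched before -> rare
]


def rare_signin_locations():
    return rare_pairs(SIGNINS, ("UserPrincipalName", "Location"))


def rare_resource_access():
    return rare_pairs(AZURE_ACTIVITY, ("Caller", "ResourceGroup"))


if __name__ == "__main__":
    print("hunt 1:", rare_signin_locations())
    print("hunt 5:", rare_resource_access())
```

A pair is only "rare" relative to what the baseline has seen, so the 30-day split matters: shorten it and yesterday's first visit becomes today's baseline; lengthen it and the result is dominated by accounts and callers created after the cutoff, which the `no_history` list separates out so they can be triaged as onboarding rather than as discovery.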
Summary Table
This table summarizes each Sentinel threat hunting query and maps it directly to the corresponding MITRE ATT&CK tactic and technique. By aligning hunts to ATT&CK, security teams can clearly communicate what adversary behaviors are being proactively investigated and identify gaps in coverage. This mapping also makes it easier to prioritize hunts, measure maturity, and transition high‑value hunts into analytics rules over time.
| Sentinel Hunt | MITRE Tactic | MITRE Technique |
|---|---|---|
| Rare privileged sign‑ins | Initial Access | T1078 – Valid Accounts |
| Failed then successful logons | Credential Access | T1110 – Brute Force |
| LOLBin execution | Execution | T1059 / T1218 |
| Service principal changes | Persistence | T1098.001 |
| Rare resource access | Discovery | T1526 / T1069.003 |
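Promoting a hunt to an analytics rule is where the ATT&CK mapping pays off, because Sentinel scheduled rules carry the tactic and technique as rule properties. The Python below is an added example, not code or tooling from the original post: it turns hunt 2, with its mapping from the table above, into the ARM resource for a scheduled rule and sanity-checks the result before deployment. It assumes the resource shape for `Microsoft.SecurityInsights/alertRules` (kind `Scheduled`) as the author of this example knows it, uses a placeholder workspace name and API version, and converts the tactic names on this page to Sentinel's space-free spelling; confirm the `techniques` property against the API version your deployment tooling targets.

```python
"""Convert an ATT&CK-mapped hunt into a Sentinel scheduled analytics rule resource.
Added example, not part of the original post. Workspace name, rule id and API version are
placeholders/assumptions; the resource layout is the example author's understanding."""
import json
import re
import uuid

# Sentinel's enum spelling for the tactics used on this page (no spaces).
SENTINEL_TACTICS = {"Initial Access": "InitialAccess", "Credential Access": "CredentialAccess",
                    "Execution": "Execution", "Persistence": "Persistence", "Discovery": "Discovery"}
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")          # T1110 or T1110.003
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")   # ISO 8601 subset
FIVE_MINUTES, FOURTEEN_DAYS = 5 * 60, 14 * 24 * 3600      # scheduled-rule frequency/period bounds

HUNT_FAILED_THEN_SUCCESS = {   # hunt 2 from the post with its ATT&CK mapping
    "name": "Multiple failed logons followed by success",
    "tactics": ["Credential Access"],
    "techniques": ["T1110", "T1110.003", "T1110.001"],
    "query": "\n".join([
        "SigninLogs",
        "| summarize Failed=countif(ResultType != 0), Success=countif(ResultType == 0)",
        "    by UserPrincipalName, bin(TimeGenerated, 1h)",
        "| where Failed > 5 and Success > 0",
    ]),
    "entity_column": "UserPrincipalName",
}


def iso_duration_seconds(value):
    m = DURATION_RE.match(value)
    if not m or value in ("P", "PT"):
        raise ValueError("unsupported ISO 8601 duration: %r" % value)
    days, hours, minutes = (int(g or 0) for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60


def to_scheduled_rule(hunt, frequency="PT1H", period="PT1H", severity="Medium",
                      workspace="<workspace-name>", rule_id=None):
    """Build the ARM resource; tactics are translated to Sentinel's enum spelling."""
    return {
        "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
        "apiVersion": "2023-02-01",   # assumption: use the version your tooling targets
        "name": "%s/Microsoft.SecurityInsights/%s" % (workspace, rule_id or uuid.uuid4()),
        "kind": "Scheduled",
        "properties": {
            "displayName": hunt["name"],
            "enabled": True,
            "severity": severity,
            "query": hunt["query"],
            "queryFrequency": frequency,      # how often the rule runs
            "queryPeriod": period,            # how far back each run looks
            "triggerOperator": "GreaterThan",
            "triggerThreshold": 0,
            "suppressionEnabled": False,
            "suppressionDuration": "PT1H",
            "tactics": [SENTINEL_TACTICS[t] for t in hunt["tactics"]],
            "techniques": hunt["techniques"],
            "entityMappings": [{"entityType": "Account",
                                "fieldMappings": [{"identifier": "FullName",
                                                   "columnName": hunt["entity_column"]}]}],
        },
    }


def validate_rule(rule):
    """Return a list of problems; an empty list means mapping and schedule are consistent."""
    p, problems = rule["properties"], []
    if not p["tactics"]:
        problems.append("no tactic: the rule will not appear in ATT&CK coverage views")
    problems += ["malformed technique id %r" % t for t in p["techniques"] if not TECHNIQUE_RE.match(t)]
    freq, period = iso_duration_seconds(p["queryFrequency"]), iso_duration_seconds(p["queryPeriod"])
    if freq < FIVE_MINUTES:
        problems.append("queryFrequency below the 5-minute minimum")
    if freq > FOURTEEN_DAYS or period > FOURTEEN_DAYS:
        problems.append("queryFrequency/queryPeriod above the 14-day maximum")
    if period < freq:
        problems.append("queryPeriod shorter than queryFrequency: events between runs are never examined")
    column = p["entityMappings"][0]["fieldMappings"][0]["columnName"]
    if column not in p["query"]:   # crude substring check; enough to catch a renamed column
        problems.append("entity column %r is not produced by the query" % column)
    return problems


if __name__ == "__main__":
    rule = to_scheduled_rule(HUNT_FAILED_THEN_SUCCESS)
    print(json.dumps(rule, indent=2))
    print("problems:", validate_rule(rule))
```

The period check is the one most often wrong in practice: with a one-hour frequency and a thirty-minute lookback, half of every hour is never queried, and the hunt that worked interactively silently loses coverage once it is scheduled.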
Final Thoughts
Threat hunting in Microsoft Sentinel is most effective when it’s continuous, hypothesis‑driven, and contextual. These queries are starting points, not finished detections. Tune them to your environment, enrich them with UEBA insights, and keep each hunt mapped to its MITRE ATT&CK techniques so it fits into your existing Sentinel content strategy.
If you consistently run hunts like these, you’ll catch suspicious behavior before it triggers an alert or before an attacker reaches their objective.