What’s New: Azure Sentinel Threat Hunting Enhancements
Published Jun 04 2020 06:00 AM 13.1K Views

This blog post is a collaboration between @Cristhofer Munoz and @JulianGonzalez (Julian Gonzalez).


This installment is part of a broader series to keep you up to date with the latest features/enhancements in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.


To protect against the current threat landscape, security operations centers (SOC) require a robust set of hunting capabilities. Threat hunting is an iterative, hypothesis-driven process. As the SOC analysts investigate findings, they may either pivot to a new hypothesis, and/or collect additional data to help further evaluate their hypothesis.


To help SOC analysts proactively look for new anomalies that weren't detected by their security solutions, Azure Sentinel's built-in hunting capabilities guide you into asking the right questions to find issues in the data you already have on your network.


We are delighted to introduce a set of enhancements that greatly enrich the analyst experience with Azure Sentinel’s hunting capabilities by better tying them together, as well as by providing prescriptive guidance on best practices and how to make the most of these existing capabilities.


Threat Hunting Enhancements:

  • Guides & Feedback Panel
  • Prescriptive guidance on underlying data
  • Guided Tour
  • Columns Chooser
  • Persistent Settings

Guides & Feedback

To orient and provide prescriptive guidance on how to maximize the use of the threat hunting capabilities, we’ve added a “Guides & Feedback” panel to Livestream and Notebooks experiences. The panel provides rich information on the technical functionality of the capability, users can find new releases and updates about the feature, and useful links to best practices, tutorials, and links to blogs.


The “Guides & Feedback” panel provides the opportunity to share your ideas and experience with our core engineering team and vote/add your ideas on the Azure Sentinel user voice platform.


We plan to expand the "Guides & Feedback" panels to other features across Azure Sentinel to orient and provide recommended practices and useful links to documentation/tutorials.


Guides & Feedback.gif


Prescriptive guidance on underlying data

Data is the foundation for all your efforts in Azure Sentinel, revisiting data collection conversations will ensure that you have the necessary data to satisfy your use cases in Azure Sentinel.  When creating a custom hunting query, we provide prescriptive guidance on the underlying data that is necessary to detect the use case and links to the enable the appropriate data connector.




Guided Tour

For first-time users we've incorporated a guided tour window that provides knowledge transfer on the new improvements added to the hunting capabilities. We will expand the information in the guided tours to provide guidelines on how to initiate your proactive threat hunting journey.




New Columns chooser

The Columns button allows users to personalize the grid by selecting the relevant columns and their order. This enables SOC analysts to have deep flexibility and control over the grid view. 


The hunting queries grid offers 3 new columns: Created By, Created Time and Entities.

The bookmarks grid offers 3 new columns: Updated By, Updated Time and Notes.




Persistent Settings

Any changes users make to the grid are now persistent across sessions. That includes: columns width, sorting orders and filter. This enhancement will impact the way your SOC Analyst across Azure Sentinel's hunting capabilities by saving their grid preferences, hence maximizing their scarce time.


Get started today!


We encourage you to leverage the new enhancements to maximize usage of Azure Sentinel out the box threat hunting capabilities.


Try it out, and let us know what you think!

1 Comment
Version history
Last update:
‎Jun 24 2020 10:09 AM
Updated by: