SC-200 Study Guide

Domain 1: Manage a Security Operations Environment

  • Sentinel Workspace: Roles & Retention
  • Get Windows Events Into Sentinel
  • Syslog, CEF & Azure Data Ingestion
  • Defender for Endpoint: Core Setup
  • Attack Surface Reduction & Security Policies
  • Defender XDR: Tune Your Alerts
  • Automated Investigation & Attack Disruption
  • Sentinel Automation: Rules & Playbooks
  • Custom Detections in Defender XDR
  • Sentinel Analytics & Threat Intelligence
  • MITRE ATT&CK & Anomaly Detection
  • Detection Engineering: Putting It All Together

Domain 2: Respond to Security Incidents

  • Incident Triage: From Alert to Verdict Free
  • Purview & Defender for Cloud Threats
  • Identity Threats: Entra & Defender for Identity
  • Cloud App Security: Investigate Shadow IT
  • Sentinel Incident Response
  • Copilot for Security: Your AI Analyst
  • Complex Attacks & Lateral Movement
  • Endpoint: Timeline & Live Response
  • Endpoint: Evidence & Entity Investigation
  • M365 Investigations: Audit, Search & Graph

Domain 3: Perform Threat Hunting

  • KQL Foundations for Threat Hunters Free
  • Advanced Hunting in Defender XDR Free
  • Sentinel Hunting: Build & Monitor Queries
  • Threat Analytics & Hunting Graphs
  • Data Lake: KQL Jobs & Summary Rules
  • Notebooks & the Sentinel MCP Server

Domain 3: Perform Threat Hunting Premium ⏱ ~11 min read

Sentinel Hunting: Build & Monitor Queries

Sentinel hunting extends beyond Defender XDR data. Learn how to create hunting queries in Sentinel, monitor them over time, and use livestream for emerging threats.

Sentinel hunting vs Defender XDR hunting

☕ Simple explanation

Defender XDR hunting searches Defender data. Sentinel hunting searches everything.

Sentinel’s hunting queries run against your entire Log Analytics workspace — that includes Defender data, but also firewall logs, Syslog, custom application logs, Azure activity logs, and anything else you have ingested. If your data is in Sentinel, you can hunt through it.

Sentinel also adds tools that Defender XDR does not have: bookmarks to save interesting findings during a hunt, livestream to watch for emerging threats in real-time, and built-in hunting queries from the Content Hub that you can run with one click.

Sentinel’s hunting experience queries the full Log Analytics workspace using KQL. While Defender XDR hunting is limited to Defender tables (30-day retention), Sentinel hunting can query any ingested data source — including third-party logs, custom tables, and archived data.

Key Sentinel hunting features: built-in hunting queries (categorised by MITRE ATT&CK), bookmarks (save and annotate findings), livestream (near-real-time monitoring), and hunting metrics (track hunting activities across the team).

Creating hunting queries

Sentinel provides a Hunting page with:

Built-in queries

Hundreds of pre-built hunting queries from Microsoft and the community, categorised by MITRE ATT&CK tactic. Click Run to execute any of them immediately.

Custom queries

Write your own KQL hunting queries and save them for reuse:

Syslog
| where TimeGenerated > ago(24h)
| where Facility in ("auth", "authpriv")   // sshd logs to authpriv on most distributions, so "auth" alone misses it
| where SyslogMessage has "Failed password"
| summarize FailedAttempts = count() by HostName, SourceIP = extract("from ([0-9.]+)", 1, SyslogMessage)
| where FailedAttempts > 20
| sort by FailedAttempts desc

This query hunts for SSH brute force on Linux servers — something Defender XDR cannot see because it only covers Windows/Mac endpoints.

Bookmarks

During a hunt, you find something interesting but are not ready to create an incident yet. Bookmarks let you:

  • Save specific query results with annotations
  • Tag findings for follow-up
  • Promote bookmarks to incidents when the evidence is strong enough

💡 Scenario: Anika's weekly hunting routine

Every Friday, Anika at Sentinel Shield runs a structured hunting session for her top clients:

  1. Run built-in queries for the week’s MITRE techniques (focused on client’s threat profile)
  2. Custom query: unusual Syslog patterns — hunt for anomalies in Linux server authentication
  3. Custom query: firewall deny spikes — find sudden increases in blocked connections
  4. Bookmark anything suspicious for the weekly review meeting
  5. Promote confirmed findings to incidents with analyst assignment

Over 3 months, Anika’s hunting discovered 4 threats that analytics rules missed — including a slow-and-low credential stuffing attack that stayed below alert thresholds.

Monitoring hunting queries

Livestream

Livestream monitors your hunting query in near-real-time. Instead of running a query once, livestream continuously evaluates it and alerts you when new results appear.

Use livestream when:

  • You are tracking an active campaign and want to know the moment new indicators appear
  • A new vulnerability is announced and you want to watch for exploitation attempts
  • You suspect an insider threat and want real-time monitoring of their activity

Worked example: a complete Sentinel hunt

Let’s walk through a real hunting session step by step.

Hypothesis: Anika suspects that attackers are using compromised credentials to access a client’s Linux servers outside business hours.

Step 1: Write the hunting query

Syslog
| where TimeGenerated > ago(7d)
| where Facility == "auth" or Facility == "authpriv"
| where SyslogMessage has "Accepted"
| extend Hour = datetime_part("hour", TimeGenerated)
| where Hour < 6 or Hour >= 22  // Outside business hours (6 AM - 10 PM); ">= 22" keeps the 10 PM hour out of business hours
| summarize LoginCount = count(), Servers = make_set(HostName) by SourceIP = extract("from ([0-9.]+)", 1, SyslogMessage)
| where LoginCount > 3
| sort by LoginCount desc

Step 2: Review results

The query returns 4 rows. Three are known admin IPs from the client’s VPN range. One is an unfamiliar IP (203.0.113.77) that logged into 3 different servers at 2 AM with 12 successful authentications.

Step 3: Bookmark the finding

Anika bookmarks the suspicious IP with annotations: “Unknown IP, 12 logins at 2 AM across 3 servers. Not in client VPN range. Investigate.”

Step 4: Enrich with threat intel

She queries the ThreatIntelligenceIndicator table:

ThreatIntelligenceIndicator
| where NetworkIP == "203.0.113.77"
| project ConfidenceScore, ThreatType, Description, ExpirationDateTime

Match found: this IP is flagged as a credential-stuffing source with 85% confidence.

Step 5: Promote to incident

Anika promotes the bookmark to a full incident, assigns it to Wei (Tier 2), and starts containment — block the IP and rotate credentials for the 3 affected server accounts.

Step 6: Save as detection

The hunting pattern worked. Anika saves a modified version as a scheduled analytics rule running daily, checking for off-hours logins from non-VPN IPs.
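The Step 6 rule query written out, as an added example rather than the page's or Microsoft's own content: it narrows the hunt to the last day, excludes an assumed client VPN range of 198.51.100.0/24 (a placeholder), and filters on the sshd process (an assumption the hunt above did not make).

```kql
// Added example: scheduled-rule version of the off-hours SSH login hunt.
// Assumptions (not from the page): the client's VPN egress range is
// 198.51.100.0/24 (placeholder), SSH logins come from the sshd process,
// and business hours are 06:00-22:00 in UTC.
let VpnRanges = dynamic(["198.51.100.0/24"]);   // placeholder client VPN range
let BusinessStart = 6;                          // 06:00
let BusinessEnd = 22;                           // 22:00 (exclusive)
Syslog
| where TimeGenerated > ago(1d)                  // rule runs daily, so look back one day
| where Facility in ("auth", "authpriv")         // sshd logs to authpriv on most distributions
| where ProcessName == "sshd"
| where SyslogMessage has "Accepted"             // "Accepted password for" / "Accepted publickey for"
| extend SourceIP = extract(@"from ([0-9.]+)", 1, SyslogMessage)
| extend User = extract(@"Accepted \w+ for (\S+) from", 1, SyslogMessage)
| where isnotempty(SourceIP)                     // drops IPv6 and malformed lines; widen the regex if you need them
// TimeGenerated is UTC; use datetime_utc_to_local(TimeGenerated, "<tz>") for a client in another zone
| extend Hour = datetime_part("hour", TimeGenerated)
| where Hour < BusinessStart or Hour >= BusinessEnd
| where not(ipv4_is_in_any_range(SourceIP, VpnRanges))   // known VPN sources are expected off-hours
| summarize LoginCount = count(),
            Servers = make_set(HostName),
            Users = make_set(User),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SourceIP
| where LoginCount > 3
| sort by LoginCount desc
```

In the analytics rule wizard, map SourceIP to the IP entity so the resulting incident carries the address for the same threat-intel lookup Anika ran in Step 4.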

Hunting metrics

Track your team’s hunting activities:

  • Queries run — how many hunts were conducted
  • Bookmarks created — findings saved for follow-up
  • Incidents created from hunts — bookmarks promoted to incidents
  • Time spent hunting — measure hunting investment vs results

Defender XDR hunting is deep in Microsoft data; Sentinel hunting is broad across all data

| Feature | Defender XDR Advanced Hunting | Sentinel Hunting |
| --- | --- | --- |
| Data scope | Defender tables only (endpoint, email, identity, cloud apps) | All ingested data (Defender + third-party + custom + Syslog) |
| Data retention | 30 days | Configurable (90 days Analytics, years in Data lake) |
| Bookmarks | No | Yes — save and annotate findings |
| Livestream | No | Yes — near-real-time monitoring |
| Built-in queries | Some examples | Hundreds, categorised by MITRE ATT&CK |
| Save as detection | Custom detection rules | Analytics rules (scheduled) |
| Best for | Cross-product Microsoft hunting | Cross-source hunting including third-party data |

Question

What are bookmarks in Sentinel hunting and why are they useful?

Answer

Bookmarks save specific query results with annotations and tags during a hunting session. They let you mark interesting findings for follow-up without creating an incident immediately. When evidence is confirmed, you can promote a bookmark to a full incident.

Question

What is livestream in Sentinel and when should you use it?

Answer

Livestream continuously evaluates a hunting query and alerts you when new results appear in near-real-time. Use it when tracking active campaigns, monitoring for new vulnerability exploitation, or watching suspicious user activity.

Question

Why would you hunt in Sentinel instead of Defender XDR?

Answer

Sentinel hunting queries ALL ingested data — including third-party firewalls, Syslog from Linux, custom application logs, and Azure activity logs. Defender XDR only searches its own tables (endpoint, email, identity, cloud apps). Use Sentinel for cross-source hunting.

Knowledge Check

Anika's hunting query finds SSH brute force attempts on a client's Linux servers. She wants to save the results for discussion at Friday's review meeting without creating an incident yet. What should she use?

Knowledge Check

A new zero-day vulnerability is announced for a popular web framework. Tyler wants to watch CipherStack's network in real-time for exploitation attempts. Which Sentinel feature should he use?

Next up: Hunting queries are built. Now let’s explore threat analytics and hunting graphs — understanding the broader threat landscape and tracing entity relationships.

© 2026 Sutheesh. All rights reserved.