Threat Analytics & Hunting Graphs
Understand the threat landscape with threat analytics reports, visualise attack blast radius with hunting graphs, and trace entity relationships using Sentinel Graph.
Understanding the threat landscape
Hunting without context is like searching for a needle without knowing what a needle looks like.
Threat analytics in Defender XDR gives you that context — Microsoft publishes reports on active campaigns, new vulnerabilities, and nation-state attacks. Each report tells you: what the threat is, whether your org is affected, and what you should do about it.
Hunting graphs go visual — they show you how entities connect and how far an attack has spread (the blast radius). Sentinel Graph adds relationship analysis between entities across your entire dataset.
Threat analytics
What a threat analytics report contains
| Section | What It Shows |
|---|---|
| Overview | Summary of the threat — what it is, who is behind it, what it targets |
| Analyst report | Detailed write-up with TTPs, IOCs, and MITRE ATT&CK mapping |
| Exposure & mitigations | Whether your org has vulnerable devices or missing configurations |
| Incidents & alerts | Incidents in your environment related to this threat |
| Hunting queries | Pre-built KQL queries to hunt for the threat in your data |
How to use threat analytics
- Review new reports — check the threat analytics dashboard regularly for emerging threats
- Assess exposure — does the report show your org has vulnerable devices?
- Run hunting queries — use the provided queries to check if you are affected
- Apply mitigations — patch vulnerabilities, enable missing protections, update detection rules
- Monitor — track related incidents and alerts over time
Scenario: James responds to a new ransomware campaign
A new threat analytics report lands: “Blackcat 3.0 ransomware targeting healthcare and finance.”
James’s response at Pacific Meridian:
- Opens the analyst report — Blackcat 3.0 exploits unpatched Exchange servers and uses PsExec for lateral movement
- Checks exposure — 3 Exchange servers are missing the latest CU. Report flags them as “exposed.”
- Runs hunting queries — one query finds 2 devices with PsExec activity in the last 7 days (both from IT admins — legitimate)
- Patches the 3 Exchange servers within 24 hours
- Sets up email notifications for future reports matching “ransomware” or “Exchange”
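The hunting-query step of the workflow above, and the PsExec triage in James's scenario, as an added Python example (not code from the page, from Microsoft, or from any threat analytics report). The event records are constructed to look like exported DeviceProcessEvents rows from Advanced Hunting (Timestamp, DeviceName, AccountName, FileName); the indicator list and the IT-admin baseline are placeholders standing in for what the report and the org's own records would supply.

```python
"""Triage of hunting-query hits from a threat analytics report.

Added example (not from the page or from Microsoft). The event records are
constructed to look like DeviceProcessEvents rows from Advanced Hunting
(Timestamp, DeviceName, AccountName, FileName); the indicator list and the
IT-admin baseline are placeholders standing in for what the report and the
org's own records would supply.
"""
from datetime import datetime, timedelta, timezone

# Constructed "now" so the example is deterministic offline.
NOW = datetime(2025, 3, 10, 12, 0, tzinfo=timezone.utc)

# Constructed events. Two PsExec hits inside the 7-day window come from IT
# admins (the scenario's outcome); an older hit from a non-admin account
# sits outside the window; the last row is not an indicator at all.
EVENTS = [
    {"Timestamp": NOW - timedelta(days=1), "DeviceName": "ws-it-01",
     "AccountName": "it.admin1", "FileName": "PsExec64.exe"},
    {"Timestamp": NOW - timedelta(days=3), "DeviceName": "ws-it-02",
     "AccountName": "it.admin2", "FileName": "psexec.exe"},
    {"Timestamp": NOW - timedelta(days=12), "DeviceName": "ws-fin-07",
     "AccountName": "j.doe", "FileName": "PsExec.exe"},
    {"Timestamp": NOW - timedelta(hours=5), "DeviceName": "ws-fin-03",
     "AccountName": "j.doe", "FileName": "notepad.exe"},
]

# Placeholder indicator list: file names the report's hunting query looks for.
REPORT_INDICATORS = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}

# Placeholder baseline: accounts expected to run remote-admin tooling.
IT_ADMIN_ACCOUNTS = {"it.admin1", "it.admin2"}


def hunt_indicators(events, indicators, admin_accounts, now=NOW, lookback_days=7):
    """Return one hit per matching event inside the lookback window.

    Each hit carries a triage status: 'known-admin' when the account is in
    the IT-admin baseline (expected activity, as in James's scenario), or
    'review' when it is not and an analyst must look at it."""
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for event in events:
        if event["Timestamp"] < cutoff:
            continue  # outside the report's hunting window
        if event["FileName"].lower() not in indicators:
            continue  # not one of the report's indicators
        status = "known-admin" if event["AccountName"] in admin_accounts else "review"
        hits.append({"device": event["DeviceName"],
                     "account": event["AccountName"],
                     "file": event["FileName"],
                     "status": status})
    return hits


def summarize(hits):
    """Roll hits up the way an analyst records the outcome of a hunt:
    distinct devices matched, how many are explained by the admin baseline,
    and how many still need review (which decides 'are we affected?')."""
    return {
        "devices": len({h["device"] for h in hits}),
        "known_admin": sum(h["status"] == "known-admin" for h in hits),
        "review": sum(h["status"] == "review" for h in hits),
        "affected": any(h["status"] == "review" for h in hits),
    }


if __name__ == "__main__":
    found = hunt_indicators(EVENTS, REPORT_INDICATORS, IT_ADMIN_ACCOUNTS)
    for hit in found:
        print(hit)
    print(summarize(found))
```

With the 7-day window the hunt reproduces the scenario: two devices, both explained by the IT-admin baseline, nothing to review. Widening the window to 14 days pulls in the older non-admin hit, which lands in the review bucket; the baseline filter is what keeps expected admin activity from being mistaken for the campaign.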
Hunting graphs and blast radius
Hunting graphs visualise the spread of an attack — how entities (users, devices, IPs, files) connect and how far the compromise reached.
Blast radius
The blast radius is the total scope of impact from an attack:
- Devices touched by the attacker
- Users whose accounts were compromised or used
- Data accessed, modified, or exfiltrated
- Services disrupted or degraded
Hunting graphs make this visible — you start from one compromised entity and expand outward to see everything connected to it.
Building a hunting graph
- Start with a known compromised entity (e.g., a user account)
- Expand to related entities (devices the user accessed, IPs they connected from)
- Expand again from those entities (other users on those devices, other connections from those IPs)
- Each expansion layer increases the blast radius view
- Stop expanding when you reach entities with no suspicious activity
Sentinel Graph
Sentinel Graph is the entity relationship model underlying Sentinel’s investigation and hunting capabilities.
What Sentinel Graph enables
| Capability | How It Works |
|---|---|
| Entity relationship queries | Find all entities connected to a specific user, device, or IP |
| Graph-based hunting | Traverse relationships to discover hidden connections |
| Attack path analysis | Trace how an attacker moved from entry point to target |
| Anomaly detection | Identify unusual relationship patterns (new connections, first-time access) |
Sentinel Graph vs investigation graph
| Feature | Investigation Graph (incident) | Sentinel Graph (hunting) |
|---|---|---|
| Scope | Single incident | Entire workspace |
| Trigger | Opened from an incident page | Queried during hunting |
| Purpose | Investigate a known incident | Discover unknown connections |
| Data | Alerts and entities in the incident | All entity relationships across time |
Using Sentinel Graph in practice
Sentinel Graph is the underlying data model that powers entity relationship features across the platform. It surfaces in different ways:
- Investigation graph (in incidents) — the classic incident-scoped entity map
- Hunting graph / blast radius (in Defender XDR) — cross-entity relationship discovery during hunting
- Graphs page (in Sentinel) — custom graph queries against entity relationships in your workspace
Here is a practical workflow using graph-based entity exploration for hunting:
Scenario: Tyler discovers a compromised account. He needs to find all devices and resources the account touched in the last 30 days — not just those in the current incident.
Step 1: Start from the entity. Open the user's entity page. The timeline shows all activities, and the graph view reveals entity relationships powered by Sentinel Graph.
Step 2: Explore connections. From the user entity, the graph reveals:
- Devices the user logged into (5 workstations, 2 servers)
- IP addresses the user connected from (3 office IPs, 1 unknown IP)
- Alerts involving this user across all incidents (not just the current one)
Step 3: Follow suspicious branches. The unknown IP connects to 2 other user accounts — a possible indicator the attacker used the same infrastructure for multiple compromises.
Step 4: Determine blast radius. Tyler now sees the full picture: 1 compromised account → 7 devices → 1 shared attacker IP → 2 additional potentially compromised accounts. The blast radius is larger than the original incident suggested.
Key difference from KQL: Graph-based exploration discovers relationships you might not have thought to query. KQL finds what you specifically ask for; graphs reveal connections you did not know existed.
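The expansion procedure from "Building a hunting graph" and Tyler's blast-radius scenario, as one added Python example (not code from the page and not Sentinel Graph's own implementation). The edge list is constructed to mirror the scenario: one compromised account, the 5 workstations and 2 servers it logged on to, 3 office IPs and 1 unknown IP it signed in from, and 2 further accounts seen from that unknown IP; the "type:name" entity names and the set of entities flagged as suspicious are placeholders. `direct_lookup` stands in for the one-hop question a KQL query answers; `expand_blast_radius` is the layered expansion with the stop rule from the text.

```python
"""Blast-radius expansion over an entity relationship graph.

Added example, not part of the page and not Sentinel Graph's own
implementation. The edge list is constructed to mirror Tyler's scenario;
entity names are "type:name" placeholders.
"""
from collections import defaultdict

# Constructed relationship edges: (entity_a, entity_b, relationship).
EDGES = [
    # compromised account -> 5 workstations and 2 servers
    *[("user:compromised.acct", f"device:ws-{i:02d}", "logon") for i in range(1, 6)],
    ("user:compromised.acct", "device:srv-app01", "logon"),
    ("user:compromised.acct", "device:srv-file01", "logon"),
    # sign-in source IPs for that account (3 office, 1 unknown)
    ("ip:10.1.0.11", "user:compromised.acct", "signin_from"),
    ("ip:10.1.0.12", "user:compromised.acct", "signin_from"),
    ("ip:10.1.0.13", "user:compromised.acct", "signin_from"),
    ("ip:203.0.113.77", "user:compromised.acct", "signin_from"),
    # the unknown IP also signed in as two other accounts
    ("ip:203.0.113.77", "user:other.acct1", "signin_from"),
    ("ip:203.0.113.77", "user:other.acct2", "signin_from"),
    # office IPs and a shared workstation also carry benign users; they are
    # connected, but the stop rule keeps them out of the blast radius
    ("ip:10.1.0.11", "user:benign.acct1", "signin_from"),
    ("ip:10.1.0.12", "user:benign.acct2", "signin_from"),
    ("user:benign.acct3", "device:ws-01", "logon"),
]

# Entities carrying a suspicious signal (constructed): the seed account and
# the unknown IP. Per the text, expansion continues only through these.
SUSPICIOUS = {"user:compromised.acct", "ip:203.0.113.77"}


def build_adjacency(edges):
    """Undirected adjacency: a relationship is traversed in both directions,
    e.g. user -> its devices and IP -> the users seen signing in from it."""
    adj = defaultdict(set)
    for a, b, _relationship in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def direct_lookup(edges, entity):
    """The KQL-style question: what is directly connected to this entity?
    One hop, and only for the entity you explicitly asked about."""
    return sorted(build_adjacency(edges)[entity])


def expand_blast_radius(edges, seed, suspicious, max_layers=5):
    """Layered expansion from a compromised seed entity.

    Returns a list of layers; layer 0 is the seed. Every neighbour of an
    expanded entity is reported, but only entities carrying a suspicious
    signal are expanded again (the seed always expands). Entities with no
    suspicious activity are therefore dead ends, as the text prescribes."""
    adj = build_adjacency(edges)
    seen = {seed}
    layers = [[seed]]
    frontier = [seed]
    while frontier and len(layers) <= max_layers:
        next_layer = []
        for entity in frontier:
            for neighbour in sorted(adj[entity]):
                if neighbour not in seen:
                    seen.add(neighbour)
                    next_layer.append(neighbour)
        if not next_layer:
            break
        layers.append(next_layer)
        # stop rule: only suspicious entities are expanded in the next round
        frontier = [e for e in next_layer if e in suspicious]
    return layers


def count_by_type(entities):
    """Count entities by their type prefix, e.g. {'device': 7, 'ip': 4}."""
    counts = defaultdict(int)
    for entity in entities:
        counts[entity.split(":", 1)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    for depth, layer in enumerate(expand_blast_radius(EDGES, "user:compromised.acct", SUSPICIOUS)):
        print(f"layer {depth}: {count_by_type(layer)} {layer}")
```

Layer 1 is Step 2 of the scenario (7 devices and 4 IPs), layer 2 is Step 3 (the two accounts reached only through the unknown IP), and the 14 reached entities are Step 4's blast radius. The office IPs and the shared workstation are reported as connections but never expanded, so the benign accounts behind them stay out. `direct_lookup` on the compromised account never surfaces the two additional accounts: that two-hop relationship is the kind of connection the text says you would only find by traversing the graph rather than by asking KQL a specific question.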
Exam tip: when to use which investigation tool
The exam tests whether you pick the right tool for the scenario:
| Need | Tool |
|---|---|
| Investigate a specific incident’s entities | Investigation graph (opened from incident page) |
| Discover entity relationships across multiple incidents | Sentinel Graph capabilities (entity exploration, Graphs page) |
| Enumerate all affected entities with specific criteria | Advanced Hunting KQL query |
| Visualise attack spread in Defender XDR | Hunting graph (blast radius) |
| Check if a known threat affects your environment | Threat analytics report |
If the question says “discover connections across multiple incidents,” think Sentinel Graph. If it says “visualise how far this specific attack spread,” think hunting graph with blast radius.
A new threat analytics report shows that 3 of Pacific Meridian's Exchange servers are vulnerable to Blackcat 3.0 ransomware. What should James do first?
Elena needs to understand how far a compromise spread from one device to other systems at Atlas Bank. She wants a visual representation. What tool should she use?
🎬 Video coming soon
Next up: two more modules to go, starting with querying archived data with Data Lake KQL jobs and Summary rules.