Tags: Microsoft · Sentinel · Cloud SIEM · Threat Hunting

Microsoft Sentinel Threat Hunting — Queries, Notebooks & Hypothesis-Driven Hunts

Most SIEM teams wait for an alert. Great hunters go looking before the alert fires. This lesson covers every proactive layer in Microsoft Sentinel: built-in hunting queries mapped to MITRE ATT&CK, bookmarks, livestream monitoring, the Hunts workspace for hypothesis-driven campaigns, and Jupyter notebooks powered by MSTICPy for analytics that KQL alone cannot deliver.

📅 2026-06-20 · ⏱ 18 min read

⚡ Quick Answer

Master proactive threat hunting in Microsoft Sentinel (2026): hunting queries mapped to MITRE ATT&CK, bookmarks, livestream, hypothesis-driven hunts, and Jupyter notebooks with MSTICPy for advanced analytics.

🎯 Lesson outline (pick where you want to start)

1. Hunting queries: KQL queries mapped to MITRE ATT&CK tactics.
2. Bookmarks & livestream: save findings, monitor in real time.
3. Hypothesis hunts: structured campaigns with the Hunts workspace.
4. Jupyter & MSTICPy: notebooks for advanced analytics.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Are Sentinel hunting queries the same as analytics rules?

Answered in Hunting queries.

2. What does a bookmark do in a Sentinel hunt?

Answered in Bookmarks & livestream.

3. What is MSTICPy?

Answered in Jupyter & MSTICPy.

Most analysts think…

Most SOC analysts treat Microsoft Sentinel as a passive system — wait for an alert, investigate, close the ticket. That is reactive security, and advanced adversaries are counting on it.

Microsoft Sentinel has a full proactive hunting layer: hundreds of built-in KQL queries aligned to MITRE ATT&CK, a bookmark system to save suspicious rows, a livestream that watches for a threat indicator in real time, a structured Hunts workspace for hypothesis-driven campaigns, and Jupyter notebooks backed by MSTICPy for analytics that reach beyond what a query in the Hunting blade returns: custom models, threat-intel and geolocation enrichment, interactive timelines. Understanding every layer is what separates a reactive analyst from a proactive hunter.

① Hunting queries — KQL mapped to MITRE ATT&CK

The Hunting blade in the Microsoft Sentinel portal is home to a library of built-in KQL queries — each tagged with a MITRE ATT&CK tactic and technique. You can filter by tactic (Reconnaissance, Persistence, Lateral Movement, Exfiltration, etc.) to focus your hunt on the behaviours most relevant to a threat you suspect or a recent threat-intel report. Each query ships with a description, a data-source tag and a MITRE mapping so you understand what behaviour it surfaces before you run it.

Beyond the built-in library you can write your own KQL hunting queries and save them to the workspace, tagging them with tactics and techniques so they filter alongside the built-in ones. A good query starts with a hypothesis: 'I believe an attacker has a foothold and is enumerating accounts.' The query operationalises that hypothesis, for example by looking for a burst of directory reads from a single service principal outside business hours. Those reads land in MicrosoftGraphActivityLogs (Microsoft Graph API calls); AuditLogs records directory changes, not reads, so choosing the right table is part of the hypothesis. You run the query, inspect results, and decide whether they warrant a bookmark or an incident.
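Here is that hypothesis written out as a saved custom hunting query. It is an added example for this lesson, not one of Sentinel's built-in queries, and it assumes the Microsoft Graph activity logs connector is enabled (table MicrosoftGraphActivityLogs, with the column names from that table's schema); the business-hours window, the IST offset and the volume thresholds are placeholders to tune against your own baseline.

```kql
// Hypothesis: a compromised service principal is enumerating the directory
// outside business hours.
// MITRE: Discovery (TA0007): Account Discovery, Cloud Account (T1087.004);
//        Permission Groups Discovery, Cloud Groups (T1069.003).
// Added example for this lesson. Table and columns follow the
// MicrosoftGraphActivityLogs schema; hours and thresholds are assumptions.
let lookback = 14d;
let business_start = 8;            // 08:00 local, assumption
let business_end = 19;             // 19:00 local, assumption
let tz_offset = 5h + 30m;          // TimeGenerated is UTC; shift to IST for this team
let directory_paths = dynamic(["/users", "/groups", "/servicePrincipals",
                               "/applications", "/directoryRoles", "/roleManagement"]);
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(lookback)
| where RequestMethod == "GET"
| where isnotempty(ServicePrincipalId) and isempty(UserId)   // app-only token, no signed-in user
| where RequestUri has_any (directory_paths)                  // directory read endpoints
| extend LocalHour = hourofday(TimeGenerated + tz_offset)
| extend OffHours = LocalHour < business_start or LocalHour >= business_end
| summarize Requests = count(),
            OffHoursRequests = countif(OffHours),
            DistinctUris = dcount(RequestUri),
            SourceIPs = make_set(IPAddress, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by ServicePrincipalId, AppId
| extend OffHoursRatio = round(todouble(OffHoursRequests) / Requests, 2)
| where OffHoursRequests >= 500 and OffHoursRatio >= 0.8   // tune against your own baseline
| order by OffHoursRequests desc
```

Every result row carries ServicePrincipalId, AppId and the source IP set, so a bookmarked row maps cleanly onto the Account and IP entity types; when you save it as a custom query, tag it with the Discovery tactic and T1087.004 so it sorts into the same tactic filter as the built-in library.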

Figure 1 — The Sentinel hunting loop
Hypothesize (form a testable theory) → Query (run KQL in the Hunting blade) → Bookmark (flag suspicious rows) → Investigate (entity graph and timeline) → Close or Escalate (incident or false positive). A proactive hunt follows the same five-step cycle regardless of whether it surfaces a clean finding or a confirmed incident.

Figure 2 — MITRE tactic wheel — Sentinel hunting
Hunting blade: KQL + MITRE tags, with spokes for Reconnaissance, Persistence, Lateral Movement, Exfiltration, Command & Control and Defense Evasion. Built-in hunting queries cover every major MITRE ATT&CK tactic; filter the blade by tactic to focus your campaign.

Tips for effective hunting queries: filter by tactic before you query

In an interview or a real hunt, always name the MITRE ATT&CK tactic that drives your query choice. 'I filtered the Hunting blade to Lateral Movement, found the wmic.exe abuse query, and ran it over 14 days of logs' is a far stronger answer than 'I ran some queries'.

Quick check · Q1 of 10 · Understand

What is the primary organisational axis for hunting queries in the Sentinel Hunting blade?

Answer: Hunting queries are grouped and filterable by MITRE ATT&CK tactic (e.g. Persistence, Lateral Movement, Exfiltration) and tagged with specific techniques, so analysts can focus a hunt on relevant adversary behaviours.
👉 So far: Hunting queries = manual KQL runs in the Hunting blade, grouped by MITRE ATT&CK tactic and technique — your first tool for proactive threat detection.

② Bookmarks and livestream — saving and watching in real time

Bookmarks are how you capture a suspicious query result row without immediately creating an incident. When a hunting query returns a row that looks anomalous, such as an unexpected outbound connection or a rare process parent-child pair, you select the row and choose Add bookmark. Bookmarks carry the query context, entity mappings, MITRE technique and your analyst notes forward. You can then promote a bookmark to a new incident, add it to an existing incident, or surface it in the investigation graph to connect it to other entities.

Livestream takes a hunting query and runs it continuously against incoming log data, alerting you the moment a match lands. It is real-time monitoring scoped to a specific hypothesis — ideal when you know a threat actor uses a particular tool or technique and you want an immediate signal if that behaviour appears. Unlike an analytics rule, a livestream is manual and temporary: you start it, watch it during the hunt session, and stop it when the hypothesis is resolved.

Together, bookmarks and livestream give you a workflow: run a query over historical data, bookmark suspicious rows, then flip on a livestream to catch new occurrences as they happen. Both feed the same Sentinel workspace so evidence stays in one place.

Key terms

🔍 Hunting query: A KQL query in the Sentinel Hunting blade, tagged with a MITRE ATT&CK tactic and technique, run manually by an analyst to surface suspicious behaviour over historical log data.

🔖 Bookmark: A saved pointer to a suspicious query result row. Bookmarks carry entity mappings, MITRE technique and analyst notes forward and can be promoted to incidents or added to existing investigations.

📡 Livestream: A real-time query monitor that runs a hunting query continuously against incoming log data and notifies the analyst the moment a new match lands; temporary, manual, hypothesis-scoped.

🐍 MSTICPy: Microsoft Threat Intelligence Center Python library for Sentinel notebooks: queries Log Analytics via KQL, enriches entities with threat intel and geolocation, detects anomalies, and renders interactive timelines.

Not bookmarking before closing the query tab

If you close a hunting query tab without bookmarking suspicious rows, the result set is gone. There is no auto-save of query results. Always bookmark first — even if you are 70% sure the row is benign — so you can revisit it from the Bookmarks view without re-running.

Quick check · Q2 of 10 · Apply

You spot a suspicious process parent-child pair in a hunting query result. What is the correct next step before creating an incident?

Answer: Bookmarking the suspicious row saves the entity mapping, MITRE context and your analyst notes so you can promote it to an incident or add it to an existing investigation without losing the query context.
👉 So far: Bookmarks save suspicious rows with entity context; livestream watches a hypothesis in real time — together they bridge historical hunting and live monitoring.

③ Hypothesis-driven hunts — the Hunts workspace

The Hunts feature (in the Threat Management section of the Sentinel portal) provides a structured workspace for running a full end-to-end threat hunting campaign. You create a Hunt by giving it a name, a hypothesis statement (e.g. 'Attacker is using living-off-the-land binaries for lateral movement after an initial phishing compromise'), and optionally linking it to a MITRE tactic or technique. The hypothesis state starts as Unknown and is moved to Validated or Invalidated as evidence accumulates; the hunt itself carries a separate status (for example New, Active, Closed) that tracks the campaign's lifecycle.

Inside a Hunt you add hunt queries — either from the built-in library or custom ones you wrote. As you run those queries and find suspicious rows you bookmark them directly into the Hunt, keeping all evidence together. The Hunts workspace tracks metrics: how many queries were run, how many bookmarks were taken, how many incidents were created from this campaign. This is the 'show your work' paper trail that threat hunting teams need for reporting and for MITRE coverage dashboards.

The workflow is: hypothesis → attach queries → run and bookmark → update hypothesis status → promote to incident if confirmed. When the hunt is closed, all bookmarks and the hypothesis record remain linked, so you can revisit or share the full investigation.

Figure 3 — Sentinel proactive hunting layers
Hunting queries (KQL queries mapped to MITRE ATT&CK tactics) → Bookmarks + livestream (save findings and watch in real time) → Hunts workspace (hypothesis-driven campaign with metrics) → Jupyter + MSTICPy (Python analytics, ML and enrichment). Each layer adds depth, from fast KQL queries to real-time livestream to structured hypothesis campaigns to Python-powered notebooks.

Priya at a Mumbai financial services firm faces this

The security team receives a threat-intel report: a ransomware group is using living-off-the-land binaries (LOLBins) — specifically wmic.exe and certutil.exe — for lateral movement. No Sentinel analytics rule currently fires for this behaviour.

Likely cause

The team has no structured hunting campaign; analysts run ad-hoc queries but findings are lost in personal notes and never linked to incidents.

Diagnosis

Open the Hunts workspace — there is no active hunt for this behaviour. Filter the Hunting blade by the Lateral Movement tactic: find built-in queries for wmic and certutil abuse. Running them shows process executions across several hosts in the past 14 days that look anomalous.

Where: Sentinel portal ▸ Threat Management ▸ Hunting, and Threat Management ▸ Hunts
Fix

Create a new Hunt: hypothesis = 'LOLBin lateral movement active after phishing'. Attach the wmic and certutil queries, run them, and bookmark suspicious rows into the Hunt (the hypothesis state stays Unknown until the rows have been checked). Promote the highest-confidence rows to a new incident for IR and set the hypothesis state to Validated. Start a Livestream for certutil.exe spawned by Office to catch new occurrences.

Verify

The Hunt workspace shows: 2 queries run, 7 bookmarks taken, 1 incident raised, hypothesis state = Validated. The Livestream notifies when a fresh certutil execution hits the ingestion pipeline, caught in real time.
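The queries Priya attaches come from the built-in library; the query below is an added example for this lesson that folds both LOLBins into one hunt query, so the hypothesis, the bookmarks and the Livestream all point at the same logic. It is not part of the page's original content and assumes Microsoft Defender for Endpoint is connected (DeviceProcessEvents table); the list of Office parent processes is an assumption to extend for your estate.

```kql
// Hunt: 'LOLBin lateral movement active after phishing'
// MITRE: Windows Management Instrumentation (T1047) used for lateral movement,
//        Ingress Tool Transfer (T1105), Deobfuscate/Decode Files (T1140),
//        Phishing: Spearphishing Attachment (T1566.001) for the Office-parent branch.
// Added example for this lesson; table and columns follow the DeviceProcessEvents schema.
let lookback = 14d;
let office_parents = dynamic(["winword.exe", "excel.exe", "powerpnt.exe",
                              "outlook.exe", "msaccess.exe"]);   // assumption, extend as needed
DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| where FileName in~ ("certutil.exe", "wmic.exe")
| extend Cmd = tolower(ProcessCommandLine), Parent = tolower(InitiatingProcessFileName)
| extend Reason = case(
    // certutil fetching or decoding a payload
    FileName =~ "certutil.exe" and Cmd has_any ("urlcache", "decode", "encode"),
        "certutil as downloader or decoder (T1105, T1140)",
    // wmic creating a process on a remote host
    FileName =~ "wmic.exe" and Cmd contains "/node:" and Cmd has "process" and Cmd has "create",
        "wmic remote process creation (T1047)",
    // either binary launched straight from an Office document
    Parent in (office_parents),
        "LOLBin spawned by an Office process (T1566.001 foothold)",
    "")
| where isnotempty(Reason)
| project TimeGenerated, DeviceName, AccountName, Parent, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine, Reason, ReportId
| order by TimeGenerated desc
```

Run it over the 14-day window first and bookmark the finance-host rows into the Hunt (DeviceName and AccountName map to the Host and Account entities). Once the hypothesis holds, start a Livestream on the same query so the Office-parent branch fires on new ingestion, and when the noise level is acceptable promote it to a scheduled analytics rule, which is the hand-off Q10 asks about.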

▶ Walkthrough: a LOLBin lateral-movement hypothesis becomes a confirmed incident

Step through how a structured hunt turns a threat-intel tip into a validated finding.

① Hypothesize: Priya reads a threat-intel report about certutil.exe abuse for lateral movement and creates a Hunt with the hypothesis statement in the Hunts workspace.
② Query + Bookmark: She attaches the built-in 'certutil.exe lateral movement' hunting query, runs it over 14 days, and bookmarks three suspicious process-execution rows from finance-server hosts.
③ Livestream: She starts a Livestream for certutil.exe spawned by a parent Office process, giving real-time monitoring while IR is engaged. A new match fires within the hour.
④ Confirm + Incident: The hypothesis state is updated to Validated. The three bookmarks are promoted to a single new incident, which the IR team picks up for containment.
Quick check · Q3 of 10 · Analyze

What distinguishes the Hunts workspace from simply running individual hunting queries?

Answer: The Hunts workspace groups a hypothesis statement, attached queries, bookmarks and metrics (queries run, bookmarks taken, incidents raised) into a single campaign, providing the paper trail and structure that individual ad-hoc queries lack.
👉 So far: The Hunts workspace structures a full campaign: hypothesis → attached queries → bookmarks → metrics → incident — creating the paper trail that ad-hoc queries never produce.

④ Jupyter notebooks and MSTICPy — analytics beyond KQL

Microsoft Sentinel integrates with Azure Machine Learning (AML) so you can launch a Jupyter notebook directly from the portal. Sentinel writes the Log Analytics workspace ID, tenant, subscription and resource-group details into a configuration file in the AML workspace; you still authenticate when the notebook connects. The notebook then reaches the same Log Analytics data through the MSTICPy library (Microsoft Threat Intelligence Center Python), which wraps KQL queries, entity enrichment, threat-intel lookups, and visualisation functions in Python.

MSTICPy adds layers that a query in the Hunting blade does not offer: ML and statistical models beyond KQL's native series_decompose_anomalies, geolocation and IP enrichment from MaxMind GeoLite or IPStack, WHOIS lookups, VirusTotal integration, interactive process-tree and timeline visualisations, and MITRE ATT&CK technique heatmaps across a Sentinel workspace. The MITRE Map notebook, for example, uses a language model to map free-text incident descriptions onto ATT&CK Enterprise techniques, which is useful for coverage-gap analysis.

When to use a notebook vs a KQL query

Figure 4 — KQL hunting query vs Jupyter notebook
KQL hunting query: fast, repeatable, scalable; built-in MITRE ATT&CK tagging; results bookmarkable to incidents; best for a broad sweep over logs.
Jupyter + MSTICPy notebook: Python ML and statistical models; external enrichment (threat intel, geolocation); interactive timelines and process trees; best for deep-dive, complex investigations.
Both use the same Sentinel workspace data, but they serve different investigative needs.
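One practical dividing line, shown as an added example rather than code from the page: KQL already ships time-series anomaly detection, so the first pass on 'is this account suddenly touching far more hosts than usual?' belongs in the Hunting blade, and you move to a notebook when you need a model KQL does not have, enrichment from outside the workspace, or a visual to walk the IR team through. The query assumes Windows security events are collected (SecurityEvent table, EventID 4624); the 2.5 anomaly threshold and the hourly bin are assumptions.

```kql
// Lateral movement signal: distinct hosts per account per hour, via network logons.
// MITRE: Lateral Movement (TA0008), Remote Services (T1021).
// Added example for this lesson; uses KQL's built-in series_decompose_anomalies,
// the point where a hunt can stay in KQL before reaching for a notebook.
let lookback = 14d;
let step_size = 1h;                                       // assumption: hourly bins
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624 and LogonType == 3               // successful network logon
| where AccountType == "User" and not(TargetUserName endswith "$")   // drop machine accounts
| make-series HostsTouched = dcount(Computer) default = 0
    on TimeGenerated from ago(lookback) to now() step step_size
    by TargetUserName
// Flag: +1 spike / -1 dip vs the seasonal baseline; -1 seasonality = auto-detect
| extend (Flag, Score, Baseline) = series_decompose_anomalies(HostsTouched, 2.5, -1, 'linefit')
| mv-expand TimeGenerated to typeof(datetime), HostsTouched to typeof(long),
            Flag to typeof(double), Score to typeof(double), Baseline to typeof(double)
| where Flag > 0                                          // keep only upward spikes
| project TimeGenerated, TargetUserName, HostsTouched,
          Baseline = round(Baseline, 1), Score = round(Score, 2)
| order by Score desc
```

Each flagged row is a bookmark candidate (TargetUserName maps to the Account entity). KQL runs out when you want to join that spike to the geolocation of the source IPs, feed the per-account series into a model of your own, or plot it alongside the process tree for the IR briefing; that is where MSTICPy picks up with the same workspace data.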
Test the notebook workspace connection first

Before writing any MSTICPy analytics, run the workspace connection cell and confirm it returns the expected Log Analytics workspace ID and row count. A misconfigured AML compute or stale token is the most common reason notebooks appear to run but silently return empty dataframes.

Quick check · Q4 of 10 · Evaluate

When should a Sentinel analyst use a Jupyter notebook with MSTICPy instead of a KQL hunting query?

Answer: Notebooks with MSTICPy are the deep-investigation layer, for ML anomaly detection, external API enrichment and complex visualisations. KQL queries remain the right tool for fast, scalable, repeatable hunts across large log volumes.
👉 So far: Jupyter notebooks with MSTICPy add Python ML, threat-intel enrichment, anomaly detection and interactive visuals to Sentinel data — the deep-investigation layer beyond KQL.


📝 Wrap-up assessment — six more

Four questions were answered inline; six remain. 70% (7 of 10) marks the lesson complete.

Q5 · Remember

Where do you find built-in hunting queries grouped by MITRE ATT&CK tactic in Microsoft Sentinel?

Answer: Built-in and custom hunting queries live in the Hunting blade (Threat Management ▸ Hunting). They are tagged with MITRE ATT&CK tactics and techniques and run manually by analysts, unlike analytics rules, which run automatically.
Q6 · Understand

A Sentinel bookmark automatically inherits which of the following from the query that produced it?

Answer: Bookmarks inherit the entity column mappings (Account, Host, IP, URL) and the MITRE ATT&CK technique tag from the hunting query that produced the result, so context is preserved when the bookmark is promoted to an incident.
Q7 · Apply

You need to immediately alert your team if a specific malware hash appears in endpoint logs while an investigation is in progress. Which Sentinel feature is most appropriate?

Answer: Livestream is designed for real-time monitoring of a specific indicator against incoming log data and notifies you immediately when a match lands, exactly right for 'tell me the moment this hash appears in new logs'.
Q8 · Analyze

A hunt campaign ends with hypothesis state Invalidated and zero bookmarks. What does this most likely mean?

Answer: Invalidated is a legitimate, valuable outcome: it means the queries ran, data was present, and the hypothesised behaviour was not found. This improves MITRE coverage confidence and is part of structured hunting methodology; the absence of evidence is itself a finding worth recording in the Hunt.
Q9 · Evaluate

Which scenario is the best fit for a Jupyter notebook with MSTICPy rather than a KQL hunting query?

Answer: Multi-step Python ML anomaly detection plus external enrichment (geolocation) and interactive visualisation is exactly the use case for MSTICPy notebooks. Quick log queries or creating detection rules are better done in KQL or the portal UI respectively.
Q10 · Evaluate

What is the strongest reason to promote a validated hunting query to a scheduled analytics rule?

Answer: Once a hunting query is validated against real data and confirmed to surface genuine threats with acceptable noise, converting it to a scheduled analytics rule means the detection runs automatically, with no manual hunting session required. This is the key workflow that connects proactive hunting to automated detection.

🧠 In your own words

Type one line: what is the difference between a Sentinel Livestream and a scheduled analytics rule? Then compare with the expert version.

Expert version: A scheduled analytics rule runs automatically on a set interval (e.g. every 5 minutes), evaluates a KQL query against a look-back window, and fires an alert or incident if conditions are met — all without analyst intervention. A Livestream is manually started by an analyst during an active hunt session to continuously monitor incoming log data for a specific indicator in real time; it does not create alerts or incidents automatically and stops when the analyst ends it. Rules are your automated, persistent detectors; Livestream is your real-time 'watch this while I'm hunting' tool.


📖 Glossary

Hunting query
A KQL query run manually in the Sentinel Hunting blade, tagged with a MITRE ATT&CK tactic and technique, used to proactively search for adversary behaviour in historical log data.
Bookmark
A saved pointer to a specific hunting query result row, carrying entity mappings, MITRE technique and analyst notes, which can be promoted to an incident or added to an investigation.
Livestream
A real-time query monitor in Sentinel that continuously evaluates a hunting query against incoming log data and alerts the analyst immediately when a new match lands.
Hunts workspace
A Sentinel feature that structures a threat-hunting campaign around a hypothesis, attached queries, bookmarks and outcome metrics (queries run, bookmarks taken, incidents raised).
MSTICPy
Microsoft Threat Intelligence Center Python library for Sentinel Jupyter notebooks, providing KQL data access, threat-intel enrichment, anomaly detection and interactive security visualisations.
MITRE ATT&CK
A globally-adopted adversary-behaviour framework. Tactics are adversary goals (e.g. Lateral Movement); techniques are specific methods to achieve them. Sentinel hunting queries are tagged with both.
Hypothesis
In the context of threat hunting, a testable theory about adversary behaviour (e.g. 'attacker is using LOLBins for lateral movement') that drives query selection and directs the hunt.
LOLBin
Living-Off-the-Land Binary: a legitimate, signed Windows binary (e.g. certutil.exe, wmic.exe) abused by attackers for actions such as downloading payloads or remote execution. Because the binary is trusted and its use blends in with ordinary administration, it slips past signature-based detection and has to be caught on behaviour (command line, parent process, timing).

📚 Sources

  1. Microsoft Learn — Hunting capabilities in Microsoft Sentinel. learn.microsoft.com/azure/sentinel/hunting
  2. Microsoft Learn — Conduct end-to-end threat hunting with Hunts in Microsoft Sentinel. learn.microsoft.com/azure/sentinel/hunts
  3. Microsoft Learn — Get started with Jupyter notebooks and MSTICPy in Microsoft Sentinel. learn.microsoft.com/azure/sentinel/notebook-get-started
  4. Microsoft Tech Community — Top 5 Microsoft Sentinel Queries for Threat Hunting. techcommunity.microsoft.com/blog/microsoftsentinelblog
  5. GitHub: Azure/Azure-Sentinel-Notebooks — MITRE Map notebook README. github.com/Azure/Azure-Sentinel-Notebooks
  6. Microsoft Learn — Perform threat hunting in Microsoft Sentinel (SC-200 training path). learn.microsoft.com/training/paths/sc-200-perform-threat-hunting-azure-sentinel

What's next?

Got hunting covered? Next, go deep on Microsoft Sentinel analytics rules — scheduled, ML-based Fusion, anomaly, and NRT rules — to turn hunt findings into automated detections.