L13. Workbooks and Threat Hunting
Sentinel workbooks visualize security data, and threat hunting enables proactive searches for undetected threats. This lesson covers workbook creation, hunting queries, livestream, and notebooks for the SC-200 exam.
Workbooks
Sentinel workbooks are interactive dashboards built on Azure Monitor Workbooks. They visualize security data using KQL queries and support:
- Time range selectors and parameter dropdowns
- Charts, tables, grids, and heatmaps
- Drill-down from summary to detail views
- Cross-resource queries (multiple workspaces)
Common built-in workbooks:
| Workbook | Purpose |
|---|---|
| Security Operations Efficiency | SOC metrics: MTTR, incident volume, analyst workload |
| Azure AD Sign-in Logs | Authentication patterns, failed sign-ins, risky users |
| Microsoft Defender for Endpoint | Device health, alert trends, investigation metrics |
| Data Collection Health | Connector status, ingestion volumes, anomalies |
| Insecure Protocols | Legacy protocol usage (NTLM, SMBv1, unencrypted LDAP) |
Creating Custom Workbooks
Custom workbooks let you build visualizations specific to your environment:
- Navigate to Sentinel > Workbooks > Add workbook
- Add a query step with your KQL query
- Choose a visualization type (bar chart, pie chart, grid, tile)
- Add parameters for interactivity (time range, subscription, workspace)
- Save and pin to your dashboard
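The query step in that procedure is where most of the work happens. The following KQL is an added example for this lesson (not a query shipped with Sentinel): a failed sign-in trend that binds to the workbook's own parameters. It assumes the Microsoft Entra ID (Azure AD) connector populates `SigninLogs`, that the workbook has a time range parameter named `TimeRange`, and that a hypothetical text parameter named `UserFilter` (default empty) was added in the parameters step for drilling into one account.

```kql
// Added example: failed sign-ins over time, parameterised for a custom workbook.
// {TimeRange} is the workbook time range parameter and expands to a TimeGenerated filter;
// {TimeRange:grain} is the bin size the picker suggests for the selected window.
// {UserFilter} is an assumed text parameter; an empty value means "all users".
SigninLogs
| where TimeGenerated {TimeRange}
| where ResultType != "0"                     // ResultType "0" is success; anything else is a failure code
| where isempty("{UserFilter}") or UserPrincipalName =~ "{UserFilter}"
| summarize FailedSignins = count(), DistinctIPs = dcount(IPAddress)
    by bin(TimeGenerated, {TimeRange:grain}), ResultDescription
| order by TimeGenerated asc
| render timechart
```

Render this step as a time chart with `ResultDescription` as the series, then add a second grid step that reuses the same `{UserFilter}` so a click in the chart can be carried through to the detail view. Because workbooks substitute parameters as plain text, keep the quotes around `"{UserFilter}"`; without them an empty parameter produces a syntax error instead of an empty string.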
Threat Hunting
Threat hunting is the proactive search for threats that evade existing detections. Sentinel provides a dedicated Hunting blade with:
- Built-in hunting queries: Pre-built queries organized by MITRE ATT&CK tactic
- Custom queries: Your own KQL-based hunting queries
- Livestream: Real-time query monitoring that alerts when results appear
- Bookmarks: Save interesting results as evidence (attachable to incidents)
The Hunting Workflow
- Hypothesis: Form a hypothesis based on threat intelligence, industry reports, or anomalies
- Query: Run hunting queries against relevant data tables
- Analyze: Review results and separate genuinely suspicious activity from benign noise
- Bookmark: Save interesting findings as bookmarks
- Escalate: Create an incident from bookmarks or attach to existing incidents
- Improve: Convert validated hunting queries into analytics rules for future detection
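The workflow above, carried through one hypothesis, as an added example written for this lesson rather than one of Sentinel's built-in hunting queries. Hypothesis: an attacker delivering a malicious Office document will spawn PowerShell with an encoded command from the Office process (Execution, T1059.001). The query assumes the Microsoft Defender for Endpoint connector populates `DeviceProcessEvents`; the seven-day lookback and the parent process list are assumptions to tune for your environment.

```kql
// Added example: hunt for encoded PowerShell launched by an Office parent process.
// MITRE ATT&CK: Execution / T1059.001 (PowerShell)
// Assumes DeviceProcessEvents from the Microsoft Defender for Endpoint connector.
let lookback = 7d;                                // assumed hunting window
let office_parents = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
// PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
// so match the prefix and capture the base64 blob rather than looking for one fixed flag.
let enc_flag = @"(?i)\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{20,})";
DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where InitiatingProcessFileName in~ (office_parents)
| extend EncodedBlob = extract(enc_flag, 1, ProcessCommandLine)
| where isnotempty(EncodedBlob)
// -EncodedCommand payloads are UTF-16LE. For ASCII content the decoded bytes are the
// characters interleaved with NUL padding, so stripping the NULs recovers readable text.
| extend DecodedCommand = replace_regex(base64_decode_tostring(EncodedBlob), @"\x00", "")
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName,
          ProcessCommandLine, DecodedCommand
| order by TimeGenerated desc
```

Run it from the Hunting blade, bookmark any row whose `DecodedCommand` fetches or executes remote content, and attach the bookmarks to a new or existing incident. Once the query has produced true positives with an acceptable noise level, use the blade's option to create an analytics rule from it so the same logic runs on a schedule instead of only when an analyst remembers to hunt.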
Livestream
Livestream runs a KQL query continuously and generates notifications when results appear. Use it for:
- Monitoring a specific threat indicator during an active incident
- Watching for a particular attack pattern in real time
- Tracking user activity during an investigation
Livestream sessions run for up to 30 days and surface notifications in the Azure portal. A Livestream query that proves useful can also be elevated directly to an analytics rule from the session.
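A Livestream query for the first of those uses, watching known indicators during an active incident, as an added example written for this lesson rather than a built-in Sentinel query. The IP addresses and domains are constructed placeholders (TEST-NET ranges and `.example` names); substitute the incident's real IOCs. It assumes the Defender for Endpoint, CEF (`CommonSecurityLog`) and DNS connectors; `union isfuzzy=true` lets the query run even where one of those tables is absent.

```kql
// Added example: Livestream watch for incident IOCs across endpoint, firewall and DNS data.
// IOC values below are constructed for the example, not real indicators.
let watch_ips = dynamic(["203.0.113.45", "198.51.100.7"]);
let watch_domains = dynamic(["bad-update.example", "cdn-sync.example"]);
union isfuzzy=true
  (DeviceNetworkEvents
    | where RemoteIP in (watch_ips) or RemoteUrl has_any (watch_domains)
    | project TimeGenerated, Source = "MDE", Host = DeviceName,
              Account = InitiatingProcessAccountName,
              Indicator = coalesce(RemoteUrl, RemoteIP),     // prefer the URL when both are present
              Detail = InitiatingProcessCommandLine),
  (CommonSecurityLog
    | where DestinationIP in (watch_ips) or RequestURL has_any (watch_domains)
    | project TimeGenerated, Source = DeviceVendor, Host = SourceHostName,
              Account = SourceUserName,
              Indicator = coalesce(RequestURL, DestinationIP),
              Detail = DeviceAction),                        // e.g. allow/deny from the firewall
  (DnsEvents
    | where Name has_any (watch_domains)
    | project TimeGenerated, Source = "DNS", Host = Computer, Account = "",
              Indicator = Name, Detail = tostring(QueryType))
| order by TimeGenerated desc
```

Each branch projects the same five columns so the union stays flat, and the `Detail` column tells the responder whether the contact was blocked or allowed without a second query. Leave the time filter out: Livestream evaluates the query against newly arriving data and notifies on each new hit.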
Notebooks
Sentinel notebooks use Jupyter Notebooks integrated with Azure Machine Learning for advanced investigation:
- MSTICPy library: Microsoft's Python library for security investigation with functions for enrichment, visualization, and analysis
- Pre-built notebooks: Available in the Content Hub for common investigation scenarios
- Custom notebooks: Build your own using Python, KQL, and the Microsoft Graph API
Notebooks are used for:
- Complex data analysis requiring Python libraries
- Machine learning-based anomaly detection
- Automated report generation
- Advanced threat intelligence correlation
MITRE ATT&CK Coverage
The MITRE ATT&CK blade in Sentinel shows which tactics and techniques your analytics rules and hunting queries cover. Use it to identify detection gaps and prioritize new rule development.
- ✓ Workbooks visualize data but do not trigger alerts. Use analytics rules for detection.
- ✓ Validated hunting queries should be promoted to scheduled analytics rules for continuous detection.
- ✓ Bookmarks save hunting query results as evidence and can be attached to incidents.
- ✓ Livestream runs KQL queries continuously for up to 30 days with real-time notifications.
- ✓ Notebooks use the MSTICPy Python library for advanced investigation beyond standard KQL.
- ✓ The MITRE ATT&CK blade identifies detection gaps across tactics and techniques.
1. An analyst validates a hunting query that reliably detects a specific attack technique. What is the recommended next step?
2. An analyst needs to monitor for a specific IOC in real time during an active investigation. Which Sentinel feature should they use?
3. Which Python library does Microsoft provide for advanced security investigation in Sentinel notebooks?