Commit 46e135d

Merge pull request #2011 from MicrosoftDocs/gary-fix-links-2
Gary fix links 2
2 parents 5592382 + 17c6a22 commit 46e135d

1 file changed

+3
-3
lines changed

unified-secops-platform/hunting-overview.md

Lines changed: 3 additions & 3 deletions
@@ -43,8 +43,8 @@ Maximize the full extent of your team's hunting prowess with the following hunti
4343
|[**Livestream**](/azure/sentinel/livestream) | Start an interactive hunting session and use any Log Analytics query. |
4444
|[**Hunting with summary rules**](/azure/sentinel/summary-rules#quickly-find-a-malicious-ip-address-in-your-network-traffic) | Use summary rules to save costs hunting for threats in verbose logs.|
4545
|[**MITRE ATT&CK map**](/azure/sentinel/mitre-coverage#use-the-mitre-attck-framework-in-analytics-rules-and-incidents) | When creating a new hunting query, select specific tactics and techniques to apply.|
46-
|[**Restore historical data**](/sentinel/restore) | Restore data from archived logs to use in high performing queries. |
47-
|[**Search large data sets**](/sentinel/search-jobs?tabs=defender-portal) | Search for specific events in logs up to seven years ago using KQL. |
46+
|[**Restore historical data**](/azure/sentinel/restore) | Restore data from archived logs to use in high performing queries. |
47+
|[**Search large data sets**](/azure/sentinel/search-jobs?tabs=defender-portal) | Search for specific events in logs up to seven years ago using KQL. |
4848
|[**Infrastructure chaining**](/defender/threat-intelligence/infrastructure-chaining) | Hunt for new connections between threat actors, group similar attack activity and substantiate assumptions.|
4949
|[**Threat explorer**](/defender-office-365/threat-explorer-threat-hunting) | Hunt for specialized threats related to email. |
5050
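Review bot: the corrected Restore historical data and Search large data sets rows now carry the same `/azure/sentinel/` prefix as the other Sentinel links in this table (`/azure/sentinel/livestream`, `/azure/sentinel/summary-rules`, `/azure/sentinel/mitre-coverage`), and the `?tabs=defender-portal` query string on the search-jobs link survives the change, so the hunk is consistent with its surroundings. While these two rows are being touched, `high performing queries` in the Restore row should be hyphenated as `high-performing queries`, since it is used as a compound adjective.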

@@ -56,7 +56,7 @@ The following table describes how you can make the most of the Defender portal's
5656
| --- | --- |
5757
| **Proactive** - Find the weak areas in your environment before threat actors do. Detect suspicious activity extra early. | - Regularly conduct end-to-end [hunts](/azure/sentinel/hunts) to proactively seek out undetected threats and malicious behaviors, validate hypotheses, and act on findings by creating new detections, incidents, or threat intelligence.<br><br> - Use the [MITRE ATT&CK map](/azure/sentinel/mitre-coverage#use-the-mitre-attck-framework-in-analytics-rules-and-incidents) to identify detection gaps, and then run predefined hunting queries for highlighted techniques.<br><br> - Insert new threat intelligence into proven queries to tune detections and confirm if a compromise is in process.<br><br> - Take proactive steps to build and test queries against data from new or updated sources.<br><br> - Use [advanced hunting](/defender-xdr/advanced-hunting-microsoft-defender) to find early-stage attacks or threats that don't have alerts. |
5858
| **Reactive** - Use hunting tools during an active investigation. | - Use [livestream](/azure/sentinel/livestream) to run specific queries at consistent intervals to actively monitor events.<br><br> - Quickly pivot on incidents with the [**Go hunt**](/defender-xdr/advanced-hunting-go-hunt) button to search broadly for suspicious entities found during an investigation.<br><br> - Hunt through threat intelligence to perform [infrastructure chaining](/defender/threat-intelligence/infrastructure-chaining).<br><br> - Use [Security Copilot in advanced hunting](/defender-xdr/advanced-hunting-security-copilot) to generate queries at machine speed and scale. |
59-
| **Post incident** - Improve coverage and insights to prevent similar incidents from recurring. | - Turn successful hunting queries into new [analytics and detection rules](/azure/sentinel/threat-detection), or refine existing ones.<br><br> - [Restore historical data](/sentinel/restore) and [search large datasets](/sentinel/search-jobs?tabs=defender-portal) for specialized hunting as part of full incident investigations. |
59+
| **Post incident** - Improve coverage and insights to prevent similar incidents from recurring. | - Turn successful hunting queries into new [analytics and detection rules](/azure/sentinel/threat-detection), or refine existing ones.<br><br> - [Restore historical data](/azure/sentinel/restore) and [search large datasets](/azure/sentinel/search-jobs?tabs=defender-portal) for specialized hunting as part of full incident investigations. |
6060

6161

6262
## Related content
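Review bot: the Post incident row now resolves `restore` and `search-jobs` under `/azure/sentinel/`, matching the hunting-tools table earlier in the same file, so the two places this page links those topics agree after the change. Two style points in the unchanged text of this row: the row label is used adjectivally and should read **Post-incident**, and the link text `search large datasets` should match the spelling used in the table above (`Search large data sets`) so the same feature is not named two ways on one page.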