7.5 Hunting, KQL Awareness, and Notebooks
Key Takeaways
- Hunting is the proactive Sentinel concept for searching for suspicious activity.
- SC-900 requires KQL awareness, not expert query writing.
- Notebooks support deeper investigation and analysis scenarios in the Sentinel chapter plan.
- Hunting differs from analytics rules because it is analyst-driven exploration.
Hunting Is Proactive Investigation
Hunting in Microsoft Sentinel is the concept to choose when a question says analysts want to proactively search for suspicious activity. The chapter plan also calls out Kusto Query Language (KQL) awareness and notebooks. For SC-900, that means you should know the terms and their general role without trying to become a query author during fundamentals study.
Hunting is different from waiting for an analytics rule to identify a pattern. Analytics rules represent defined detection logic. Hunting represents active exploration by a security team. The team may be looking for weak signals, unusual behavior, or activity that deserves a closer look. Both depend on available data, and both support investigation, but they begin from different operating modes.
| Concept | How to recognize it | SC-900 expectation |
|---|---|---|
| Hunting | Proactive search through security data | Know the purpose |
| KQL | Query awareness for searching and filtering data | Recognize the term |
| Notebook | Deeper investigation or analysis workspace concept | Match to investigation support |
| Analytics rule | Defined detection approach | Separate from hunting |
KQL awareness is important because hunting questions may mention query-based search. You do not need to memorize operators for this guide. Instead, remember that KQL is associated with expressing searches over data in the Sentinel investigation context. If the prompt asks for a user interface to manage sensitivity labels or retention labels, KQL awareness is not the point.
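To make the hunting idea concrete without turning it into a query-writing exercise, here is an added illustrative KQL hunting query (not from this guide, and not something SC-900 asks you to author); it assumes the standard Sentinel SigninLogs table, and the threshold of three locations is a constructed value, not a recommended one.

```kusto
// Added example: an analyst-driven hunt for "weak signals" rather than a
// predefined detection. It asks an open question: which users signed in
// successfully from an unusually wide spread of locations this week?
SigninLogs
| where TimeGenerated > ago(7d)
// ResultType is stored as a string; "0" means the sign-in succeeded
| where ResultType == "0"
| summarize
    SigninCount = count(),
    Locations   = make_set(Location),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
  by UserPrincipalName
// Constructed threshold for illustration only; a real hunt would tune this
| where array_length(Locations) > 3
| order by array_length(Locations) desc, SigninCount desc
```

The same logic could later be saved as an analytics rule, which is the transition the section describes: the hunt is exploratory, and only once a pattern is understood does it become defined detection logic.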
Notebooks are also an investigation support concept. In a fundamentals question, notebooks should make you think of deeper analysis rather than routine identity governance or compliance scoring. They sit near hunting in your mental model because both are about investigation and analysis after data has been made available.
Use these scenario cues:
- Proactively search for suspicious activity means hunting.
- Query security data during investigation means KQL awareness.
- Analyze investigation data in a richer workspace means notebooks.
- Automatically detect a known pattern means analytics rules.
- Automatically coordinate response steps means automation rules or playbooks.
This is a topic where overstudying can waste time. SC-900 is a fundamentals exam, so the skill is recognizing Sentinel vocabulary and choosing the correct Microsoft product. Know that hunting, KQL awareness, and notebooks belong to the Sentinel security operations story, then move on to product-matching practice.
Hunting Decision Check
Hunting scenarios are active investigation scenarios. The analyst is not simply waiting for a dashboard or a predefined detection to speak first. KQL awareness and notebooks belong near this idea because both support deeper exploration of available security data in the Sentinel chapter plan.
- Proactive search means hunting.
- Query awareness means KQL.
- Deeper investigation support can point to notebooks.
Which Microsoft Sentinel concept best matches proactive searching for suspicious activity?
What is the right SC-900 expectation for KQL in the Sentinel chapter?
How is hunting different from a Sentinel analytics rule?