7.5 Hunting, KQL Awareness, and Notebooks

Key Takeaways

  • Hunting is proactive, hypothesis-driven searching for threats that no analytics rule has detected yet.
  • Sentinel ships hunting queries mapped to the MITRE ATT&CK framework's tactics and techniques.
  • Kusto Query Language (KQL) is the read-only query language behind analytics rules, hunting, and workbooks.
  • Bookmarks preserve interesting hunting findings; livestream watches for activity in near real time.
  • Jupyter notebooks extend hunting with advanced analysis, ML, and external data via the Sentinel API.

Last updated: June 2026

Hunting Is Proactive Threat Searching

Hunting is Microsoft Sentinel's proactive, hypothesis-driven search for threats that analytics rules have not flagged. Instead of waiting for an alert, an analyst forms a hypothesis ("could an attacker be using this technique?") and runs queries across the ingested data to look for weak signals, unusual behavior, or evidence of compromise. It is the opposite operating mode from automated detection: analytics rules wait and fire; hunting goes looking.

Sentinel ships with built-in hunting queries that are mapped to the MITRE ATT&CK framework — the industry knowledge base of adversary tactics (the why, e.g., Persistence, Lateral Movement) and techniques (the how). This mapping lets a SOC hunt systematically across the attack lifecycle and spot coverage gaps. When a prompt mentions MITRE ATT&CK tactics/techniques in a Sentinel context, hunting is the associated feature.

Several hunting tools support the workflow:

Tool            | Role in hunting
Hunting queries | Prebuilt and custom KQL searches, many mapped to MITRE ATT&CK
Bookmarks       | Save interesting query results to revisit, share, or promote to an incident
Livestream      | Run a query continuously to watch for matching activity in near real time
Notebooks       | Jupyter notebooks for advanced, programmatic investigation

The payoff of a successful hunt is often a new analytics rule: once an analyst confirms a meaningful pattern by hunting, they can codify it as a scheduled rule so future occurrences are detected automatically. That hunt-to-rule loop is a clean way to remember how hunting and detection relate.

KQL and Notebooks at the Fundamentals Level

Kusto Query Language (KQL) is the read-only query language used throughout Sentinel and Azure Monitor. Analytics rules, hunting queries, and workbooks all express their logic in KQL. SC-900 calls for KQL awareness, not authoring: recognize that KQL is how you search and filter ingested security data, and that it is the common language tying detection, hunting, and visualization together. You will not need to know operators or syntax.

Notebooks in Sentinel are Jupyter notebooks that extend investigation beyond what the portal UI offers. They combine live code, queries, and narrative text, and they can pull Sentinel data through its API, bring in external or threat-intelligence data, and apply machine learning or custom visualizations. Notebooks suit deeper, repeatable, or data-science-style hunts. For a fundamentals question, notebooks should make you think of advanced investigation and analysis, sitting next to hunting in your mental model.

Use these scenario cues:

  • Proactively search for undetected threats -> hunting.
  • Map searches to adversary tactics and techniques -> hunting with MITRE ATT&CK.
  • Query and filter ingested security data -> KQL.
  • Advanced or programmatic investigation with external data and ML -> notebooks.
  • Automatically detect a known pattern -> analytics rule (not hunting).

Concept        | Mode                 | SC-900 expectation
Hunting        | Proactive, manual    | Know its purpose and the MITRE ATT&CK link
KQL            | Query language       | Recognize it; no syntax required
Notebook       | Advanced analysis    | Match to deep investigation support
Analytics rule | Automated detection  | Keep distinct from hunting

This is a topic where overstudying wastes time. SC-900 is a fundamentals exam, so the skill is recognizing the vocabulary: hunting is proactive, KQL is the query language, notebooks add advanced analysis, and all three live inside Microsoft Sentinel's SIEM/SOAR story. Avoid sending a labels, retention, or access-review prompt here — those belong to Purview and Entra.

Why Proactive Hunting Matters and How MITRE ATT&CK Organizes It

Automated detection can only catch what someone has already taught it to recognize. Threat hunting exists to find the rest — novel techniques, slow and low activity, and attacker behavior that stays under the threshold of any single analytics rule. A hunter starts from a hypothesis grounded in adversary tradecraft, for example, "if an attacker had compromised an account, I would expect to see unusual remote service creation," and then runs queries to confirm or rule it out. The mindset is investigative and iterative rather than reactive, which is exactly why SC-900 contrasts it with rule-based detection.

The MITRE ATT&CK framework gives this work structure. It catalogs how real adversaries operate across tactics — the attacker's tactical goals such as Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, and Exfiltration — and the specific techniques used to achieve each one. Sentinel tags its built-in hunting queries (and many analytics rules) with the ATT&CK tactics and techniques they relate to.

This lets a SOC view its detection and hunting coverage across the attack lifecycle, spot stages where it is blind, and prioritize new hunts and rules to close those gaps.

MITRE ATT&CK term | Meaning                                          | Example
Tactic            | The attacker's goal at a stage                   | Lateral Movement
Technique         | How the goal is achieved                         | Use of remote services
Coverage mapping  | Which tactics/techniques you can detect or hunt  | Finds blind spots

When a hunt confirms a real pattern, the analyst typically promotes a bookmark to an incident for investigation and converts the successful query into a scheduled analytics rule so the behavior is detected automatically next time. That hunt-to-rule loop, plus livestream for watching emerging activity and notebooks for deep analysis, is the complete picture. For SC-900, hold onto the essentials: hunting is proactive and hypothesis-driven, it is organized by MITRE ATT&CK, it uses KQL, and notebooks extend it — recognizing these roles is all the exam requires.
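The "unusual remote service creation" hypothesis above, carried through as a KQL hunting query and then reused as the body of a scheduled analytics rule, as an added example (not from this page or from Microsoft's built-in content). It assumes Windows Security events are ingested into the SecurityEvent table and that event ID 4697 ("A service was installed in the system") is being collected; the 14-day baseline and 1-day window are illustrative values.

```kql
// Hypothesis (Lateral Movement / Persistence): a compromised account is installing
// services on hosts it has never touched before.
// Assumption: Windows Security event 4697 is collected into SecurityEvent.
let lookback = 14d;   // baseline period
let window   = 1d;    // period under investigation
// Baseline: every account/host pair that installed a service during the prior two weeks
let baseline = SecurityEvent
    | where TimeGenerated between (ago(lookback) .. ago(window))
    | where EventID == 4697
    | distinct Account, Computer;
// Candidate findings: service installs in the last day by a pair absent from the baseline
SecurityEvent
| where TimeGenerated > ago(window)
| where EventID == 4697
| join kind=leftanti baseline on Account, Computer
| summarize InstallCount = count(),
            Services     = make_set(ServiceName),
            Binaries     = make_set(ServiceFileName),
            FirstSeen    = min(TimeGenerated)
          by Account, Computer
| order by InstallCount desc
// Hunt-to-rule: once a hunter confirms the pattern, this same query becomes a scheduled
// analytics rule (run daily over a 1-day lookup), with Account and Computer mapped to the
// rule's Account and Host entities so each hit lands in an incident automatically.
```

Rows returned are the hunter's bookmark candidates; rows that recur after review are what the scheduled rule would raise as alerts.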

Test Your Knowledge

Which Microsoft Sentinel capability is proactive, analyst-driven searching for threats that no analytics rule has detected?

Test Your Knowledge

Sentinel's built-in hunting queries are mapped to which industry framework of adversary tactics and techniques?

Test Your Knowledge

What is the correct SC-900-level understanding of KQL in Sentinel?

Test Your Knowledge

Which Sentinel feature uses Jupyter notebooks for advanced, programmatic investigation that can incorporate machine learning and external data?
