{"id":122104,"date":"2022-09-21T09:00:00","date_gmt":"2022-09-21T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=122104"},"modified":"2023-06-19T10:22:11","modified_gmt":"2023-06-19T17:22:11","slug":"the-art-and-science-behind-microsoft-threat-hunting-part-2","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/","title":{"rendered":"The art and science behind Microsoft threat hunting: Part 2"},"content":{"rendered":"\n<p>We discussed Microsoft Detection and Response Team\u2019s (DART) threat hunting principles in part 1 of The art and science behind Microsoft threat hunting blog series. In this follow-up post, we will talk about some general hunting strategies, frameworks, tools, and how <a href=\"https:\/\/www.microsoft.com\/security\/business\/services\/microsoft-security-services-incident-response\">Microsoft incident responders<\/a> work with threat intelligence.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">General hunting strategies<\/h2>\n\n\n\n<p>In DART, we follow a set of threat hunting strategies when our analysts start their investigations. These strategies serve as catalysts for our analysts to conduct deeper investigations. For the purposes of this blog, we are listing these strategies under the assumption that a compromise has been confirmed in the customer\u2019s environment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Starting with IOCs (\u201cknown bads\u201d)<\/h3>\n\n\n\n<p>An incident response investigation is more manageable when you start off with an initial indicator of compromise (IOC) trigger, or a \u201cknown bad,\u201d to take you to any additional findings. We typically begin with data reduction techniques to limit the data we\u2019re looking at. One example is data stacking, which helps us filter and sort out forensic artifacts by indicator across the enterprise environment until we\u2019ve determined that several machines across the same environment have been confirmed with that same IOC trigger. We then enter the hunting flow and rinse and repeat this process.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1006\" height=\"785\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Picture1.jpg\" alt=\"Diagram explaining the threat hunting cycle.\" class=\"wp-image-122110\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Picture1.jpg 1006w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Picture1-300x234.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Picture1-768x599.jpg 768w\" sizes=\"(max-width: 1006px) 100vw, 1006px\" \/><\/figure>\n\n\n\n<p><em>Figure 1: The hunting cycle starts with hunting for indicators or \u201cknown bads,\u201d ranging from the smallest unit of indicators to behavioral indicators that may define the actor.<\/em><\/p>\n\n\n\n<p>Types of indicators can be classified into:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Atomic<\/strong>\u2014The smallest unit. For example, IP addresses, domain names, email addresses, and file names.<\/li>\n\n\n\n<li><strong>Computed<\/strong>\u2014Match multiple atomic indicators. For example, hashes and regular expressions.<\/li>\n\n\n\n<li><strong>Behavioral<\/strong>\u2014Patterns of adversary actions. For example, tactics, techniques, and procedures (TTPs) and demonstrated actor preferences (such as file paths, usernames, and tools).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quick wins<\/h3>\n\n\n\n<p>Unfortunately, not everything we start out with is interrelated with the trigger IOC. Another hunting strategy we employ is to look for quick wins; in other words, looking for indicators of typical adversary behavior present in a customer environment. Some examples of quick wins include typical actor techniques, actor specific TTPs, known threats, and verified IOCs. Identifying our quick wins is the most impactful to the customer, as it helps us formulate our attack narrative while guiding customers to keep the actor away from the environment.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"645\" height=\"342\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Picture2.jpg\" alt=\"Pyramid diagram that shows quick wins for incident response investigation.\" class=\"wp-image-122113\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Picture2.jpg 645w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Picture2-300x159.jpg 300w\" sizes=\"(max-width: 645px) 100vw, 645px\" \/><\/figure>\n\n\n\n<p><em>Figure 2: Hunting order of operations.<\/em><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Anomaly-based hunting<\/h3>\n\n\n\n<p>If you\u2019re out of leads, another strategy to employ is pivoting to hunting for anomalies, which draws on information derived from our \u201cknown bads\u201d and quick wins. We discussed anomalies in the <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/08\/part-1-the-art-and-science-of-threat-hunting\/\">first part of this series<\/a> as part of understanding the customer data. Some techniques:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Define baselines<\/strong>. Perform baseline comparisons for your dataset. Determine the usual versus the unusual in an environment.<\/li>\n\n\n\n<li><strong>Summarize your data and occurrences<\/strong> and sort by indicator to find the outliers.<\/li>\n\n\n\n<li><strong>Clean the output<\/strong>. We recommend formatting your data in favor of efficiency and accuracy to make the outliers and anomalies stand out.<\/li>\n<\/ul>\n\n\n\n<p>Pure anomaly-based hunting may be performed concurrently with other hunting strategies on a customer engagement, depending on the data we\u2019re presented. This method is incredibly nuanced and requires seasoned experts to verify whether data patterns may encompass normal or \u201cabnormal\u201d behavior. This prevalence checking and data science approach is the most time consuming but can bear some of the most interesting evidence in an investigation. Case in point, we can detect new advanced persistent threat (APT) actor groups and campaigns with anomaly hunting, while they are rarely detected just by searching for the \u201cknown bads.\u201c<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Tying it all together: The attack narrative<\/h3>\n\n\n\n<p>Stringing together our patterns of anomalous activity, factual data from quick wins, and analytical opinions must conclude with an attack narrative. In an incident response investigation, the <a href=\"https:\/\/attack.mitre.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE ATT&amp;CK<\/a> framework serves as a foundation for adversary tactics and techniques based on real-world observations.<\/p>\n\n\n\n<p>The MITRE framework helps us ensure that that we\u2019re looking at our hypothesis in a structured manner to enable us to tell a cohesive narrative to the customer that is rooted in our analysis. We aim to answer questions such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>How did the attacker gain access?<\/li>\n\n\n\n<li>What did they do once inside?<\/li>\n\n\n\n<li>Which accounts did they use?<\/li>\n\n\n\n<li>Which systems did they access?<\/li>\n\n\n\n<li>How and where did they persist?<\/li>\n\n\n\n<li>Was any data accessed or exfiltrated?<\/li>\n\n\n\n<li>And, most importantly, are they still in the environment?<\/li>\n<\/ul>\n\n\n\n<p>Additionally, we want to answer questions surrounding threat actor intent to help tell a better story and build better defenses. Some common attack patterns from the MITRE framework are listed in Table 1.<\/p>\n\n\n\n<div style=\"height:54px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th class=\"has-text-align-left\" data-align=\"left\">Tactic<\/th><th class=\"has-text-align-left\" data-align=\"left\">Techniques<\/th><\/tr><\/thead><tbody><tr><td class=\"has-text-align-left\" data-align=\"left\">Initial access<\/td><td class=\"has-text-align-left\" data-align=\"left\">Phishing files<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">Execution<\/td><td class=\"has-text-align-left\" data-align=\"left\">PowerShell and service execution<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">Persistence<\/td><td class=\"has-text-align-left\" data-align=\"left\">Services installations, webshells, scheduled tasks, registry run keys<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">Defense evasion<\/td><td class=\"has-text-align-left\" data-align=\"left\">Masquerading, obfuscation, Background Intelligent Transfer Service (BITS) jobs, signed executables<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">Credential access<\/td><td class=\"has-text-align-left\" data-align=\"left\">Brute forcing, credential dumping<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">Discovery<\/td><td class=\"has-text-align-left\" data-align=\"left\">Network share enumeration<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">Lateral movement<\/td><td class=\"has-text-align-left\" data-align=\"left\">Overpass the hash, WinRM<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">Collection<\/td><td class=\"has-text-align-left\" data-align=\"left\">Data staging<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">Command and control<\/td><td class=\"has-text-align-left\" data-align=\"left\">Un\/commonly used ports<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">Exfiltration<\/td><td class=\"has-text-align-left\" data-align=\"left\">Data compression<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">Impact<\/td><td class=\"has-text-align-left\" data-align=\"left\">Data encrypted for impact<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><em>Table 1: Common attack patterns from MITRE.<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Threat hunting tools and methodology<\/h2>\n\n\n\n<p>To ensure maximum visibility of the attack chain, hunters use data sourced from proprietary incident response tooling for <strong>point-in-time deep scanning<\/strong> on endpoints, as well as bespoke forensic triage tools on devices of interest.<\/p>\n\n\n\n<p>For point-in-time deep scanning, DART uses:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Proprietary incident response tooling for Windows and Linux.<\/li>\n\n\n\n<li>Forensic triage tool on devices of interest.<\/li>\n\n\n\n<li><a href=\"https:\/\/azure.microsoft.com\/services\/active-directory\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Azure Active Directory<\/a>&nbsp;(Azure AD) security and configuration assessment.<\/li>\n<\/ul>\n\n\n\n<p>For continuous monitoring:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/azure.microsoft.com\/services\/microsoft-sentinel\/\">Microsoft Sentinel<\/a>\u2014Provides centralized source of event logging. Uses machine learning and artificial intelligence.<\/li>\n\n\n\n<li><a href=\"https:\/\/www.microsoft.com\/security\/business\/endpoint-security\/microsoft-defender-endpoint\">Microsoft Defender for Endpoint<\/a>\u2014For behavioral, process-level detection. Uses machine learning and artificial intelligence to quickly respond to threats while working side-by-side with third-party antivirus vendors.<\/li>\n\n\n\n<li><a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-defender-for-identity\">Microsoft Defender for Identity<\/a>\u2014For detection of common threats and analysis of authentication requests. It examines authentication requests to Azure AD from all operating systems and uses machine learning and artificial intelligence to quickly report many types of threats, such as pass-the-hash, golden and silver ticket, skeleton key, and many more.<\/li>\n\n\n\n<li><a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-defender-cloud-apps\">Microsoft Defender for Cloud Apps<\/a>\u2014Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"486\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Picture4-1024x486.jpg\" alt=\"Chart that explains the Microsoft products and services used for threat hunting and monitoring.\" class=\"wp-image-122134\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Picture4-1024x486.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Picture4-300x143.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Picture4-768x365.jpg 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Picture4.jpg 1080w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Figure 3 explains the products and services used to identify and monitor threats:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deep scan includes proprietary endpoint scanners such as ASEP, Fennec, LIFE, and FoX<\/li>\n\n\n\n<li>Enterprise data includes Active Directory Configuration and Antivirus logs.<\/li>\n\n\n\n<li>Global telemetry includes the Intelligent Security Graph, the largest sensor network in the world.<\/li>\n<\/ul>\n\n\n\n<p>Continuous monitoring includes the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Microsoft Defender for Office 365, which monitors spoofing impersonation, and content analysis.<\/li>\n\n\n\n<li>Microsoft Defender for Cloud Apps, which monitors app discovery, access management, and data loss prevention.<\/li>\n\n\n\n<li>Microsoft Defender for Endpoint, which monitors exploitation, installation, and command and control channel.<\/li>\n\n\n\n<li>Microsoft Defender for Identity, which monitors reconnaissance, lateral movement, and domain dominance.<\/li>\n\n\n\n<li>Microsoft 365 Defender, Microsoft Sentinel, and Microsoft Defender for Cloud, which include advanced hunting, alerting, and correlation across data sources.<\/li>\n<\/ul>\n\n\n\n<p>In addition, we work with internal threat intelligence teams, like the Microsoft Threat Intelligence Center (MSTIC), to provide details from our hands-on experience with customer environments and going toe-to-toe with the threat actors. The information collected from these experiences, in turn, provides a trail of evidence to help threat teams and services conduct enriched threat intelligence and security analytics to ensure the security of our customers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Contributing to threat intelligence innovation through openness and transparency<\/h2>\n\n\n\n<p>We give organizations and customers the visibility and relevance of security events by sharing our data from <a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-defender-threat-intelligence\">dynamic threat intelligence<\/a> and our continued collaboration with the MSTIC team. This collaboration has proven successful in instances where Microsoft Security teams have <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/03\/22\/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction\/#Detections\">actively tracked large-scale extortion campaigns targeted at multiple organizations<\/a>, resulting in an industry-wide effort to understand and track the threat actor\u2019s tactics and targets.<\/p>\n\n\n\n<p>The <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/10\/the-hunt-for-nobelium-the-most-sophisticated-nation-state-attack-in-history\/\">NOBELIUM incident<\/a> in late 2021 was another instance of a large-scale cyberattack that launched a global hunting effort formed around MSTIC and Microsoft\u2019s team of global security experts. The threat actor targeted privileged accounts of service providers to move laterally in cloud environments, leveraging trusted relationships to gain access to downstream cloud service provider (CSP) customers. We engaged directly with affected customers to assist with incident response and drive detection and guidance around this activity. Through a successful partnership and continuous feedback loop, we have been able to improve our ability to minimize impact and protect customers over time.<\/p>\n\n\n\n<p>The work we delivered in protecting customers against NOBELIUM attacks would not have been possible if not for the continuous hunting process and feedback loop with threat intelligence. We\u2019ve crafted a symbiotic relationship that empowers threat hunters at DART to become better incident responders by looking at additional vectors seen in threat intelligence platforms.<\/p>\n\n\n\n<p>Seeing events from a threat intelligence perspective, applying the art and science of threat hunting, and partnering with the security industry at large are all but signs of our commitment to growth and helping organizations stay protected from cyberattacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Learn more<\/h2>\n\n\n\n<p>To read about the latest attack methods and cybersecurity best practices from our investigations and engagements, visit the <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/microsoft-detection-and-response-team-dart-blog-series\/\">Microsoft Detection and Response Team (DART) blog series<\/a>. To learn more about our specialized incident response and recovery services before, during, and after a cybersecurity crisis, visit <a href=\"https:\/\/www.microsoft.com\/security\/business\/services\/microsoft-security-services-incident-response\">Microsoft Security Services for Incident Response<\/a>.<\/p>\n\n\n\n<p>To learn more about Microsoft Security solutions,&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/business\/solutions\">visit our&nbsp;website<\/a>.&nbsp;Bookmark the&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\">Security blog<\/a>&nbsp;to keep up with our expert coverage on security matters. Also, follow us at&nbsp;<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noreferrer noopener\">@MSFTSecurity<\/a>&nbsp;for the latest news and updates on cybersecurity.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this follow-up post in our series about threat hunting, we talk about some general hunting strategies, frameworks, tools, and how Microsoft incident responders work with threat intelligence.  <\/p>\n","protected":false},"author":179,"featured_media":122107,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3659],"topic":[3674,3683],"products":[3721,3720],"threat-intelligence":[],"tags":[],"coauthors":[3308,2064],"class_list":["post-122104","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-best-practices","topic-incident-response","topic-security-management","products-microsoft-defender-experts-for-hunting","products-microsoft-security-experts"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>The art and science behind Microsoft threat hunting: Part 2 | Microsoft Security Blog<\/title>\n<meta name=\"description\" content=\"The Microsoft Detection and Response Team outlines the threat hunting strategies used in incident response to conduct deep investigation.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The art and science behind Microsoft threat hunting: Part 2 | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"The Microsoft Detection and Response Team outlines the threat hunting strategies used in incident response to conduct deep investigation.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-09-21T16:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-06-19T17:22:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/CLO22_SecOps_003.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"800\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Microsoft Security Experts, Microsoft Incident Response\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/CLO22_SecOps_003.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Security Experts, Microsoft Incident Response\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-experts\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Security Experts\"},{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/detection-and-response-team-dart\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Incident Response\"}],\"headline\":\"The art and science behind Microsoft threat hunting: Part 2\",\"datePublished\":\"2022-09-21T16:00:00+00:00\",\"dateModified\":\"2023-06-19T17:22:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/\"},\"wordCount\":1594,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/CLO22_SecOps_003.jpg\",\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/\",\"name\":\"The art and science behind Microsoft threat hunting: Part 2 | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/CLO22_SecOps_003.jpg\",\"datePublished\":\"2022-09-21T16:00:00+00:00\",\"dateModified\":\"2023-06-19T17:22:11+00:00\",\"description\":\"The Microsoft Detection and Response Team outlines the threat hunting strategies used in incident response to conduct deep investigation.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/CLO22_SecOps_003.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/CLO22_SecOps_003.jpg\",\"width\":1200,\"height\":800,\"caption\":\"Practitioner and CISO collaboration in a security operations center.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The art and science behind Microsoft threat hunting: Part 2\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The art and science behind Microsoft threat hunting: Part 2 | Microsoft Security Blog","description":"The Microsoft Detection and Response Team outlines the threat hunting strategies used in incident response to conduct deep investigation.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/","og_locale":"en_US","og_type":"article","og_title":"The art and science behind Microsoft threat hunting: Part 2 | Microsoft Security Blog","og_description":"The Microsoft Detection and Response Team outlines the threat hunting strategies used in incident response to conduct deep investigation.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/","og_site_name":"Microsoft Security Blog","article_published_time":"2022-09-21T16:00:00+00:00","article_modified_time":"2023-06-19T17:22:11+00:00","og_image":[{"width":1200,"height":800,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/CLO22_SecOps_003.jpg","type":"image\/jpeg"}],"author":"Microsoft Security Experts, Microsoft Incident Response","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/CLO22_SecOps_003.jpg","twitter_misc":{"Written by":"Microsoft Security Experts, Microsoft Incident Response","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-experts\/","@type":"Person","@name":"Microsoft Security Experts"},{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/detection-and-response-team-dart\/","@type":"Person","@name":"Microsoft Incident Response"}],"headline":"The art and science behind Microsoft threat hunting: Part 2","datePublished":"2022-09-21T16:00:00+00:00","dateModified":"2023-06-19T17:22:11+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/"},"wordCount":1594,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/CLO22_SecOps_003.jpg","inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/","name":"The art and science behind Microsoft threat hunting: Part 2 | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/CLO22_SecOps_003.jpg","datePublished":"2022-09-21T16:00:00+00:00","dateModified":"2023-06-19T17:22:11+00:00","description":"The Microsoft Detection and Response Team outlines the threat hunting strategies used in incident response to conduct deep investigation.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/CLO22_SecOps_003.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/CLO22_SecOps_003.jpg","width":1200,"height":800,"caption":"Practitioner and CISO collaboration in a security operations center."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"The art and science behind Microsoft threat hunting: Part 2"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/122104"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/179"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=122104"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/122104\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/122107"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=122104"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=122104"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=122104"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=122104"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=122104"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=122104"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=122104"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}