{"id":135541,"date":"2024-08-28T12:00:00","date_gmt":"2024-08-28T19:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=135541"},"modified":"2024-09-10T11:14:40","modified_gmt":"2024-09-10T18:14:40","slug":"the-art-and-science-behind-microsoft-threat-hunting-part-3","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/","title":{"rendered":"The art and science behind Microsoft threat hunting: Part 3"},"content":{"rendered":"\n<p>Earlier in Part 1<sup>1<\/sup> and Part 2<sup>2<\/sup> of this blog series, <a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-incident-response\">Microsoft Incident Response<\/a> outlined the strategies, methodologies, and approaches that are used while performing a cyberthreat hunt in both pre- and post-compromised environments. This chapter outlines how Microsoft Incident Response, in collaboration with partner security teams, leverages three distinct types of threat intelligence in the threat hunting cycle, and how customers can utilize these artifacts themselves to improve their own incident response preparedness.\u00a0<\/p>\n\n\n<div class=\"wp-block-msxcm-cta-block\" data-moray data-bi-an=\"CTA Block\">\n\t<div class=\"card d-block mx-ng mx-md-0\">\n\t\t<div class=\"row no-gutters material-color-dark bg-dark-orange\">\n\n\t\t\t\t\t\t\t<div class=\"col-md-4\">\n\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/02\/Featured-image-1024x683.jpg\" class=\"card-img img-object-cover\" alt=\"a conference room of people sitting around a table\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/02\/Featured-image-1024x683.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/02\/Featured-image-300x200.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/02\/Featured-image-768x512.jpg 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/02\/Featured-image.jpg 1199w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/>\t\t\t\t<\/div>\n\t\t\t\n\t\t\t<div class=\"d-flex col-md\">\n\t\t\t\t<div class=\"card-body align-self-center p-4 p-md-5\">\n\t\t\t\t\t<h2>Microsoft Incident Response<\/h2>\n\n\t\t\t\t\t<div class=\"mb-3\">\n\t\t\t\t\t\t<p>Strengthen your security with an end-to-end portfolio of proactive and reactive cybersecurity incident response services.<\/p>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t\t\t\t\t\t\t<div class=\"link-group\">\n\t\t\t\t\t\t\t<a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-incident-response\" class=\"btn btn-primary bg-body text-body\" >\n\t\t\t\t\t\t\t\t<span>Learn more<\/span>\n\t\t\t\t\t\t\t\t<span class=\"glyph-append glyph-append-chevron-right glyph-append-xsmall\"><\/span>\n\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\n\t\t\t\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n\n<p>Threat intelligence is often oversimplified to represent a feed of <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/security-101\/what-are-indicators-of-compromise-ioc\">indicators of compromise<\/a> (IOCs). The intersection between multiple types of threat intelligence, however, enables organizations and their threat hunters to have a holistic understanding of the cyberattackers and techniques that can and will target them. With this comprehensive cheat sheet of knowledge, threat hunters can not only increase efficiency when responding to a compromise, but proactively hunt their systems for anomalies and fine-tune protection and detection mechanisms.\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"470\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/Slide2-1-1024x470.jpg\" alt=\"Graph showing the organizational effort versus the effort gained when using the three types of threat intelligence. In order of most effort required and highest value gained: Strategic, Operational, Tactical. \" class=\"wp-image-135548\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/Slide2-1-1024x470.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/Slide2-1-300x138.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/Slide2-1-768x353.jpg 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/Slide2-1.jpg 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><em>Figure 1. Three types of threat intelligenc<\/em>e.<\/p>\n\n\n\n<p>Figure 1 introduces three types of threat intelligence that will be outlined in this blog\u2014<strong>strategic<\/strong>, <strong>operational<\/strong>, and <strong>tactical<\/strong>. It provides a visualization of organizational effort versus the value gained when utilizing threat intelligence in more than one way. Typically, security teams integrate IOC cyberthreat feeds at a tactical level, but incorporating threat intelligence operationally requires daily investment, especially when alert queues seem endless. Strategic threat intelligence may seem familiar to most organizations but can be challenging to apply effectively, as this requires concentrated effort at multiple levels to understand the organization\u2019s position within the overall threat landscape. How can threat hunters leverage these types of threat intelligence effectively for the benefit of their organization?&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"strategic-threat-intelligence-informed-hunting-driven-by-the-overarching-cyberthreat-landscape\">Strategic threat intelligence: Informed hunting driven by the overarching cyberthreat landscape&nbsp;<\/h2>\n\n\n\n<p>Security teams should be industry aware\u2014being cognizant of the types of digital threats and current trends affecting industry verticals allows any team to be better prepared for potential compromise. Strategic threat intelligence is fundamentally based on understanding threat actor motives, which gives organizations an understanding of which threat actors they should be most conscious of in relation to the industry vertical or their most valuable resources. For example, government entities are traditionally targeted by nation-state advanced persistent threats (APTs) to perform cyber espionage, whereas organizations in the healthcare industry are commonly targeted by cybercriminal actor groups for ransomware operations and financial extortion due to the sensitivity of the data they possess. Understanding where the organization fits into this strategic picture determines the investment where its resources (people and time) may be constrained. Furthermore, it&#8217;s a key step toward developing an effective threat-informed defense strategy prioritizing the cyberattacks that target the organization. \u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"operational-threat-intelligence-informed-hunting-to-proactively-understand-the-environment-and-its-data\">Operational threat intelligence: Informed hunting to proactively understand the environment and its data&nbsp;<\/h2>\n\n\n\n<p>Having broad visibility into an organization\u2019s attack surface is imperative when applying threat intelligence at an operational level. The crucial components spanning the perimeter of the on-premises network and extended entities such as cloud, software-as-a-service, and overall supply chain should be well understood:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Where are the tier 0 systems in the organization?&nbsp;<\/li>\n\n\n\n<li>What intermediary lateral movement pathways exist to tier 0 systems?&nbsp;<\/li>\n\n\n\n<li>What security controls across the environment are (or aren\u2019t) in place?&nbsp;<\/li>\n\n\n\n<li>What telemetry is produced by all systems in the environment?&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Security teams should proactively analyze the data that comes from these entities to develop a baseline of normal operations. Along with this baseline, threat hunters should comprehend and exercise organizational processes. In the event of an identified anomaly, how is that behavior deconflicted? What teams within the organization need to be consulted? What is the process for ensuring false positives can be reported and circulated efficiently and effectively? Considering the secondary questions and tertiary actions of response steps greatly benefits threat hunting timeliness, staving off confusion during a rapidly evolving incident. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"tactical-threat-intelligence-informed-hunting-to-reactively-respond-to-a-live-cyberthreat\">Tactical threat intelligence: Informed hunting to reactively respond to a live cyberthreat&nbsp;<\/h2>\n\n\n\n<p>Tactical threat intelligence is often an organization\u2019s main integration to enhance a threat hunt, particularly in response to an active cyberattack scenario. Known-bad entities and atomic indicators such as IP addresses, domains, and file hashes are used to identify anomalies aligning to attacker techniques against targeted systems quickly. Additionally, if the cyberattack is already attributed to a threat actor, or the attack aligns to a particular motive, security teams can use these patterns of behavior to prioritize their hunting scope to their known tactics, techniques, and procedures. Novel indicators or associated research from the analysis should be shared with other vetted threat hunters within the organization and are a particularly valuable contribution to the wider threat intelligence community to further enrich detections for all organizations.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"putting-it-together-threat-intelligence-and-iterative-threat-hunting\">Putting it together: Threat intelligence and iterative threat hunting&nbsp;<\/h2>\n\n\n\n<p>Armed with this breakdown, threat hunters can now turn their attention to using varied threat intelligence to execute threat hunts and track down threat actors. The threat hunting iterative workflow shown in Figure 2 is something security teams will likely be familiar with; but are threat intelligence artifacts effectively being applied to create a holistic threat-informed defense strategy?&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"473\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/Slide1-1024x473.jpg\" alt=\"Visualization of threat hunting iterative workflows, showing how cyber threat intelligence artifacts (strategic, operational, and tactical) feed into the iterative workflow of threat hunting. Strategic and operational artifacts feed into the hunt hypothesis phase of the threat hunting workflow, while tactical artifacts feed into the hunting phase of the workflow. \" class=\"wp-image-135551\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/Slide1-1024x473.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/Slide1-300x139.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/Slide1-768x355.jpg 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/Slide1.jpg 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><em>Figure 2. Feeding threat intelligence artifacts into an iterative threat hunting workflow<\/em>.<\/p>\n\n\n\n<p>When preparing a hunt, threat hunters should seek to apply strategic threat intelligence to prioritize the cyberthreats that target the organization. This directly leads into the hypothesis phase. Threat hunters include the gathered strategic artifacts in a hunt hypothesis based on the trends or threat actors impacting other organizations in the same vertical. This casts a wide net to identify anomalies and behaviors common to the industry. They are not limiting the hunt based on any one IOC, rather using the collective intelligence learned from similar intrusions to detect or prevent the attack scenario. For every investigation, whether it be proactive or reactive, Microsoft Incident Response threat hunters consider other incidents impacting victim organizations in the same industry as a guiding force to efficiently identify focus areas of analysis, leveraging research from Microsoft Threat Intelligence that outlines any applicable threat actor attribution.&nbsp;<\/p>\n\n\n\n<p>Daily workflows should be enhanced with operational threat intelligence artifacts to determine an environmental baseline. Proactive hunt hypotheses should seek to test the understanding and actively seek to identify gaps in various aspects of the baseline, identifying any behavioral anomalies straying from \u201cnormal operations\u201d and developing high-fidelity, real-world detections based on the true attempts at intrusion to their environments. Existing detections should be continuously reviewed and refined, hunting threads should include interrogation of both successful and failed access attempts, and data integrity should be verified. Security teams should question if:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Centralized data is both complete and accurate\u2014identifying if there are any gaps in the data and why.&nbsp;<\/li>\n\n\n\n<li>The schema is consistent between all data sources (for example, timestamp accuracy).&nbsp;<\/li>\n\n\n\n<li>The correct fields are flowing through from their distributed systems\u2019 sources.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>When security teams embody being the experts of their environment, they become more adept at identifying when a proactive threat hunt shifts into reactive response to active threat. This is invaluable when improving the speed of returning to normal operations and engaging additional support such as Microsoft Incident Response, who can enhance the hunt with threat intelligence from previous global incidents, working with the customer to deconflict abnormalities quickly for swift takeback and eviction of threat actors.&nbsp;<\/p>\n\n\n\n<p>When incident response teams like Microsoft Incident Response are engaged during a reactive incident, the objective of threat hunting is to conduct analysis of live, historical, and contextual data on targeted and compromised systems and provide a detailed story of not only the attack chain, but the threat actor(s) conducting that attack. Enriching a threat hunt with tactical threat intelligence artifacts in the form of IOCs concentrates investigation scope and allows for rapid identification of threat actor activity. As the hunt progresses, relational entities to that indicator are uncovered, such as the identities involved in activity execution and lateral movement paths to different systems. Attention shifts from atomic indicators such as IP addresses and malicious domains, to artifacts left directly on compromised systems, such as commands that were run or persistent backdoors that were installed. This builds an end-to-end timeline of malicious activity and related indicators for organizations to stay informed, implement target security controls, and prevent the same, or similar, incidents in the future.\u00a0\u00a0<\/p>\n\n\n<div class=\"wp-block-msxcm-kicker-container\">\n\t<div class=\" wp-block-msxcm-kicker-block wp-block-msxcm-kicker--align-left\" data-bi-an=\"Kicker Left\">\n\t\t<p class=\"wp-block-msxcm-kicker__title small text-neutral-400 text-uppercase\">\n\t\t\tWhat is Microsoft Defender Threat Intelligence (Defender TI)?\t\t<\/p>\n\t\t<a\n\t\t\tclass=\"wp-block-msxcm-kicker__cta btn btn-link p-0 text-decoration-none\"\n\t\t\thref=\"https:\/\/learn.microsoft.com\/en-us\/defender\/threat-intelligence\/what-is-microsoft-defender-threat-intelligence-defender-ti\"\n\t\t\ttarget=\"_blank\"\t\t>\n\t\t\t<span>Learn more<\/span> <span class=\"glyph-append glyph-append-xsmall wp-block-msxcm-kicker__glyph glyph-append-go\"><\/span>\n\t\t<\/a>\n\t<\/div>\n<\/div>\n\n\n\n<p>Adhering to the collaborative cycle of threat intelligence, Microsoft Incident Response contributes front-line research to enhance and further develop detections for customers worldwide. Entities are aligned with industry frameworks such as the <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/06\/22\/strategies-tools-and-frameworks-for-building-an-effective-threat-intelligence-team\/\" target=\"_blank\" rel=\"noreferrer noopener\">Diamond Model<\/a>, to build threat actor profiles detailing the relationship between adversaries\u2019 infrastructure, capabilities and victims. <a href=\"https:\/\/aka.ms\/mdti-intel-explorer\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Threat Intelligence<\/a> is available in <a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-defender-xdr\">Microsoft Defender XDR<\/a> for the community and fellow security teams to consume, validate, and refine into proactive detections for the organization.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-microsoft-incident-response-can-support-proactive-threat-protection\">How Microsoft Incident Response can support proactive threat protection<\/h2>\n\n\n\n<p>Microsoft Incident Response has cultivated and relies upon implementing the cycle between incident response and threat intelligence to protect our customers, leveraging insights from 78 trillion signals per day. Organizations can proactively position themselves to be well-informed by the threats targeting their organization by implementing threat intelligence in a holistic way, before an incident begins.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Embracing a collaborative culture amongst the threat intelligence community to not only consume entities, but to further contribute, refine, and enhance existing research, results in improved detections, controls, and automation, allowing all security professionals to get behind the same goal\u2014track down and protect themselves from threat actors and their malicious intent. \u00a0<\/p>\n\n\n\n<p>You can read <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/detection-and-response-team-dart\/\" target=\"_blank\" rel=\"noreferrer noopener\">more blogs from Microsoft Incident Response<\/a>. For more security research from the Microsoft Threat Intelligence community, check out the <a href=\"https:\/\/aka.ms\/threatintelblog\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Threat Intelligence Blog<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h2>\n\n\n\n<p>Learn more about <a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-incident-response\">Microsoft Incident Response<\/a>.<\/p>\n\n\n\n<p>To get notified about new Microsoft Threat Intelligence publications and to join discussions on social media, follow us on X (<a href=\"https:\/\/twitter.com\/MsftSecIntel\">@MsftSecIntel<\/a>).<\/p>\n\n\n\n<p>To learn more about Microsoft Security solutions, visit our&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\" target=\"_blank\" rel=\"noreferrer noopener\">website.<\/a>&nbsp;Bookmark the&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/\" target=\"_blank\" rel=\"noreferrer noopener\">Security blog<\/a>&nbsp;to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (<a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-security\/\">Microsoft Security<\/a>) and X (<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noreferrer noopener\">@MSFTSecurity<\/a>)&nbsp;for the latest news and updates on cybersecurity.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><sup>1<\/sup><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/08\/part-1-the-art-and-science-of-threat-hunting\/\">The art and science behind Microsoft threat hunting: Part 1<\/a>, Microsoft Incident Response Team. September 9, 2022.<\/p>\n\n\n\n<p><sup>2<\/sup><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/21\/the-art-and-science-behind-microsoft-threat-hunting-part-2\/\">The art and science behind Microsoft threat hunting: Part 2<\/a>, Microsoft Incident Response Team. September 21, 2022.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this blog post, read how Microsoft Incident Response leverages three types of threat intelligence to enhance incident response scenarios.<\/p>\n","protected":false},"author":162,"featured_media":135556,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3659],"topic":[3674,3687],"products":[3854,3720],"threat-intelligence":[],"tags":[],"coauthors":[2064],"class_list":["post-135541","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-best-practices","topic-incident-response","topic-threat-intelligence","products-microsoft-incident-response","products-microsoft-security-experts","review-flag-1-1694638265-354","review-flag-2-1694638266-864","review-flag-9-1694638266-118","review-flag-integ-1694638263-281","review-flag-lever-1694638263-909","review-flag-new-1694638263-340","review-flag-partn-1694638263-177"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>The art and science behind Microsoft threat hunting: Part 3 | Microsoft Security Blog<\/title>\n<meta name=\"description\" content=\"Read how Microsoft Incident Response leverages three types of threat intelligence to enhance incident response scenarios.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The art and science behind Microsoft threat hunting: Part 3 | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"Read how Microsoft Incident Response leverages three types of threat intelligence to enhance incident response scenarios.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2024-08-28T19:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-09-10T18:14:40+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/91849256-b03d-4004-a698-c3ecb823346a.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1260\" \/>\n\t<meta property=\"og:image:height\" content=\"709\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Microsoft Incident Response\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/91849256-b03d-4004-a698-c3ecb823346a.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Incident Response\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/detection-and-response-team-dart\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Incident Response\"}],\"headline\":\"The art and science behind Microsoft threat hunting: Part 3\",\"datePublished\":\"2024-08-28T19:00:00+00:00\",\"dateModified\":\"2024-09-10T18:14:40+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/\"},\"wordCount\":1704,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/91849256-b03d-4004-a698-c3ecb823346a.webp\",\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/\",\"name\":\"The art and science behind Microsoft threat hunting: Part 3 | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/91849256-b03d-4004-a698-c3ecb823346a.webp\",\"datePublished\":\"2024-08-28T19:00:00+00:00\",\"dateModified\":\"2024-09-10T18:14:40+00:00\",\"description\":\"Read how Microsoft Incident Response leverages three types of threat intelligence to enhance incident response scenarios.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/91849256-b03d-4004-a698-c3ecb823346a.webp\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/91849256-b03d-4004-a698-c3ecb823346a.webp\",\"width\":1260,\"height\":709,\"caption\":\"Chief information security officer presents to the board of executives on security topics.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The art and science behind Microsoft threat hunting: Part 3\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The art and science behind Microsoft threat hunting: Part 3 | Microsoft Security Blog","description":"Read how Microsoft Incident Response leverages three types of threat intelligence to enhance incident response scenarios.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/","og_locale":"en_US","og_type":"article","og_title":"The art and science behind Microsoft threat hunting: Part 3 | Microsoft Security Blog","og_description":"Read how Microsoft Incident Response leverages three types of threat intelligence to enhance incident response scenarios.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/","og_site_name":"Microsoft Security Blog","article_published_time":"2024-08-28T19:00:00+00:00","article_modified_time":"2024-09-10T18:14:40+00:00","og_image":[{"width":1260,"height":709,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/91849256-b03d-4004-a698-c3ecb823346a.png","type":"image\/png"}],"author":"Microsoft Incident Response","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/91849256-b03d-4004-a698-c3ecb823346a.png","twitter_misc":{"Written by":"Microsoft Incident Response","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/detection-and-response-team-dart\/","@type":"Person","@name":"Microsoft Incident Response"}],"headline":"The art and science behind Microsoft threat hunting: Part 3","datePublished":"2024-08-28T19:00:00+00:00","dateModified":"2024-09-10T18:14:40+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/"},"wordCount":1704,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/91849256-b03d-4004-a698-c3ecb823346a.webp","inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/","name":"The art and science behind Microsoft threat hunting: Part 3 | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/91849256-b03d-4004-a698-c3ecb823346a.webp","datePublished":"2024-08-28T19:00:00+00:00","dateModified":"2024-09-10T18:14:40+00:00","description":"Read how Microsoft Incident Response leverages three types of threat intelligence to enhance incident response scenarios.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/91849256-b03d-4004-a698-c3ecb823346a.webp","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/91849256-b03d-4004-a698-c3ecb823346a.webp","width":1260,"height":709,"caption":"Chief information security officer presents to the board of executives on security topics."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/28\/the-art-and-science-behind-microsoft-threat-hunting-part-3\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"The art and science behind Microsoft threat hunting: Part 3"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":true,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/135541"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/162"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=135541"}],"version-history":[{"count":10,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/135541\/revisions"}],"predecessor-version":[{"id":135574,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/135541\/revisions\/135574"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/135556"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=135541"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=135541"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=135541"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=135541"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=135541"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=135541"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=135541"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}