Hands-on Experience

Threat Hunting

KQL Investigation • Log Analysis • Hypothesis-Driven Hunting • MITRE ATT&CK • Incident Escalation

Threat Hunting KQL Microsoft Sentinel Log Analytics Defender XDR MITRE ATT&CK

Threat Hunting

Threat hunting is a proactive security activity where analysts search for suspicious behavior that may not yet be detected by automated alerts. It uses logs, hypotheses, threat intelligence, and attacker behavior models.

As a Security Analyst, I use Microsoft Sentinel, Log Analytics, KQL, and Defender XDR to search for unusual patterns, validate suspicious activity, and escalate confirmed findings for incident response.

My hands-on experience includes building hunting queries, reviewing authentication activity, analyzing endpoint and network signals, mapping findings to MITRE ATT&CK, and documenting investigation results.

KQL Investigation

Threat Hunting with Microsoft Sentinel and Log Analytics

KQL Threat Hunting Query

Threat Hunting Investigation

This project demonstrates my practical experience with threat hunting in a Security Operations Center workflow. The objective was to proactively identify suspicious activity by asking focused questions and searching across security logs.

I created hunting hypotheses, used KQL queries to inspect log data, reviewed unusual sign-ins and endpoint events, and correlated findings with known attacker tactics and techniques.

The project also included validating suspicious results, reducing false positives, documenting evidence, and escalating confirmed threats for incident response.

Role

Security Analyst

Experience

Proactive SOC Operations

Technology

Microsoft Sentinel and KQL

Primary Focus

Hunting, Validation & Escalation

Environment

Microsoft Security Stack

Key Skills

KQL • Log Analysis • MITRE ATT&CK

Back to Hands-on Experience Contact Me

Key Responsibilities

Activities performed while working on threat hunting

Hypothesis Creation

Built focused hunt ideas based on attacker behavior, alerts, identity activity, and threat intelligence.

KQL Investigation

Used KQL to search logs, filter suspicious events, and find related activity across data sources.

Log Correlation

Correlated authentication, endpoint, cloud, and security events to understand activity patterns.

Escalation Support

Documented evidence, mapped behavior to MITRE ATT&CK, and escalated confirmed threats.

Technologies Used

Security tools and investigation methods used throughout the project

Security Platform

Microsoft SentinelMicrosoft Defender XDRLog AnalyticsMicrosoft Entra IDAzure Monitor

Hunting Methods

KQL QueriesHypothesis-Driven HuntingMITRE ATT&CKIOC SearchBehavior Analysis

SOC Skills

Log AnalysisIncident EscalationFalse Positive ReviewEvidence Documentation

Key Achievements

✔ Created threat hunting hypotheses.

✔ Built KQL queries for suspicious activity analysis.

✔ Correlated security events across multiple data sources.

✔ Mapped findings to MITRE ATT&CK techniques.

✔ Documented and escalated confirmed suspicious activity.

Skills Demonstrated

Threat Hunting

KQL

Log Analysis

Microsoft Sentinel

MITRE ATT&CK

Incident Investigation

Project Impact

Security improvements achieved through proactive threat hunting

Proactive Detection

Identified suspicious behavior that may not have triggered a standard alert.

Better Visibility

Used log analysis to improve understanding of identity, endpoint, and cloud activity.

Focused Investigation

Turned hunt questions into practical KQL searches and evidence-based conclusions.

Log Correlation

Connected related events across data sources to understand suspicious behavior.

Microsoft Security Integration

Used Sentinel, Defender XDR, Entra ID, and Log Analytics in one investigation workflow.

Response Readiness

Documented confirmed findings clearly so response teams could act quickly.

Secure.Hunt. Analyze. Escalate.

This page showcases my hands-on experience with threat hunting, where I build KQL queries, analyze security logs, map behavior to MITRE ATT&CK, validate findings, and support incident response.

Threat Hunting Experience

KQL Investigation • Log Analysis • Proactive Detection

Back to Hands-on Experience

Project Workflow

Threat hunting process followed during security operations

Create Hypothesis

Defined a hunt question based on attacker behavior, alerts, or threat intelligence.

Query Logs

Used KQL to search Microsoft Sentinel and Log Analytics data for suspicious events.

Validate Findings

Correlated events, reduced false positives, and mapped behavior to MITRE ATT&CK.

Escalate

Documented confirmed suspicious activity and supported incident response handoff.

Project Lifecycle

End-to-end lifecycle followed during proactive threat hunting.

PHASE 01

Hunt Planning

Hypothesis Development


Defined a hunt objective, data sources, suspicious behaviors, and expected evidence.

PHASE 02

Data Collection

Microsoft Sentinel and Log Analytics


Selected relevant logs from identity, endpoint, cloud, and security data sources.

PHASE 03

KQL Analysis

Kusto Query Language


Built and refined queries to find suspicious patterns and related activity.

PHASE 04

Validation

MITRE ATT&CK Mapping


Validated findings, reduced noise, and mapped behavior to attacker techniques.

PHASE 05

Reporting

SOC Escalation


Documented evidence, recommended next actions, and escalated confirmed threats.