Task 04: Hunt with built-in queries and MITRE ATT&CK

Introduction

Microsoft Defender XDR integrates hunting queries with the MITRE ATT&CK matrix, mapping telemetry and detections to tactics and techniques.

Description

You’ll access the MITRE ATT&CK matrix, explore mapped techniques, and execute prebuilt hunting queries.

Success criteria

  • The MITRE ATT&CK matrix loads successfully.
  • You identify a lateral movement technique.
  • A built-in hunting query executes successfully.

Key steps:

  1. Access the MITRE ATT&CK view.

    Detailed steps:
    1. In the Defender portal, go to Microsoft Sentinel > Threat management > MITRE ATT&CK.
    2. Review the matrix display showing mapped detections across tactics.
    3. Confirm filters:
      • Matrix type view: Default (12 selected)
      • Coverage level: All
      • Active rules: 3 selected
      • Simulated rules: 3 selected

  2. Explore lateral movement techniques.

    Detailed steps:
    1. In the search box, enter Lateral and press Enter.

    2. Select View Hunting Queries.

    3. Choose a technique (for example, Detect Potential Kerberoast Activities) to open its details pane.

    4. Review analytic rules, detections, and entities.

    5. Select View Query Results to run the associated hunting query.
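
    For orientation, the following shows the kind of logic a Kerberoast hunting query of this type runs. It is an added illustration for this task, not the built-in Sentinel query itself, and it assumes Windows Security events (Event ID 4769, Kerberos service ticket requested) are being collected into the SecurityEvent table; the threshold is a constructed starting value.

```kusto
// Added illustration of Kerberoast-style hunting logic over Windows Security
// events in the SecurityEvent table. Not the built-in Sentinel query.
// Assumes Event ID 4769 (Kerberos service ticket requested) is collected.
let lookback = 1d;
let spn_threshold = 5;     // distinct SPNs per account in the window; tune to the environment
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4769
| where Status == "0x0"                       // successful ticket requests only
| where TicketEncryptionType == "0x17"        // RC4-HMAC, the weak cipher Kerberoasting asks for
| extend Spn = tolower(ServiceName)
| where Spn !endswith "$"                     // computer accounts are not the usual target
| where Spn != "krbtgt"                       // exclude the KDC account
| summarize
    DistinctSpns = dcount(Spn),
    SpnSample = make_set(Spn, 20),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by RequestingAccount = TargetUserName, SourceIp = IpAddress, DomainController = Computer
| where DistinctSpns >= spn_threshold         // one account requesting tickets for many services
| order by DistinctSpns desc
```

    Rows where a single account requests RC4 service tickets for many distinct SPNs in a short window are the ones worth pivoting on in the details pane.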

    Exc8_img13.png Exc8_img14.png Exc8_img15.png