Many teams have built hunting programs that are effective and scalable for their own team and organization. However, with the release of Azure Sentinel, the Microsoft Threat Intelligence Center (MSTIC) was tasked with building a threat hunting framework that could be used by any threat hunter in any organization globally. This framework needed to work regardless of what data an organization had, what its threat model was, and what the skill level of the threat hunters involved was. In this talk I will cover the approaches MSTIC adopted in order to build this framework using a range of technologies such as Jupyter Notebooks, some of the lessons we learnt along the way, and what worked well and what didn't. Attendees of this presentation will take away techniques and approaches for building a threat hunting framework at large scale that will apply to large enterprises or multi-organizational enterprises. They will also take away techniques and technical capabilities for specific threat hunting challenges, such as hypothesis development and data visualization, that can be applied to a threat hunting operation of any size.
Speaker: Pete Bryan, Senior Software Engineer, Microsoft