{"id":35720,"date":"2020-06-25T16:00:18","date_gmt":"2020-06-25T16:00:18","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=91441"},"modified":"2020-06-25T16:00:18","modified_gmt":"2020-06-25T16:00:18","slug":"lessons-learned-from-the-microsoft-soc-part-3d-zen-and-the-art-of-threat-hunting","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/lessons-learned-from-the-microsoft-soc-part-3d-zen-and-the-art-of-threat-hunting\/","title":{"rendered":"Lessons learned from the Microsoft SOC\u2014Part 3d: Zen and the art of threat hunting"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-91442 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/CLO20b_Evan_office_001-6-25-BANNER.png\" alt=\"An image of a black male developer at work in an Enterprise office workspace.\" width=\"1200\" height=\"630\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/CLO20b_Evan_office_001-6-25-BANNER.png 1200w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/CLO20b_Evan_office_001-6-25-BANNER-300x158.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/CLO20b_Evan_office_001-6-25-BANNER-1024x538.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/06\/CLO20b_Evan_office_001-6-25-BANNER-768x403.png 768w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\"><\/p>\n<p>Threat hunting is a powerful way for the SOC to reduce organizational risk, but it\u2019s commonly portrayed and seen as a complex and mysterious art form for deep experts only, which can be counterproductive. 
In this and the next blog, we will shed light on this important function and recommend simple ways to get immediate and meaningful value out of threat hunting.<\/p>\n<p>This is the seventh blog in <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/02\/21\/lessons-learned-from-the-microsoft-soc-part-1-organization\/\" target=\"_blank\" rel=\"noopener noreferrer\">the Lessons learned from the Microsoft SOC<\/a> series designed to share our approach and experience from the front lines of our security operations center (SOC) protecting Microsoft, and our Detection and Response Team (DART) helping our customers with their incidents. For a visual depiction of our SOC philosophy, <a href=\"https:\/\/aka.ms\/minutesmatter\" target=\"_blank\" rel=\"noopener noreferrer\">download our Minutes Matter poster<\/a>.<\/p>\n<p>Before we dive in, let\u2019s clarify the definition of \u201cthreat hunting.\u201d There are various disciplines and processes that contribute to the successful proactive discovery of threat actor operations. For example, our Hunting Team works with threat intelligence to help shape and guide their efforts, but our threat intelligence teams are not \u201cthreat hunters.\u201d When we use the term \u201cthreat hunting,\u201d we are talking about the process of experienced analysts proactively and iteratively searching through the environment to find attacker operations that have evaded other detections.<\/p>\n<p>Hunting is a complement to reactive processes, alerts, and detections, and enables you to proactively get ahead of attackers. What sets hunting apart from reactive activities is its proactive nature: hunters spend extended focus time thinking through issues, identifying trends and patterns, and getting a bigger-picture perspective.<\/p>\n<p>A successful hunting program is not purely proactive, however, as it requires continuously balancing attention between reactive and proactive efforts. 
Threat hunters will still need to maintain a connection to the reactive side to keep their skills sharp and fresh and to stay attuned to trends in the alert queue. They will also need to jump in to help with major incidents at a moment\u2019s notice to help put out the fire. The amount of time available for proactive activities will depend heavily on whether you have a full-time or part-time hunting mission.<\/p>\n<p>Our SOC approaches threat hunting by applying our analysts to different types of threat hunting tasks:<\/p>\n<p><strong>1. Proactive adversary research and threat hunting<\/strong><\/p>\n<p>This is what most of our threat hunters spend the majority of their time doing. The team searches through a variety of sources, including alerts and external indicators of compromise. The team primarily works to build and refine structured hypotheses of what the attackers may do based on threat intelligence (TI), unusual observations in the environment, and their own experience. In practice, this type of threat hunting includes:<\/p>\n<ul>\n<li>Proactive search through the data (queries or manual review).<\/li>\n<li>Proactive development of hypotheses based on TI and other sources.<\/li>\n<\/ul>\n<p><strong>2. Red and purple teaming<\/strong><\/p>\n<p>Some of our threat hunters work with red teams who simulate attacks and others who conduct authorized penetration testing against our environment. This is a rotating duty for our threat hunters and typically involves purple teaming, where both red and blue teams work to do their jobs and learn from each other. Each activity is followed up by fully transparent reviews that capture lessons learned, which are shared throughout the SOC, with product engineering teams, and with other security teams in the company.<\/p>\n<p><strong>3. Incidents and escalations<\/strong><\/p>\n<p>Proactive hunters aren\u2019t sequestered somewhere away from the watch floor. 
They are co-located with reactive analysts; they frequently check in with each other, share what they are working on, share interesting findings\/observations, and generally maintain situational awareness of current operations. Threat hunters aren\u2019t necessarily assigned to this task full time; they may simply remain flexible and jump in to help when needed.<\/p>\n<p>These are not isolated functions\u2014the members of these teams work in the same facility and frequently check in with each other, share what they are working on, and share interesting findings\/observations.<\/p>\n<h3>What makes a good threat hunter?<\/h3>\n<p>While any high-performing analyst has good technical skills, a threat hunter must be able to see past technical data and tools to attackers\u2019 actions, motivations, and ideas. They need to have a \u201cfingertip feel\u201d (sometimes referred to as <a href=\"https:\/\/en.wikipedia.org\/wiki\/Fingerspitzengef%C3%BChl\" target=\"_blank\" rel=\"noopener noreferrer\">Fingerspitzengef\u00fchl<\/a>), which is a natural sense of what is normal and abnormal in security data and the environment. Threat hunters can recognize when an alert (or cluster of alerts\/logs) seems different or out of place.<\/p>\n<p>One way to think about the qualities that make up a good threat hunter is to look at the <strong>Three F\u2019s<\/strong>.<\/p>\n<p><strong>Functionality<\/strong><\/p>\n<p>This is technical knowledge and competency in investigating and remediating incidents. Security analysts (including threat hunters) should be proficient with the security tools, the general flow of investigation and remediation, and the types of technologies commonly deployed in enterprise environments.<\/p>\n<p><strong>Familiarity<\/strong><\/p>\n<p>This is \u201cknow thyself\u201d and \u201cknow thy enemy\u201d and includes familiarity with your organization\u2019s specific environment and familiarity with attacker tactics, techniques, and procedures (TTPs). 
Attacker familiarity starts with understanding common adversary behaviors and then grows into a deeper sense of specific adversaries (including technologies, processes, playbooks, business priorities and mission, industry, and typical threat patterns). Familiarity also includes the relationships threat hunters develop with the people in your organization, and their roles\/responsibilities. Familiarity with your organization is highly valued for analysts on investigation teams, and critical for effective threat hunting.<\/p>\n<p><strong>Flexibility<\/strong><\/p>\n<p>Flexibility is a highly valued attribute of any analyst role, but it is absolutely required for a threat hunter. Flexibility is a mindset of being adaptable in what you may do every day and how you do it. This manifests in how you understand problems, process information, and pursue solutions. This mindset comes from within each person and is reflected in almost everything they do.<\/p>\n<p>Where any threat analyst (or threat hunter) can take a particular alert or event and run it into the ground, a good threat hunter will take a step back and look at a collection of data, alerts or events. Threat hunters must be inquisitive and unrelentingly curious about things\u2014to the point that it bugs them if they don\u2019t have a clear understanding of something. Instead of just answering a question, threat hunters are constantly trying to ask better questions of the data, coming up with creative new angles to answer them, and seeing what new questions they raise. 
Threat hunting also requires humility, to be able to quickly admit your mistakes so you can <em>rapidly<\/em> re-enter learning mode.<\/p>\n<h3>Threat hunting tooling<\/h3>\n<p>Threat hunting naturally pulls in a wide variety of tools, but our team has grown to prefer a few of the Microsoft tools whose design they have influenced.<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/mtp\/advanced-hunting-overview?view=o365-worldwide\" target=\"_blank\" rel=\"noopener noreferrer\">Advanced hunting<\/a> in <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/threat-protection\/integrated-threat-protection\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Threat Protection (MTP)<\/a> tends to be the go-to tool for anything related to endpoints, identities, email, Azure resources, and SaaS applications.<\/li>\n<li>Our teams also use <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/sentinel\/\" target=\"_blank\" rel=\"noopener noreferrer\">Azure Sentinel<\/a>, Jupyter notebooks, and custom analytics to hunt across broad datasets like application and network data, as well as diving deeper into identity, endpoint, Office 365, and other log data.<\/li>\n<\/ul>\n<p>Our threat hunting teams across Microsoft contribute queries, playbooks, workbooks, and notebooks to the <a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\" target=\"_blank\" rel=\"noopener noreferrer\">Azure Sentinel Community<\/a>, including specific <a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\" target=\"_blank\" rel=\"noopener noreferrer\">hunting queries<\/a> that your teams can adapt and use.<\/p>\n<h3>Conclusion<\/h3>\n<p>We have discussed the art of threat hunting, different approaches to it, and what makes a good threat hunter. In the next entry, we dive deeper into how to build and refine a threat hunting program. 
If you are looking for more information on the SOC and other cybersecurity topics, check out previous entries in the series (<a href=\"https:\/\/microsoft.sharepoint.com\/teams\/celadcutour\/SitePages\/Cybercrime%20Center%20Tour.aspx\" target=\"_blank\" rel=\"noopener noreferrer\">Part 1<\/a>&nbsp;|&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/\" target=\"_blank\" rel=\"noopener noreferrer\">Part 2a<\/a>&nbsp;|&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/\" target=\"_blank\" rel=\"noopener noreferrer\">Part 2b<\/a>&nbsp;|&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/06\/06\/lessons-learned-from-the-microsoft-soc-part-2b-career-paths-and-readiness\/\" target=\"_blank\" rel=\"noopener noreferrer\">Part 3a<\/a>&nbsp;|&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/10\/07\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3a-choosing-soc-tools\/\" target=\"_blank\" rel=\"noopener noreferrer\">Part 3b<\/a>| <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/05\/04\/lessons-learned-microsoft-soc-part-3c\" target=\"_blank\" rel=\"noopener noreferrer\">Part 3c<\/a>), <a href=\"https:\/\/aka.ms\/markslist\" target=\"_blank\" rel=\"noopener noreferrer\">Mark\u2019s List<\/a>, and our <a href=\"https:\/\/aka.ms\/securtydocs\" target=\"_blank\" rel=\"noopener noreferrer\">new security documentation site<\/a>. Be sure to bookmark the&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/\" target=\"_blank\" rel=\"noopener noreferrer\">Security blog<\/a>&nbsp;to keep up with our expert coverage on security matters. 
Also, follow us at&nbsp;<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noopener noreferrer\">@MSFTSecurity<\/a>&nbsp;for the latest news and updates on cybersecurity.<\/p>\n<p>READ MORE <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/06\/25\/zen-and-the-art-of-threat-hunting\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog provides lessons learned on how Microsoft hunts for threats in our IT environment and how you can apply these lessons to building or improving your threat hunting program. This is the seventh in a series.<br \/>\nThe post Lessons learned from the Microsoft SOC\u2014Part 3d: Zen and the art of threat hunting appeared first on Microsoft Security. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":35721,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[6577,6579,347,4161,6598,6578],"class_list":["post-35720","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-ciso-series","tag-ciso-series-page","tag-cybersecurity","tag-evolution","tag-evolution-of-microsoft-threat-protection","tag-threat-protection"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Lessons learned from the Microsoft SOC\u2014Part 3d: Zen and the art of threat hunting 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
\" \/>\n<!-- \/ Yoast SEO plugin. -->"}