Defensive security posture is no longer enough. Waiting for a critical alert to fire in Microsoft Defender often means learning of the attack only once data exfiltration has already begun. To counter Advanced Persistent Threats (APTs), security operations centers (SOCs) must practice Threat Hunting: proactively hunting for weak signals.
Yet in the world of managed service providers (MSSPs), this practice is often relegated to the background. The reason? It is excruciatingly time-consuming. Let's decipher why threat hunting at scale is so complex and how a centralized platform can automate it.
The puzzle of Multi-Tenant Threat Hunting
Microsoft's query language, Kusto Query Language (KQL), is a phenomenally powerful tool for querying Advanced Hunting data. It allows you to correlate system events, network connections and file creations with surgical precision.
However, its daily use by an MSSP comes up against an operational wall:
1. Fragmentation of access
To hunt for suspicious behavior (such as exploitation of a newly published zero-day vulnerability) across your entire customer base, an L2 analyst must successively connect to Customer A's Microsoft 365 Defender portal, write and execute their KQL query, export the results, log out, then start again for Customer B, Customer C... If they manage 50 tenants, a simple verification routine can take them an entire day.
2. The technical requirement of KQL
KQL is a powerful but complex language. Not all level 1 (L1) analysts are fluent in it. Asking a junior operator to write a join between the DeviceProcessEvents and DeviceNetworkEvents tables is the surest way to get syntax errors, queries that return the wrong results, or worse, a proven threat that goes unnoticed.
3. Data consolidation (CSV file syndrome)
Manual export of dozens of CSV files from native Microsoft portals forces the analyst to manipulate data in Excel to hope to cross-reference the indicators. It is a cumbersome process, prone to human error, and disconnected from the remediation system.
The solution: Centralized KQL Orchestration
For an MSSP to be profitable, it must offer Threat Hunting services without letting its payroll costs explode. This is the promise of a modern SOC orchestrator like Akuity.
An Immediate Multi-Tenant Selector
In the Akuity SOC Threat Hunting terminal, the analyst never leaves their window. An integrated selector lets them target the client tenant on which they wish to run the search. Calls are sent asynchronously via the Microsoft API. The investigation goes from several minutes of laborious navigation to a fraction of a second.
An Optimized Editing Terminal
No more rudimentary text editors. The Akuity terminal offers a real input console in monospace font with distinctive syntax highlighting (emerald green), making code easier to read. The number of lines entered is calculated in real time, providing development comfort worthy of a professional IDE.
Automation through Templates (KQL Templates)
To compensate for the lack of mastery of KQL among junior analysts, the platform natively includes “Quick query templates”. In one click, the operator can load a complex query pre-written and optimized by experts to:
- Identify suspicious processes (powershell.exe or cmd.exe).
- List failed network connections by IP.
- Isolate communications on high-risk ports (4444, 8080).
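As an added example (not one of Akuity's own templates), here is the kind of join the list above describes: it correlates cmd.exe and powershell.exe connections to ports 4444 and 8080 in DeviceNetworkEvents with the matching process-creation record in DeviceProcessEvents, and counts failed connections per remote IP. Table and column names follow the Microsoft Defender Advanced Hunting schema; the 7-day lookback, the 1-day PID-recycling guard and the private-IP filter are assumptions of this example.

```kql
// Added hunting example (not an Akuity template): shell processes talking to
// high-risk ports, enriched with their process-creation event.
let lookback = 7d;                                   // assumption
let riskyPorts = dynamic([4444, 8080]);              // ports named in the text
let shells = dynamic(["powershell.exe", "cmd.exe"]);
// Process-creation events for the shells of interest
let shellStarts = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ (shells)
    | project ProcStart = Timestamp, DeviceId, DeviceName, ProcessId,
              ProcessCommandLine, AccountName,
              ParentName = InitiatingProcessFileName;
// Connections those processes attempted (successful, failed or requested)
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName in~ (shells)
| where RemotePort in (riskyPorts)
| where ActionType in ("ConnectionSuccess", "ConnectionFailed", "ConnectionRequest")
| where not(ipv4_is_private(RemoteIP))      // assumption: Internet-bound only
| project ConnTime = Timestamp, DeviceId, DeviceName, ActionType,
          RemoteIP, RemotePort, ProcessId = InitiatingProcessId
// Correlate on device + PID, keeping only the creation event that precedes
// the connection so a recycled PID cannot produce a false match
| join kind=inner shellStarts on DeviceId, ProcessId
| where ProcStart <= ConnTime and ConnTime - ProcStart < 1d
| summarize Connections = count(),
            FailedConnections = countif(ActionType == "ConnectionFailed"),
            FirstSeen = min(ConnTime), LastSeen = max(ConnTime),
            Ports = make_set(RemotePort)
    by DeviceName, AccountName, ParentName, ProcessCommandLine, RemoteIP
| order by Connections desc
```

The resulting rows (one per device, command line and remote IP) are the ones an analyst would feed to the reputation lookups described below.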
A Dynamic Results Grid
The results returned by Microsoft Defender are no longer cold CSV files to download. They are instantly displayed in an interactive results grid within the console. The analyst can sort, filter and, most importantly, assess the reputation of discovered IP addresses or domains with a single click thanks to the integration of AlienVault OTX and Google Web Risk.
Conclusion: Hunt faster, protect better
Threat Hunting should no longer be a luxury reserved for companies with an unlimited budget for L3 analysts. By centralizing and automating the execution of KQL queries, you give your teams the means to systematically track persistent threats across all of your clients.
Want to democratize proactive investigation in your SOC? Discover our Threat Hunting Centralized KQL console for MSSPs and run your queries at scale.