Let’s talk about a nifty little Node.js application developed to simplify life when working with Microsoft Sentinel and Threat Hunting. If you’ve been banging your head against the wall trying to navigate Sentinel APIs (in preview) or trying to figure out how to upload and automate content to Sentinel (the new Threat Hunting/preview), this might just be the solution you’ve been waiting for. So, grab a coffee (or tea, no judgment here), and let’s dive in.
Picture this: You’re trying to manage hunting queries and hunts (collections of hunting queries) in Microsoft Sentinel, but the APIs are lightly documented, and you feel like you’re going to give up. huntsAPI is a layer on top of Microsoft APIs, deployed in Azure as an Enterprise App. It’s like a translator for Sentinel APIs, helping you manage hunts and queries in one place while adding a layer of abstraction that makes everything less headache-inducing.
This app recalls the work done by Wortell a couple of years ago with their PowerShell script, AZSentinel. Back then, possibilities were limited to just pushing queries into the StoredQuery repository. Fast forward to today—Sentinel has grown up a bit and now offers "preview" features like grouping hunts and running collections of queries in a single hunt. This app steps in to make these new features accessible and manageable; to deal with them directly, you would have to master a mix of the Sentinel REST API and the MicrosoftInsights API.
Let’s face it—Sentinel is powerful but not exactly user-friendly when it comes to its APIs. This app simplifies things by letting you:
And if you’re wondering why this is useful—imagine having all your hunting queries neatly organized locally, or having the possibility to provide content to Sentinel (yes, I know, a content provider would sound lovable here), which can change dynamically. Sounds good, right?
Here’s how you get started:
1. Run npm install (easy peasy).
2. Create a .env file with details like your Azure tenant ID, client ID, client secret, workspace name, etc. Ahh yes, not so easy.. read the README and get your daily challenge: setting up proper permissions (see next) and deploying the Enterprise App on Azure.
3. Once you’ve got everything set up, start the server with npm start, and voilà, the API is live at http://localhost:3001 (or whatever port you specify).
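As an added example (not code from the huntsAPI project), here is how a Node.js service of this kind can load those .env settings, fail fast when one is missing, keep the client secret out of logs, and build the client-credentials token request an Enterprise App uses against Azure Resource Manager. The variable names, the placeholder values and the choice of the client-credentials flow are assumptions, not the project’s real ones.

```javascript
// Added example, not from the huntsAPI project: fail-fast loading of the .env
// settings the post lists, plus the client-credentials token request an
// Enterprise App uses for Azure management APIs. Variable names are assumptions.
const REQUIRED = ['AZURE_TENANT_ID', 'AZURE_CLIENT_ID', 'AZURE_CLIENT_SECRET', 'WORKSPACE_NAME'];
const DEFAULT_PORT = 3001;

// Validate configuration up front so a missing secret fails at startup,
// not on the first Sentinel call. The returned object is never logged as-is.
function loadConfig(env = process.env) {
  const missing = REQUIRED.filter((k) => !env[k] || env[k].trim() === '');
  if (missing.length > 0) {
    throw new Error(`Missing required settings: ${missing.join(', ')}`);
  }
  const port = env.PORT ? Number(env.PORT) : DEFAULT_PORT;
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`Invalid PORT: ${env.PORT}`);
  }
  return {
    tenantId: env.AZURE_TENANT_ID,
    clientId: env.AZURE_CLIENT_ID,
    clientSecret: env.AZURE_CLIENT_SECRET,
    workspaceName: env.WORKSPACE_NAME,
    port,
  };
}

// Safe-to-log view of the config: the secret is replaced by a fixed marker.
function redact(config) {
  return { ...config, clientSecret: '***redacted***' };
}

// Build the OAuth2 client-credentials request for an Azure Resource Manager
// token (the Sentinel REST API sits behind ARM). Nothing is sent here; the
// caller performs the POST (e.g. with fetch) and keeps the token in memory only.
function buildTokenRequest(config) {
  const url = `https://login.microsoftonline.com/${encodeURIComponent(config.tenantId)}/oauth2/v2.0/token`;
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: config.clientId,
    client_secret: config.clientSecret,
    scope: 'https://management.azure.com/.default',
  });
  return { url, body: body.toString() };
}

// Constructed placeholder values (not a real tenant) so the file runs stand-alone.
const demo = loadConfig({ AZURE_TENANT_ID: 'tenant-placeholder', AZURE_CLIENT_ID: 'client-placeholder',
  AZURE_CLIENT_SECRET: 'secret-placeholder', WORKSPACE_NAME: 'workspace-placeholder' });
console.log(redact(demo), buildTokenRequest(demo).url);
```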
Now, let’s talk permissions. This app needs some specific ones to work its magic:
Application.ReadWrite.All is required for app registration. Keep in mind this is a broad, tenant-wide Microsoft Graph permission, so review it with whoever owns your identity platform.
user_impersonation is required for Sentinel operations.
Pro tip: Assign RBAC roles like Microsoft Sentinel Reader or Contributor at the workspace level for smooth sailing.
The repo includes some handy tools:
And yes, I still call it Swagger—it’s nostalgic!
The real beauty of this app lies in its ability to reverse-engineer how Sentinel APIs work. By correlating queries with hunts in ways that Microsoft hasn’t documented well yet, it opens up possibilities for advanced threat hunting workflows. Plus, it’s designed with enterprise use cases in mind—think scalability and seamless integration.
So there you have it—a tool that turns content management for Threat Hunting in Sentinel into something manageable (dare I say enjoyable? not yet.. but wait for the next drop :) ). Whether you’re an IT admin looking to streamline operations or a security analyst diving into threat hunting, these APIs have got your back.
Got questions or want to share your experience? Get in touch with us—I’d love to hear how this tool is helping you conquer Sentinel!
Happy hunting! 🚀