Steps
- Form a specific hypothesis based on threat intelligence, recent incidents, or known TTP gaps
- Define the scope: systems, time window, data sources, and success criteria for the hunt
- Identify the telemetry sources needed: endpoint logs, network flows, authentication events, cloud audit trails
- Collect and normalize data from relevant sources into an analysis-ready format
- Query for indicators or behavioral patterns matching your hypothesis
- Investigate anomalies: pivot from a suspicious event to related processes, network connections, and accounts
- Validate findings by corroborating evidence across multiple data sources
- Document all activity with timestamps, queries run, and evidence collected
- If confirmed malicious, escalate to incident response with a handoff brief
- If no findings, document the negative result to validate coverage and retire the hypothesis
- Convert any new detection logic or IoCs into automated alerts or dashboards
- Share lessons learned with the SOC team and update the hunt library for reuse
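The steps above, worked end to end as an added example (not code from the original page): a small Python hunt harness that normalizes three constructed telemetry sources, queries for one hypothesis, pivots to related network and authentication events, corroborates across sources, and writes a documented result with a proposed alert. The hypothesis, the 60-second follow-on window, the baseline address range and every log record are assumptions constructed for the example.

```python
"""Threat-hunt harness (added example): normalizes constructed telemetry,
tests one hypothesis, corroborates across sources, and documents the result."""
import ipaddress
import json
from datetime import datetime, timedelta

# Steps 1-2: hypothesis and scope. All values here are constructed for the example.
HYPOTHESIS = ("A document application spawns a scripting interpreter that opens "
              "an outbound connection within 60 s, under an account whose logon "
              "came from a source address outside the baseline range.")
SCOPE = {"window": ("2024-05-01T00:00:00", "2024-05-02T00:00:00"),
         "hosts": {"ws-101", "ws-102"}}
DOC_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}
INTERPRETERS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BASELINE_LOGON_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed "normal" logon sources
FOLLOW_ON_WINDOW = timedelta(seconds=60)

# Steps 3-4: three constructed telemetry sources (not real logs), normalized below.
ENDPOINT = [  # process-creation events
    {"ts": "2024-05-01T10:00:00", "host": "ws-101", "user": "alice", "pid": 400, "ppid": 1, "image": "winword.exe"},
    {"ts": "2024-05-01T10:00:05", "host": "ws-101", "user": "alice", "pid": 412, "ppid": 400, "image": "powershell.exe"},
    {"ts": "2024-05-01T09:30:00", "host": "ws-102", "user": "bob", "pid": 500, "ppid": 1, "image": "explorer.exe"},
    {"ts": "2024-05-01T09:30:10", "host": "ws-102", "user": "bob", "pid": 520, "ppid": 500, "image": "powershell.exe"},
    {"ts": "2024-05-01T11:00:00", "host": "ws-101", "user": "alice", "pid": 430, "ppid": 400, "image": "cscript.exe"},
]
NETWORK = [  # outbound flows, attributed to a pid by the endpoint sensor
    {"ts": "2024-05-01T10:00:20", "host": "ws-101", "pid": 412, "dst": "203.0.113.10", "dport": 443},
    {"ts": "2024-05-01T09:31:00", "host": "ws-102", "pid": 520, "dst": "10.1.2.3", "dport": 445},
    {"ts": "2024-05-01T11:30:00", "host": "ws-101", "pid": 430, "dst": "10.5.5.5", "dport": 80},
]
AUTH = [  # successful interactive logons
    {"ts": "2024-05-01T09:58:00", "host": "ws-101", "user": "alice", "src": "198.51.100.7"},
    {"ts": "2024-05-01T09:20:00", "host": "ws-102", "user": "bob", "src": "10.0.0.50"},
]


def normalize(records, source):
    """Step 5: parse timestamps, tag the source, drop records outside the hunt scope."""
    start, end = (datetime.fromisoformat(t) for t in SCOPE["window"])
    out = []
    for r in records:
        rec = dict(r, ts=datetime.fromisoformat(r["ts"]), source=source)
        if start <= rec["ts"] < end and rec["host"] in SCOPE["hosts"]:
            out.append(rec)
    return sorted(out, key=lambda r: r["ts"])


def hunt(endpoint, network, auth):
    """Steps 6-8: query for the pattern, pivot to related data, and corroborate.
    Returns one finding per candidate process with the sources that confirmed it."""
    findings = []
    for proc in endpoint:
        if proc["image"] not in INTERPRETERS:
            continue
        parent = next((p for p in endpoint if p["host"] == proc["host"]
                       and p["pid"] == proc["ppid"] and p["image"] in DOC_APPS), None)
        if parent is None:
            continue  # interpreter launched by something other than a document app
        evidence = [parent, proc]
        # Pivot 1: an outbound flow from the same process shortly after launch.
        flow = next((f for f in network if f["host"] == proc["host"] and f["pid"] == proc["pid"]
                     and proc["ts"] <= f["ts"] <= proc["ts"] + FOLLOW_ON_WINDOW), None)
        # Pivot 2: the account's most recent logon on that host, and where it came from.
        logon = next((a for a in reversed(auth) if a["host"] == proc["host"]
                      and a["user"] == proc["user"] and a["ts"] <= proc["ts"]), None)
        unusual_logon = logon is not None and ipaddress.ip_address(logon["src"]) not in BASELINE_LOGON_NET
        corroborated = ["endpoint"] + (["network"] if flow else []) + (["auth"] if unusual_logon else [])
        evidence += [e for e in (flow, logon) if e]
        findings.append({"host": proc["host"], "user": proc["user"], "pid": proc["pid"],
                         "corroborated_by": corroborated, "evidence": evidence})
    return findings


def report(findings, hunt_ts):
    """Steps 9-12: document the hunt, decide escalate vs. negative result, and
    propose detection logic for a fully corroborated pattern."""
    confirmed = [f for f in findings if len(f["corroborated_by"]) == 3]
    doc = {
        "hunt_ts": hunt_ts.isoformat(),
        "hypothesis": HYPOTHESIS,
        "scope": {"window": SCOPE["window"], "hosts": sorted(SCOPE["hosts"])},
        "query": "interpreter child of DOC_APPS; flow from same pid within 60 s; logon src outside baseline",
        "candidates": len(findings),
        "verdict": "escalate" if confirmed else "negative",
        "confirmed": [{"host": f["host"], "user": f["user"], "pid": f["pid"],
                       "evidence": [dict(e, ts=e["ts"].isoformat()) for e in f["evidence"]]}
                      for f in confirmed],
        "proposed_alert": None,
    }
    if confirmed:  # step 12: hand the confirmed pattern to detection engineering
        doc["proposed_alert"] = {"parent_image": sorted(DOC_APPS), "child_image": sorted(INTERPRETERS),
                                 "outbound_within_seconds": int(FOLLOW_ON_WINDOW.total_seconds())}
    return doc


def run_hunt():
    findings = hunt(normalize(ENDPOINT, "endpoint"), normalize(NETWORK, "network"), normalize(AUTH, "auth"))
    return findings, report(findings, datetime(2024, 5, 2, 8, 0, 0))


if __name__ == "__main__":
    _, doc = run_hunt()
    print(json.dumps(doc, indent=2))
```

On the constructed data the harness yields two candidates: pid 412 is corroborated by all three sources and drives an "escalate" verdict with a proposed alert, while pid 430 matches only the endpoint and auth pivots (its flow falls outside the 60-second window) and stays documented as a partial match rather than an escalation. A negative run produces the same report with `verdict: negative`, which is the record step 11 asks for.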
When to use
Run threat hunts on a scheduled cadence, after a major incident to rule out similar compromise, or when threat intelligence indicates a relevant TTP that your existing detections may miss.
