After this lesson, you will be able to: Run hypothesis-driven hunts using SIEM/log data to find hidden threats.
Detection waits for alerts. Hunting starts with a hypothesis ('attackers using PowerShell base64 encoding'), forms a query, and looks for matches that aren't already alerted on. It's TI in action.
Hypothesis → Query → Investigate hits → Conclude (TP/FP/new detection) → Document → Repeat. Each hunt should produce either a finding OR a new automated detection.
Hypothesis: PowerShell base64 encoded commands (T1059.001):
index=windows EventCode=4104| where match(ScriptBlockText, "(?i)(FromBase64String|-EncodedCommand|-enc )")| stats count by Computer, User, ScriptBlockText| sort - count
Atomic indicators (low value) → Computed indicators → Behavioral patterns (high value). Hunt at the behavioral level. TTPs are stable, atomic IoCs decay.
Every hunt: hypothesis, query, time range, data sources, result, action taken. Even 'no findings' is valuable, proves you looked.
Sign in and purchase access to unlock this lesson.