Lab 13: Threat Hunting Fundamentals
Building structured threat‑hunting workflows and hypothesis‑driven queries.

Objective – Lab goal

This lab introduces the fundamentals of threat hunting: hypothesis‑driven investigation, structured queries, and repeatable workflows. You’ll build your first hunting playbook and run hunts across authentication, system, and network logs.

  • Outcome 1: Understand the threat‑hunting lifecycle.
  • Outcome 2: Build hypothesis‑driven hunting queries.
  • Outcome 3: Create a repeatable hunting workflow.
  • Outcome 4: Document findings and next steps.

Deliverables – End‑of‑lab checklist

  • DL13.1: Documented hunting workflow.
  • DL13.2: Three hunting hypotheses created.
  • DL13.3: Hunting queries executed in SIEM.
  • DL13.4: Findings documented with screenshots.
  • DL13.5: Next‑step improvements identified.

Lab Steps – Step‑by‑step instructions

Step 1 – Learn the Threat‑Hunting Lifecycle

~20 minutes
  1. Review the four stages:
    • Hypothesis creation
    • Data collection
    • Investigation
    • Documentation & feedback
  2. Identify which SIEM dashboards support each stage.

Step 2 – Create Hunting Hypotheses

~45 minutes
  1. Create three hypotheses, such as:
    • “A compromised account is performing unusual authentication attempts.”
    • “A host is making suspicious outbound DNS queries.”
    • “A workstation is scanning internal network ranges.”
  2. Map each hypothesis to relevant log sources.

Step 3 – Build Hunting Queries

~60 minutes
  1. Use your SIEM query language to build structured hunts:
    • Failed logon spikes
    • Unusual DNS domains
    • High‑volume network connections
  2. Save queries for reuse in future hunts.

Step 4 – Document Findings & Build Workflow

~45 minutes
  1. Create a hunting workflow including:
    • Hypothesis
    • Data sources
    • Query
    • Findings
    • Next steps
  2. Document findings with screenshots.
  3. Identify improvements for future hunts.
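The three hypotheses from Step 2, turned into the hunts of Step 3 and wrapped in the workflow record of Step 4, as an added example that is not part of the lab handout. The hunts run over small constructed log samples (field names such as user, result, query, src and dst are assumptions, not a real SIEM schema), so you can compare the logic with your own SIEM query language.

```python
# Added example (not from the lab): three hypothesis-driven hunts over constructed
# log samples, each wrapped in a findings record carrying the Step 4 workflow fields.
# Field names (user, result, query, src, dst) are assumptions, not a real SIEM schema.
import math
from collections import Counter, defaultdict

AUTH_LOGS = ([{"user": "alice", "result": "FAIL"}] * 6  # constructed sample events
             + [{"user": "bob", "result": "FAIL"}] * 2 + [{"user": "bob", "result": "SUCCESS"}])
DNS_LOGS = [{"host": "ws01", "query": q} for q in
            ("mail.example.com", "k3j9x2mq8v7zp4.example.net", "cdn.example.org")]
NET_LOGS = ([{"src": "10.0.0.5", "dst": f"10.0.1.{i}"} for i in range(1, 16)]
            + [{"src": "10.0.0.7", "dst": d} for d in ("10.0.1.1", "10.0.1.2")])

def hunt_failed_logon_spikes(events, threshold=5):
    """Hypothesis 1: accounts whose failed-logon count reaches the threshold."""
    fails = Counter(e["user"] for e in events if e["result"] == "FAIL")
    return {user: n for user, n in fails.items() if n >= threshold}

def label_entropy(label):
    """Shannon entropy (bits per char) of a DNS label; random-looking labels score high."""
    probs = [c / len(label) for c in Counter(label).values()]
    return -sum(p * math.log2(p) for p in probs)

def hunt_unusual_dns(events, min_entropy=3.5):
    """Hypothesis 2: queried names whose leftmost label looks machine-generated."""
    return sorted({e["query"] for e in events
                   if label_entropy(e["query"].split(".")[0]) >= min_entropy})

def hunt_internal_scanning(events, min_hosts=10):
    """Hypothesis 3: sources contacting many distinct destinations (scan-like fan-out)."""
    fanout = defaultdict(set)
    for e in events:
        fanout[e["src"]].add(e["dst"])
    return {src: len(dsts) for src, dsts in fanout.items() if len(dsts) >= min_hosts}

def findings_record(hypothesis, data_sources, query, findings):
    """One Step 4 workflow entry per hunt: hypothesis, data sources, query, findings, next steps."""
    next_steps = "investigate hits; pivot on host/user" if findings else "tune threshold; widen window"
    return {"hypothesis": hypothesis, "data_sources": data_sources, "query": query,
            "findings": findings, "next_steps": next_steps}

def run_playbook():
    """Run the three hunts from Step 2 and return their documented findings."""
    return [
        findings_record("A compromised account is performing unusual authentication attempts.",
                        ["auth"], "failed logons per user >= 5", hunt_failed_logon_spikes(AUTH_LOGS)),
        findings_record("A host is making suspicious outbound DNS queries.",
                        ["dns"], "leftmost-label entropy >= 3.5", hunt_unusual_dns(DNS_LOGS)),
        findings_record("A workstation is scanning internal network ranges.",
                        ["netflow"], "distinct dst per src >= 10", hunt_internal_scanning(NET_LOGS)),
    ]
```

Each record in run_playbook() maps directly onto the workflow fields you document in Step 4, so the thresholds you settle on become part of the saved, reusable query.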

Reflection – What you should understand now

  • Methodology: How structured hunting improves detection.
  • Queries: How to build hypothesis‑driven searches.
  • Workflow: How repeatable processes accelerate investigations.

With your first hunting workflows complete, you’re ready to automate enrichment and response in Week 14.