Skip to main content

Overview

Threat hunting is the proactive process of searching for cyber threats that may have evaded automated detection systems. UTMStack provides comprehensive tools for threat hunters to explore data, test hypotheses, and discover advanced threats. Primary hunting capabilities are available through /discover (log analysis), /threat-intelligence (threat intel), and /data (data management).

Hypothesis-Driven

Develop and test threat hypotheses based on TTPs

Data Exploration

Query and analyze security data at /discover

Threat Intelligence

Leverage threat intel from /threat-intelligence

Pattern Recognition

Identify anomalous patterns and behaviors

Threat Hunting Methodology

Hunting Approaches

Hypothesis-Driven

Start with specific threat hypothesis based on intelligence or experience

Baseline-Driven

Identify deviations from established baselines of normal activity

Model-Driven

Use behavioral models and analytics to detect anomalies

The Hunting Loop

1

Develop Hypothesis

Create a testable hypothesis about potential threat activity based on:
  • Threat intelligence from /threat-intelligence
  • Known attack techniques (MITRE ATT&CK)
  • Environment-specific risks
  • Recent security incidents from /incident
2

Collect Data

Identify and access relevant data sources at /data and /data-sources:
  • Network traffic logs
  • Endpoint telemetry
  • Authentication logs
  • Cloud service logs
  • Application logs
3

Analyze Data

Query and explore data using /discover to search for indicators:
  • Apply filters and search queries
  • Visualize patterns and trends
  • Correlate across multiple data sources
4

Investigate Findings

Deep dive into suspicious activity:
  • Gather additional context
  • Pivot to related events
  • Timeline reconstruction
  • Asset and user profiling from /data-sources
5

Respond

Take appropriate action based on findings:
  • Create alert rules at /alerting-rules for detection
  • Create incident at /incident if threat confirmed
  • Trigger SOAR playbook at /soar for remediation
6

Document

Record hunt results and share knowledge:
  • Document hunting methodology
  • Share IOCs and TTPs with team
  • Update detection rules
  • Create dashboards at /dashboard

Hunting with Log Discovery

Using the Discover Interface

The /discover interface provides powerful log analysis capabilities:

Search Queries

Full-text search across all indexed log data

Field Filtering

Filter by specific fields and values

Time Range

Narrow searches to specific time periods

Field Statistics

View top values and distributions

Pattern Detection

Identify patterns in log data

Export Results

Export hunt results for further analysis

Advanced Search Techniques

Boolean Operators

# Find failed login attempts from external IPs
event.type:"authentication" AND result:"failure" AND NOT source.ip:10.0.0.0/8

# Detect PowerShell execution with suspicious parameters
process.name:"powershell.exe" AND (command_line:*"DownloadString"* OR command_line:*"IEX"*)

# Identify lateral movement attempts
event.category:"network" AND destination.port:(445 OR 3389 OR 5985) AND NOT source.ip:"known_admin_workstation"

Field Aggregations

  • Top N Analysis - Identify most frequent values (e.g., top talking hosts)
  • Unique Counts - Count distinct values (e.g., unique users per system)
  • Rare Item Detection - Find infrequent values that may be suspicious
  • Temporal Analysis - Analyze activity patterns over time

Common Hunting Queries

Hunt for credential theft and abuse:
# Excessive failed logins (password spraying)
event.type:"authentication" AND result:"failure" 
| stats count by source.ip, user.name
| where count > 10

# Successful login after many failures (successful spray)
event.type:"authentication"
| stats count by result, user.name, source.ip
| where result="failure" count > 5 AND result="success" count > 0

# Kerberoasting attempts
event.code:"4769" AND ticket_encryption_type:"0x17"
Identify adversary movement across the network:
# Unusual RDP sessions
event.type:"network" AND destination.port:3389
AND NOT source.ip:(admin_subnet)

# SMB admin share access from workstations
event.category:"file" AND file.path:("\\\\*\\C$" OR "\\\\*\\ADMIN$")
AND source.device_type:"workstation"

# PSExec or WMI execution
process.name:("psexec.exe" OR "wmic.exe") 
AND process.command_line:*"process call create"*
Detect C2 communications:
# Beaconing behavior (regular intervals)
network.connection_type:"outbound"
| stats count by destination.ip, time_bucket(5m)
| where count > 10 AND stddev(count) < 2

# Suspicious DNS queries
dns.question_type:("TXT" OR "NULL") 
OR dns.query_length > 50
OR dns.subdomain_count > 4

# Unusual outbound connections
network.direction:"outbound" 
AND destination.port:(4444 OR 8080 OR 1337)
AND NOT destination.ip:(known_cloud_services)
Hunt for data theft activity:
# Large outbound data transfers
network.direction:"outbound" AND network.bytes > 10000000
| stats sum(network.bytes) by source.ip, destination.ip

# Unusual cloud uploads
url.domain:("drive.google.com" OR "dropbox.com" OR "wetransfer.com")
AND http.method:"POST" AND http.response_size > 1000000

# File compression before transfer
process.name:("7z.exe" OR "winrar.exe" OR "zip.exe")
AND file.path:*"\\\\Users\\\\*\\\\Documents\\\\"*
Identify persistence techniques:
# Registry Run key modifications
registry.path:("*\\\\Run\\\\*" OR "*\\\\RunOnce\\\\*")
AND registry.operation:("add" OR "modify")

# Scheduled task creation
event.category:"scheduled_task" 
AND event.action:("created" OR "modified")
AND task.actions:*

# Service installation
event.type:"service" AND event.action:"installed"
AND NOT service.name:(known_software_services)

# Startup folder modifications
file.path:*"\\\\StartUp\\\\"* AND file.operation:("create" OR "modify")

Threat Intelligence Integration

Leveraging Threat Intel

Use /threat-intelligence to enhance hunting:
1

Review Current Threats

Navigate to /threat-intelligence to review latest threat intelligence:
  • Active threat campaigns
  • Known IOCs (IPs, domains, hashes)
  • Adversary TTPs and behaviors
2

Extract Hunting Leads

Identify specific indicators and behaviors to hunt for:
  • Extract IOCs for searching
  • Note adversary TTPs mapped to MITRE ATT&CK
  • Identify relevant data sources
3

Search for Indicators

Query logs at /discover for threat intelligence matches:
  • Search for specific IOCs
  • Look for behavioral patterns
  • Check historical data for past presence
4

Expand Investigation

Pivot from initial findings to uncover full scope:
  • Related network connections
  • Associated file activity
  • Correlated user actions

IOC Hunting

Search for indicators of compromise:

IP Addresses

Search network logs for connections to malicious IPs

Domain Names

Check DNS queries and HTTP traffic for malicious domains

File Hashes

Look for known malicious file hashes in endpoint data

File Paths

Search for suspicious file locations and names

Registry Keys

Identify malicious registry modifications

User Agents

Detect anomalous or malicious user agent strings

MITRE ATT&CK Framework

Hunting by Tactic

Organize hunts around MITRE ATT&CK tactics:

Initial Access

Phishing, exploits, supply chain compromise

Execution

PowerShell, scripts, command-line tools

Persistence

Registry, scheduled tasks, services

Privilege Escalation

Token manipulation, exploitation

Defense Evasion

Obfuscation, disabling security tools

Credential Access

Credential dumping, keylogging

Discovery

Network scanning, system enumeration

Lateral Movement

Remote services, internal spear phishing

Collection

Data staging, screen capture

Command & Control

C2 channels, proxy usage

Exfiltration

Data transfer, exfiltration to cloud

Impact

Data destruction, ransomware

Technique-Based Hunts

Create hunts for specific ATT&CK techniques:
1

Select Technique

Choose a specific MITRE ATT&CK technique (e.g., T1059.001 - PowerShell)
2

Research Detection

Review detection guidance and data sources required
3

Build Query

Create search query at /discover to detect technique usage
4

Validate Detection

Test query against known-good and known-bad samples
5

Hunt Historical Data

Search historical logs for past technique usage
6

Create Detection Rule

Convert successful hunt into alert rule at /alerting-rules

Asset and User Profiling

Baseline Normal Behavior

Establish baselines using /data-sources and /discover:

User Baselines

  • Typical login times and locations
  • Common accessed resources
  • Normal network activity patterns
  • Standard application usage

Asset Baselines

  • Expected network connections
  • Normal process execution
  • Typical resource utilization
  • Standard service configurations

Anomaly Detection Workflow

1

Define Normal

Query historical data at /discover to establish baseline behavior over 30+ days
2

Identify Outliers

Look for activities that deviate from baseline:
  • Unusual login times or locations
  • First-time network connections
  • New processes or services
  • Abnormal data volumes
3

Investigate Anomalies

Examine outliers for malicious indicators:
  • Check threat intelligence at /threat-intelligence
  • Review asset context from /data-sources
  • Correlate with other security events
4

Determine Legitimacy

Classify anomalies as:
  • Benign (new business activity)
  • Suspicious (requires monitoring)
  • Malicious (incident response required)

Hunting Frameworks and Methodologies

Sqrrl Threat Hunting Loop

  1. Create Hypothesis - Develop educated guess about attacker behavior
  2. Investigate via Tools - Use /discover and other tools to test hypothesis
  3. Discover New Patterns - Uncover new attack patterns and TTPs
  4. Inform and Enrich Analytics - Feed findings into detection systems

TaHiTI Framework

Threat Hunting Maturity Model levels:
LevelDescriptionCharacteristics
TH0InitialAd-hoc, reactive hunting based on alerts
TH1MinimalRoutine collections, basic hypothesis testing
TH2ProceduralData analysis procedures, hunt procedures
TH3InnovativeNovel techniques, custom analytics
TH4LeadingAutomate successful hunts, create new TTPs

Hunt Documentation

Recording Hunt Results

Always document your hunts, even if they don’t find threats. Negative results are valuable for tracking coverage.
Document the following:
  1. Hypothesis - What you were hunting for and why
  2. Data Sources - Which logs and systems were analyzed
  3. Queries Used - Specific search queries from /discover
  4. Findings - What was discovered (threats or absence of threats)
  5. IOCs Identified - Any indicators found during the hunt
  6. Actions Taken - Rules created, incidents opened, etc.
  7. Recommendations - Improvements to detection or security posture
  8. Time Investment - Hours spent on the hunt

Creating Hunting Dashboards

1

Identify Key Metrics

Determine what metrics help monitor hunt targets
2

Build Visualizations

Create charts at /creator for monitoring hunt areas
3

Create Dashboard

Compile visualizations into hunting dashboard at /dashboard
4

Schedule Reviews

Regularly review hunting dashboards for anomalies

Converting Hunts to Detections

Hunt to Alert Workflow

1

Validate Hunt Findings

Confirm the hunt query reliably detects the threat
2

Optimize Query

Refine search to minimize false positives while maintaining detection
3

Test Against Benign

Verify query doesn’t trigger on legitimate activity
4

Create Alert Rule

Navigate to /alerting-rules and create detection rule from hunt query
5

Configure Actions

Set appropriate severity, notifications, and SOAR actions at /soar
6

Enable and Monitor

Activate rule and track false positive rate
7

Document Hunt Source

Note that rule originated from hunt for future reference

Hunting Tools and Techniques

Statistical Analysis

Frequency Analysis

Identify rarely occurring events that may be suspicious

Stack Ranking

Compare similar items to find outliers (e.g., processes by hash)

Time Series

Detect temporal anomalies and patterns

Clustering

Group similar behaviors to identify outliers

Data Pivoting

Pivot from initial findings to expand investigation:
  1. IP Pivot - Find all activity from suspicious IP
  2. User Pivot - Investigate all actions by suspicious user
  3. Hash Pivot - Locate all instances of suspicious file
  4. Domain Pivot - Find related domain infrastructure
  5. Time Pivot - Examine activity in time window around event
  6. Process Pivot - Track parent-child process relationships

Collaboration and Sharing

Hunt Team Coordination

Hunt Calendar

Schedule regular hunt missions and assign responsibilities

Hypothesis Sharing

Share hunt ideas and collaborate on hypothesis development

Results Review

Regular meetings to review hunt findings and share techniques

Knowledge Base

Maintain repository of hunt queries and methodologies

Threat Intelligence Sharing

Share hunt findings:
  • Internal - Update /threat-intelligence with discovered IOCs and TTPs
  • External - Contribute to ISACs and threat intelligence communities
  • Detection Rules - Share successful hunt-derived rules at /alerting-rules
  • Hunt Reports - Document and share hunt methodologies

Best Practices

Effective Hunting

  1. Start with Intelligence - Use threat intel from /threat-intelligence to guide hunts
  2. Document Everything - Record all hunts, findings, and queries
  3. Focus on High-Value - Hunt in areas with greatest risk or visibility gaps
  4. Regular Cadence - Schedule recurring hunts (weekly, monthly)
  5. Convert to Detection - Turn successful hunts into automated rules
  6. Share Knowledge - Collaborate with team and broader community
  7. Measure Progress - Track hunts conducted, threats found, rules created

Common Pitfalls to Avoid

Avoid these common hunting mistakes:
  • Over-reliance on IOCs - Focus on behaviors, not just indicators
  • Analysis Paralysis - Set time limits for hunt missions
  • Ignoring Negative Results - Document hunts that find nothing
  • Poor Documentation - Always record methodology and findings
  • Hunting in Isolation - Collaborate with team members
  • Forgetting to Close Loop - Convert findings to automated detection

Log Discovery

Primary interface for hunting in log data

Threat Intelligence

Leverage threat intel for hunt hypotheses

Alerting Rules

Convert hunts to automated detection

Data Sources

Understand available data for hunting

Build docs developers (and LLMs) love

Get started for freeTalk to us