# Detailed Hunting Workflow - Building Threat Hunt Hypothesis Framework ## Phase 1: Data Collection and Querying ### Splunk SPL Query ```spl | makeresults | eval hypothesis="Adversaries may be using [TECHNIQUE] to [OBJECTIVE] against [TARGET] via [VECTOR]" | eval data_sources="[List required data sources]" | eval queries="[Specific SPL queries to test hypothesis]" | eval success_criteria="[What constitutes confirming/refuting hypothesis]" ``` ### KQL Query (Microsoft Defender for Endpoint) ```kql let HuntHypothesis = datatable(Component:string, Description:string) [ "Technique", "MITRE ATT&CK technique being hunted", "Target", "Systems or accounts in scope", "Data Sources", "Logs and telemetry required", "Indicators", "Observable evidence of technique", "Success Criteria", "What confirms or refutes hypothesis" ]; HuntHypothesis ``` ## Phase 2: Baseline and Anomaly Detection ### Step 2.1 - Establish Normal Behavior Baseline - Collect 30 days of historical data for the targeted technique - Document expected patterns, frequencies, and legitimate use cases - Identify known false positive sources and document exceptions - Build statistical baseline (mean, standard deviation) for key metrics ### Step 2.2 - Identify Anomalies - Compare current activity against the 30-day baseline - Flag events exceeding 3 standard deviations from normal - Prioritize anomalies by risk score and potential business impact - Cross-reference with threat intelligence for known IOCs ## Phase 3: Investigation and Correlation ### Step 3.1 - Deep Dive Analysis - For each anomaly, collect full process tree context - Correlate with network activity, file operations, and authentication events - Check binary signatures, file hashes, and certificate validity - Review user account context and access patterns ### Step 3.2 - Attack Chain Reconstruction - Map findings to MITRE ATT&CK kill chain stages - Identify initial access vector if applicable - Trace lateral movement and privilege escalation paths - Determine data access and potential exfiltration ## Phase 4: Validation and Response ### Step 4.1 - True/False Positive Determination - Verify findings with system owners and IT operations - Check change management records for authorized activities - Validate user context (authorized actions vs. compromised account) - Document determination rationale for each finding ### Step 4.2 - Response Actions - For confirmed threats: initiate incident response procedures - For detection gaps: create or update detection rules - For false positives: tune existing rules and update exclusions - Update threat hunting playbook with lessons learned ## Phase 5: Documentation and Reporting ### Step 5.1 - Hunt Report - Summarize hypothesis, methodology, and findings - Include all queries executed and their results - Document IOCs discovered and detection rules created - Provide recommendations for security improvements ### Step 5.2 - Knowledge Base Update - Add findings to threat intelligence platform - Update MITRE ATT&CK coverage heatmap - Share detection rules via Sigma format - Schedule follow-up hunts for related techniques