
Hypothesis-Driven Hunting for SOC Analysts, Detection Engineers, and Hunt Team Leads

Practical Threat Hunting in Microsoft 365

The Mission: Find the Attackers Your Rules Miss

Suppose your detection rules cover 30% of the ATT&CK techniques relevant to your environment. The other 70% is the hunting surface: evidence of compromise sitting in your logs, waiting for someone to look. This course teaches you to look systematically: ten hypothesis-driven hunt campaigns across the M365 stack, a structured methodology that turns ad hoc queries into repeatable operations, and the program-level material to build hunting into an organizational capability. Every exercise runs against your own environment. Your findings are real.

Hunt cycle, from hypothesis to detection rule (worked example from the course graphic):

Hypothesize: compromised accounts show authentication pattern anomalies. Source: threat intel, ATT&CK coverage gap, prior IR findings.
Scope: SigninLogs + AADNonInteractiveUserSignInLogs, 30-day window, all users. Boundaries are set before the first query runs.
Collect: KQL for first-seen device and first-seen location per user. Iterative queries: broad, then refined, then targeted.
Analyze: 3 accounts with a new device and a new country within 24 hours. Separate legitimate travel from account takeover.
Conclude: 1 confirmed compromise escalated to IR; 2 legitimate, documented. Negative findings are documented too and reduce organizational uncertainty.
Convert: hunt query to Sentinel analytics rule to permanent detection. What you hunted today, you detect automatically tomorrow.

17 modules, 10 campaigns, 3 phases, 30–40 hours.

The Hunt Cycle

Every campaign module in this course follows the same six-step cycle — the structure that turns ad hoc querying into repeatable, documented hunting operations:

1. Hypothesize — formulate a specific, testable hypothesis about attacker behavior. Grounded in threat intelligence, ATT&CK coverage gaps, or prior incident findings.

2. Scope — define boundaries before querying. Which data sources, what time window, what population. Prevents drowning in noise or missing the threat through tunnel vision.

3. Collect — execute KQL queries in Advanced Hunting or Sentinel. Iterative — broad queries narrow based on findings.

4. Analyze — separate legitimate activity from suspicious activity using contextual enrichment. This is where hunting judgment lives — the query is mechanical, the analysis is skill.

5. Conclude — confirm or refute the hypothesis. Document findings regardless of outcome. Negative findings reduce organizational uncertainty.

6. Convert — turn validated hunt queries into scheduled detection rules. What you hunted today, you detect automatically tomorrow. Every hunt makes the SOC permanently smarter.
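The Collect and Convert steps above, carried through on the first-seen device plus first-seen country hypothesis from the hunt cycle, as an added KQL example (written for this page, not a query from the course). It assumes Sentinel's standard SigninLogs schema (DeviceDetail.deviceId, LocationDetails.countryOrRegion, ResultType); the 30-day lookback, 7-day hunt window, and 24-hour pairing threshold are assumptions to tune per tenant.

```kql
// Added example, not from the course: first-seen device + first-seen country per user.
// Scope (step 2): SigninLogs, 30-day window, all users with at least 23 days of history.
let lookback = 30d;
let recent   = 7d;
let signins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == 0                                  // successful sign-ins only
    | extend DeviceId = tostring(DeviceDetail.deviceId),
             Country  = tostring(LocationDetails.countryOrRegion);
// Baseline: what each user normally signs in from, built from the first 23 days.
let baseline = signins
    | where TimeGenerated <= ago(recent)
    | summarize KnownDevices   = make_set(DeviceId, 1000),
                KnownCountries = make_set(Country, 100)
      by UserPrincipalName;
// Hunt window: the last 7 days, joined to the baseline. Users with no baseline drop
// out here; new joiners need a separate hunt rather than this one.
let hunt = signins
    | where TimeGenerated > ago(recent)
    | join kind=inner baseline on UserPrincipalName;
// First time each previously unseen device appears per user.
let newDevices = hunt
    | where isnotempty(DeviceId) and not(set_has_element(KnownDevices, DeviceId))
    | summarize NewDeviceFirstSeen = min(TimeGenerated) by UserPrincipalName, DeviceId;
// First time each previously unseen country appears per user.
let newCountries = hunt
    | where isnotempty(Country) and not(set_has_element(KnownCountries, Country))
    | summarize NewCountryFirstSeen = min(TimeGenerated), SampleIP = take_any(IPAddress)
      by UserPrincipalName, Country;
// Flag users whose first-seen device and first-seen country land within 24 hours
// of each other (a single sign-in that is new on both counts qualifies trivially).
newDevices
| join kind=inner newCountries on UserPrincipalName
| where abs(NewDeviceFirstSeen - NewCountryFirstSeen) <= 24h
| project UserPrincipalName, DeviceId, NewDeviceFirstSeen, Country, NewCountryFirstSeen, SampleIP
| order by NewDeviceFirstSeen desc
```

The result set is the Analyze input, not a verdict: each row still needs travel, HR, or helpdesk context before it is called a compromise or a legitimate trip. For the Convert step, the same query drops into a Sentinel scheduled analytics rule with a query period covering the lookback and a daily frequency, mapping UserPrincipalName to the Account entity and SampleIP to the IP entity, so tomorrow's new device plus new country pairs surface as incidents rather than waiting for the next hunt.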

Who this course is for

SOC analysts moving from reactive to proactive. You triage alerts and investigate incidents. This course teaches you to find the compromises that never generated an alert — the ones that live in your logs right now, undetected.

Detection engineers building hunt capability. You write analytics rules. This course teaches the methodology that identifies which rules you need next — by hunting for the threats your current rules miss and converting findings into new detections.

IR practitioners extending proactively. You investigate after detection. This course teaches you to investigate before detection — to find the attacker during the dwell time window, before they achieve their objective.

Hunt team leads building programs. Phase 3 covers cadence, prioritization, documentation, leadership reporting, and automation — the operational material for building a sustainable hunting capability.

Not for beginners. This course assumes working KQL proficiency, familiarity with Defender XDR and Sentinel, and access to an M365 environment. If you need those foundations, start with Mastering KQL on this platform.

Your environment is the lab

This course does not provide a synthetic lab environment. Every exercise runs against your production or developer M365 tenant. That is not a limitation — it is the point.

A lab gives you practice. Your environment gives you results. When you run the authentication anomaly hunt from TH4 against your own SigninLogs, the findings are real security findings in your organization. When you run the OAuth application audit from TH6, you discover the actual unsanctioned applications with high-privilege access in your tenant. When you run the ransomware pre-encryption indicator hunt from TH12, you are checking your actual endpoints for actual indicators of compromise.

The course functions as a structured security audit of your M365 environment while teaching you the methodology to repeat it independently. Every hunt campaign you complete produces real findings, real detection rules, and real documentation — not lab flags.

Course Syllabus

TH4
Hunt: Anomalous Authentication Patterns — Per-user authentication baselines. Impossible travel (custom, tunable). First-seen device + location combinations. Service principal anomalies. MFA method changes after risky sign-ins. Token replay in non-interactive logs.
TH5
Hunt: Mailbox Rule Abuse and Email Manipulation — Inbox rules via Graph API. External forwarding and redirect. Financial keyword interception. Temporal correlation with risky sign-ins. Mailbox delegation changes. Transport rule manipulation.
TH6
Hunt: OAuth Application and Consent Abuse — High-privilege app inventory. User-consented vs admin-consented. App registration by non-IT users. Service principal sign-in anomalies. Data access volume disproportionate to purpose. Dormant high-permission applications.
TH7
Hunt: Privilege Escalation and Role Abuse — Role assignments outside PIM. Global Admin activation patterns. Conditional access policy weakening. Security group manipulation. Emergency access account usage.
TH8
Hunt: Data Exfiltration via M365 Services — Download volume baselines with time-series anomaly detection. Unmanaged device access. External sharing to consumer domains. Bulk file access patterns. Teams external sharing with download.
TH9
Hunt: Endpoint Persistence and Living-off-the-Land — Scheduled task anomalies. Registry autostart modifications. Office child process spawning. LOLBin usage with network connections. WMI persistence. Process tree analysis with graph semantics.
TH10
Hunt: Lateral Movement in Hybrid Environments — NTLM anomalies. Kerberos from unusual sources. RDP from non-admin endpoints. LDAP reconnaissance patterns. Azure AD Connect abuse. Cloud-to-on-prem pivot correlation.
TH11
Hunt: Shadow IT and Unsanctioned Cloud Application Usage — Cloud app discovery inventory. AI tool usage with corporate data. Data uploads to unsanctioned services. Personal webmail and VPN usage. OAuth grants to non-approved applications.
TH12
Hunt: Ransomware Pre-Encryption Indicators — Volume shadow copy deletion. Backup disruption. Reconnaissance tool execution. Credential dumping indicators. SMB mass access patterns. Staging directories. C2 beaconing with time-series analysis.
TH13
Hunt: Insider Threat Behavioral Indicators — Access pattern changes for flagged users. Off-hours bulk access. Sensitive document access by non-standard users. USB usage. Multi-channel exfiltration correlation. Behavioral baselining per user.
TH14
Building a Hunt Program: Cadence, Prioritization, and Resourcing — Hunt cadence models (weekly, biweekly, monthly). Prioritization frameworks. Staffing models (dedicated, rotational, hybrid). Hunt-to-detection pipeline. Integration with SOC workflows. Hunt program charter template.
TH15
Hunt Documentation, Reporting, and Knowledge Management — Hunt documentation standard. Negative finding value. Leadership reporting in business language. Hunt knowledge base. Program metrics: MTTD improvement, coverage closure rate, hunt discovery rate. Technical and executive report templates.
TH16
Scaling Hunts: Automation, Notebooks, and Continuous Hunting — Scheduled hunting queries. Sentinel hunt management. Bookmarks and search jobs. Jupyter notebooks with MSTICPy. Hunting workbooks. The maturity continuum: ad hoc → structured → scheduled → intelligence-driven.

What makes this course different

Campaigns, not concepts

Other courses teach you what threat hunting is. This course teaches you how to do it — ten complete hunt campaigns, each with hypotheses, scoped queries, analysis guidance, decision points, and detection rule outputs. You finish each module able to run that campaign in your environment tomorrow.

Hunt-to-detection pipeline

Every hunt campaign ends with detection conversion — the validated hunt query becomes a scheduled analytics rule. This is the mechanism that makes hunting self-funding: every successful hunt permanently reduces the detection gap. No other hunting course teaches this systematically.

Real findings, not lab flags

Every exercise runs against your own M365 environment. The OAuth application hunt discovers your actual unsanctioned apps. The authentication anomaly hunt identifies your actual suspicious sign-ins. The ransomware indicator hunt checks your actual endpoints. This course is simultaneously training and a security audit.

Program operations included

Phase 3 covers what no other hunting course addresses: how to build a hunt program your organization can sustain. Cadence, staffing, prioritization, leadership reporting, metrics, automation. The content that transforms individual hunting skill into organizational capability.

Practitioner-authored

Written by an active CSOC analyst who hunts in production Microsoft 365 environments. The queries work. The analysis guidance reflects what real M365 data actually looks like — including the false positives, the ambiguous results, and the judgment calls that synthetic labs never surface.

How it connects

Mastering KQL builds query proficiency. SOC Operations provides the detection engineering foundation. Practical Incident Response teaches investigation after detection. This course teaches the proactive complement — finding the compromises before any rule fires, then converting findings into permanent detection capability.

Now available

Phase 1 free modules are available now — start with TH0 to quantify your detection gap and build the business case for hunting. Campaign modules (Phase 2) and operations modules (Phase 3) are actively being published.