Proactive

Hypothesis-Driven Hunting for Detection Engineers, Security Engineers, and Hunt Team Leads

Aligned to: MITRE ATT&CK · Mandiant tradecraft · Sigma rules · NIST CSF 2.0

Practical Threat Hunting in Microsoft 365

Find what your detection rules miss — systematically, repeatedly, with evidence.

Run hypothesis-driven threat hunts across the M365 stack. Build hunt hypotheses from ATT&CK coverage gaps and threat intelligence, write the KQL queries that test them, and execute ten complete hunt campaigns targeting identity compromise, cloud persistence, privilege escalation, email threats, data exfiltration, endpoint threats, lateral movement, and pre-ransomware activity. You finish with the methodology and the hunt library to build threat hunting into an organizational capability.


Text-based · Persistent labs on your own hardware · 2 free modules available now · 36 CPE credits · Content last updated: May 2026

What you'll deploy
10 complete hypothesis-driven hunt campaigns across identity, email, and endpoint
Hunt documentation templates with hypothesis, data sources, and findings
Sentinel hunting playbooks ready to schedule in your environment
Baseline queries that distinguish normal from anomalous in your tenant
Hunt-to-detection pipeline: every finding becomes an analytics rule
MITRE ATT&CK-mapped hunting coverage tracker
HUNT CYCLE — FROM HYPOTHESIS TO DETECTION RULE

HYPOTHESIZE — Compromised accounts show auth pattern anomalies. Source: threat intel + ATT&CK coverage gap + prior IR findings.

SCOPE — SigninLogs + AADNonInteractive | 30-day window | all users. Boundaries set before the first query runs.

COLLECT — KQL: first-seen device + first-seen location per user. Iterative queries — broad → refined → targeted.

ANALYZE — 3 accounts: new device + new country within 24 hours. Separate legitimate travel from account takeover.

CONCLUDE — 1 confirmed compromise → escalate to IR | 2 legitimate → document. Negative findings documented — reduces organizational uncertainty.

CONVERT — Hunt query → Sentinel analytics rule → permanent detection. What you hunted today, you detect automatically tomorrow.

Full program: 10 campaigns · 3 phases · 30–40 hours
View Pricing · Download Lab Pack · Take End of Course Exam → 40 CPE Credits

What you'll be able to do

Build hunt hypotheses from ATT&CK coverage gaps and threat intelligence
Write KQL hunt queries targeting identity, persistence, and exfiltration
Execute structured hunt campaigns across the M365 stack
Distinguish attacker activity from legitimate noise in hunt results
Build threat hunting into a repeatable organizational capability

The Hunt Cycle

Every hunt in this course follows the same structured methodology: form a hypothesis from threat intelligence or ATT&CK gaps, scope the hunt, collect and analyze data with KQL, document findings, and convert findings to detection rules. The hunt-to-detection pipeline ensures every hunt produces permanent monitoring — not just a one-time report.
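As an added illustration of the COLLECT and ANALYZE steps (this is example code written for this page, not one of the course's own hunt queries), the following KQL runs the hunt sketched in the Hunt Cycle box: per-user first-seen device and first-seen country across SigninLogs and AADNonInteractiveUserSignInLogs over a 30-day window, flagging accounts where both firsts fall within 24 hours. Column names are the standard Microsoft Sentinel schema for those two tables; the 7-day "new" threshold, the success-only filter and the 24-hour window are assumptions to tune to your tenant.

```kql
// Added example, not course material. Hypothesis: a compromised account shows a
// first-ever device AND a first-ever country within 24 hours of each other.
let lookback     = 30d;          // hunt window set in the SCOPE step
let baseline_end = ago(7d);      // sign-ins before this define what is "known" for a user
let window       = 24h;          // ANALYZE criterion: new device and new country within 24 h
// Normalise both sign-in tables to one schema. DeviceDetail/LocationDetails are
// dynamic in SigninLogs but JSON strings in the non-interactive table.
let Signins =
    union
        (SigninLogs
         | where TimeGenerated > ago(lookback) and ResultType == "0"   // successful sign-ins only
         | project TimeGenerated, UserPrincipalName,
                   DeviceId   = tostring(DeviceDetail.deviceId),
                   Country    = tostring(LocationDetails.countryOrRegion),
                   SigninType = "Interactive"),
        (AADNonInteractiveUserSignInLogs
         | where TimeGenerated > ago(lookback) and ResultType == "0"
         | extend Dev = parse_json(DeviceDetail), Loc = parse_json(LocationDetails)
         | project TimeGenerated, UserPrincipalName,
                   DeviceId   = tostring(Dev.deviceId),
                   Country    = tostring(Loc.countryOrRegion),
                   SigninType = "NonInteractive")
    | where isnotempty(UserPrincipalName) and isnotempty(Country);
// Only users with baseline history can have a meaningful "first seen".
let KnownUsers = Signins
    | where TimeGenerated <= baseline_end
    | distinct UserPrincipalName;
// First appearance of each (user, device) and (user, country) pair in the window;
// keep only pairs that first appear after the baseline period.
let NewDevices = Signins
    | where isnotempty(DeviceId)                       // unregistered devices carry no deviceId
    | summarize (DeviceFirstSeen, DeviceSigninType) = arg_min(TimeGenerated, SigninType)
        by UserPrincipalName, DeviceId
    | where DeviceFirstSeen > baseline_end;
let NewCountries = Signins
    | summarize CountryFirstSeen = min(TimeGenerated) by UserPrincipalName, Country
    | where CountryFirstSeen > baseline_end;
NewDevices
| where UserPrincipalName in (KnownUsers)
| join kind=inner NewCountries on UserPrincipalName
| where CountryFirstSeen between ((DeviceFirstSeen - window) .. (DeviceFirstSeen + window))
| project UserPrincipalName, DeviceId, DeviceFirstSeen, DeviceSigninType,
          Country, CountryFirstSeen,
          GapMinutes = datetime_diff('minute', CountryFirstSeen, DeviceFirstSeen)
| order by UserPrincipalName asc, DeviceFirstSeen asc
```

Each result row is one candidate for the ANALYZE step, not a finding: check whether the country matches known travel, whether the device is a freshly enrolled corporate machine, and whether the non-interactive sign-ins carry the same session. Rows with an empty deviceId are dropped, so sign-ins from unregistered browsers need a separate hunt keyed on browser and OS. For the CONVERT step, note that a Sentinel scheduled analytics rule can only look back 14 days, so the 30-day baseline either shrinks to 14 days or moves into a watchlist that the rule joins against.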

Who this course is for

SOC analysts moving from reactive to proactive. You triage alerts and investigate incidents. This course teaches you to find the compromises that never generated an alert.

Detection engineers building hunt capability. You write analytics rules. This course teaches the methodology that identifies which rules you need next — by hunting for the threats your current rules miss.

Hunt team leads building programs. Phase 3 covers cadence, prioritization, documentation, leadership reporting, and automation — the operational material for building a sustainable hunting capability.

Anyone with a genuine interest in threat hunting. Whatever your background — whether you're transitioning from another domain, early in your career, or exploring a new direction — if the subject interests you and you're willing to put in the work, this course is for you. Backgrounds vary. Motivation is what matters.

Your environment is the lab

This course does not provide a synthetic lab. Every exercise runs against your production or developer M365 tenant. When you run the identity compromise hunt from TH4 against your own SigninLogs, the findings are real security findings. The course functions as a structured security audit of your M365 environment while teaching you the methodology to repeat it independently.

What this produces

Ten complete hunt campaigns with documented hypotheses, KQL queries, and findings — targeting identity compromise, cloud persistence, privilege escalation, email threats, and pre-ransomware activity. A hunt library and methodology you deploy as an organizational capability — the work that catches the attacks the detection stack missed, which is how SOC analysts become threat hunters.

What you will be able to do

1. Execute threat hunts across M365 using the structured Hunt Cycle methodology — from hypothesis formation through data collection, analysis, and detection rule deployment.

2. Hunt for complete attack campaigns — not individual techniques. Each hunt module targets a multi-stage threat scenario across identity, email, endpoint, and cloud app domains.

3. Write advanced KQL queries for threat hunting — time-window analysis, statistical anomaly detection, behavioral baselining, and cross-table correlation.

4. Convert hunt findings into detection rules that deploy directly into Sentinel — closing the hunt-to-detection pipeline.

5. Build and manage a threat hunting program with hypothesis backlogs, hunt scheduling, metrics tracking, and integration with threat intelligence feeds.

Course at a glance

Modules: 17 (TH0–TH16) across 3 phases

Estimated duration: 30–40 hours (self-paced)

Format: Written content — annotated KQL queries, SVG diagrams, worked artifacts, knowledge checks

Free content: TH0–TH1 (2 modules) — no account required

Paid content: TH2–TH16 (15 modules) — Premium or Team subscription

Hunt campaigns: TH4–TH13 are threat-domain campaign hunts

Typical pace: ~5–10 weeks at 5 hrs/week

Hands-on labs: 8 interactive

MITRE ATT&CK coverage: 89 techniques mapped

Built by Ridgeline Cyber

Ridgeline Cyber Defence builds security operations training grounded in practical and operational experience. The team behind this course runs CSOC operations across on-prem, Splunk, and Microsoft 365 security stacks, Cisco and Palo Alto networks, and managed SOC partnerships.

Experience spans detection engineering, incident response, and DFIR investigation across on-prem, M365, and Linux environments — including leading cyber incident response engagements, deploying security controls and managing Governance, Risk and Compliance operations.

The investigation scenarios in this course are grounded in that operational work. The techniques, decision points, and mistakes are drawn from real investigations, sanitized and adapted for training.

What this course does NOT cover

Deliberate scope boundaries. If any of these is your primary need, the sibling course is the better fit.

Technical requirements

M365 environment: Production or developer tenant with Defender XDR and Sentinel. The hunts produce real findings in your own environment.

KQL proficiency: Working ability to write queries using where, project, summarize, extend, and joins. This course teaches advanced hunting patterns, not KQL fundamentals.

No commercial tools required. Everything runs in the Defender XDR advanced hunting portal and Sentinel.

How to get the most from this course

Recommended pace: 1–2 modules per week, 30–40 hours total.

Phase 1 is sequential. Complete TH0–TH3 in order — they build the methodology. Phase 2 campaigns (TH4–TH13) can be completed in any order based on your threat priorities.

Run every hunt against your own environment. A developer tenant works for practice, but your production environment produces real security value.

Support and community

Questions about course content: training@ridgelinecyber.com

Billing and account management: Self-service via your account page or training@ridgelinecyber.com

LinkedIn: Follow Ridgeline Cyber for operational security content and course updates

X: @RidgelineCyber

Course Syllabus

Three phases. TH0–TH1 are free — no account required.

Phase 2 — Hunt Campaigns

TH4
Hunting Identity Compromise — AiTM and token replay detection. Credential stuffing and password spray patterns. MFA bypass and fatigue attacks. Impossible travel (custom, tunable). Session hijacking via non-interactive token anomalies. Per-user authentication baselines across interactive and non-interactive sign-in tables.
TH5
Hunting Cloud Persistence Mechanisms — Inbox rule creation via Graph API and Outlook. Mail forwarding and redirect rules. OAuth consent persistence (user and admin). MFA method registration as persistence. Conditional access policy manipulation. Federated trust abuse. Temporal correlation of persistence actions with initial compromise indicators.
TH6
Hunting Privilege Escalation and Abuse — Role assignments outside PIM. Service principal credential abuse. Conditional access policy weakening. Admin consent grants for high-privilege applications. Emergency access account misuse. Global Admin activation anomalies. Security group manipulation for privilege inheritance.
TH7
Hunting Email-Based Threats — BEC patterns from compromised internal accounts. Internal phishing sent from legitimate mailboxes. Vendor email compromise detection. Mail flow rule manipulation. Auto-forwarding to external addresses. Financial keyword interception. Email campaign correlation with authentication anomalies.
TH8
Hunting Data Exfiltration — SharePoint and OneDrive bulk download anomalies with time-series analysis. External sharing link creation to consumer domains. Email forwarding chains. Teams file exfiltration. Browser-based downloads to unmanaged devices. Multi-channel exfiltration correlation across M365 services.
TH9
Hunting Endpoint Threats — LOLBin abuse with network connections. Process injection indicators. Registry and scheduled task persistence. Defense evasion (timestomping, log clearing, ASR bypass). C2 beaconing with time-series variance analysis. Fileless execution. Process tree analysis with graph semantics.
TH10
Hunting Lateral Movement — Cloud-to-cloud token reuse across applications. Cloud-to-endpoint pivot correlation. RDP, SMB, WMI, and PowerShell Remoting detection. Service account lateral abuse. VPN pivot from cloud compromise. NTLM and Kerberos anomalies. Azure AD Connect abuse.
TH11
Hunting Application and API Abuse — Shadow IT discovery via Cloud App Events. OAuth application inventory and risk scoring. Graph API abuse detection. Third-party app excessive permissions. Dormant high-privilege applications. AI tool usage with corporate data. Data uploads to unsanctioned services.
TH12
Hunting Pre-Ransomware Activity — Reconnaissance tool execution sequences. Volume shadow copy and backup disruption. Credential harvesting indicators. Staging directory creation. Known ransomware tooling signatures. C2 beaconing periodicity. Temporal chain correlation across the full pre-encryption kill chain.
TH13
Hunting Insider Threats — Data hoarding and bulk access patterns. Access pattern deviation from behavioral baselines. Resignation and termination correlation. Privilege abuse by authorized users. After-hours bulk activity. External account communication. Multi-source behavioral anomaly analysis.
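The time-series variance check named in TH9 ("C2 beaconing with time-series variance analysis") and TH12 ("C2 beaconing periodicity") can be illustrated with the following KQL, which is an added example for this page and not one of the course's queries. It runs against the Sentinel DeviceNetworkEvents table (the Defender XDR advanced hunting schema uses Timestamp instead of TimeGenerated); the sample count, jitter ratio and timer range thresholds are assumptions to tune against your own baseline.

```kql
// Added example, not course material. Hypothesis: a C2 implant calls home on a
// fixed timer, so the gaps between successive connections to the same destination
// have a low coefficient of variation; human and application traffic is far more irregular.
let lookback      = 7d;
let min_intervals = 20;     // need enough samples before the statistics mean anything
let max_jitter    = 0.2;    // stdev/mean of the interval; tune to the tenant's baseline
DeviceNetworkEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "ConnectionSuccess" and RemoteIPType == "Public"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort
// Serialise per (device, destination) so prev() yields the previous connection in the same group
| sort by DeviceName asc, RemoteIP asc, RemotePort asc, TimeGenerated asc
| extend PrevTime   = prev(TimeGenerated),
         PrevDevice = prev(DeviceName),
         PrevIP     = prev(RemoteIP),
         PrevPort   = prev(RemotePort)
| where PrevDevice == DeviceName and PrevIP == RemoteIP and PrevPort == RemotePort
| extend IntervalSec = datetime_diff('second', TimeGenerated, PrevTime)
| where IntervalSec > 0
| summarize Intervals        = count(),
            MeanIntervalSec  = avg(IntervalSec),
            StdevIntervalSec = stdev(IntervalSec),
            FirstSeen        = min(PrevTime),
            LastSeen         = max(TimeGenerated),
            Processes        = make_set(InitiatingProcessFileName, 5)
    by DeviceName, RemoteIP, RemotePort
| where Intervals >= min_intervals
| extend JitterRatio = StdevIntervalSec / MeanIntervalSec   // coefficient of variation
| where JitterRatio < max_jitter
      and MeanIntervalSec between (30 .. 3600)              // 30 s to 1 h timers; adjust to the hypothesis
| project DeviceName, RemoteIP, RemotePort, Processes, Intervals,
          MeanIntervalSec = round(MeanIntervalSec, 1),
          JitterRatio     = round(JitterRatio, 3),
          FirstSeen, LastSeen
| order by JitterRatio asc, Intervals desc
```

Software update checkers, telemetry agents and monitoring probes also connect on fixed timers, so the Processes column and a baseline of known-good destinations do most of the triage work; what survives that filter is what gets pivoted into DeviceProcessEvents for the initiating process tree. The coefficient-of-variation threshold is deliberately the simplest form of the check: an implant whose sleep jitter exceeds the threshold will not surface here, which is why the campaign modules pair periodicity with distribution shape and destination reputation rather than relying on one statistic.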

Phase 3 — Hunt Operations

TH14
Building a Hunt Program: Cadence, Prioritization, and Resourcing — Three cadence models (quarterly, monthly rotation, continuous) matched to team size. Three-dimension prioritization scoring. Staffing models (dedicated, rotational, hybrid) with skill development pathways. Hunt-to-detection pipeline with worked KQL conversion. SOC integration with ROI model and budget justification. Hunt program charter (7 sections). Tooling and workspace organization. 12-month program maturity roadmap with Year 2 planning.
TH15
Hunt Documentation, Reporting, and Knowledge Management — 10-field finding documentation standard with four classification types (TP, FP, negative, informational) and worked examples. Negative finding communication framework (verified negative, validated control, baseline update). One-page executive report template with business impact and costed recommendations. Six-section technical report with attack chain reconstruction and containment verification. Knowledge base architecture with quarterly maintenance. Eight program metrics with calculation methods. Report QA checklist and stakeholder communication for CISO, HR, Legal, and IT. Finding trend analysis and year-over-year reporting.
TH16
Scaling Hunts: Automation, Notebooks, and Continuous Hunting — Scheduled query deployment with frequency methodology (hourly to weekly). Sentinel hunt management with bookmarks and search jobs. Jupyter notebooks with MSTICPy for reproducible visual analysis. Five-panel hunting workbook for continuous monitoring between quarterly cycles. The maturity continuum (ad hoc → structured → scheduled → intelligence-driven) with assessment criteria per stage. Continuous hunting operations — daily, weekly, quarterly, and annual workflows. Automating hunt response with three automation levels (triage, enrichment, conditional containment). Course conclusion with 90-day implementation action plan.

What you get that you will not find elsewhere

This is not an IOC feed. IOC-based hunting catches yesterday's attack. This course teaches hypothesis-driven hunting — you form the hypothesis, build the query, run the hunt, and determine whether the result is a finding or a refinement.

Complete hunt campaigns. Not individual queries. Each module runs a full hunt campaign against M365 and Entra ID telemetry — from hypothesis generation through evidence collection to findings report.

The hunt-to-detection pipeline. Every hunt finding becomes a candidate for a detection rule. The course teaches how to convert hunting discoveries into automated detections.

Where this course fits

Detection Engineering builds automated rules. This course finds what the rules miss — the unknown threats that automated detection cannot anticipate.

Purple Teaming validates known detections. This course hunts for unknown threats that have not been detected yet.

Offensive Security for Defenders teaches campaign patterns. This course hunts for those patterns proactively.

Recommended learning path: DE → PT → OD → TH. A learner can start at any course.

The outcome

You start running saved queries. You finish running hypothesis-driven hunt campaigns.

Hypothesis-driven methodology — form, test, refine, report. Not query-and-hope.

Complete hunt campaigns — from hypothesis through evidence to findings report.

The hunt-to-detection pipeline — convert discoveries into production detection rules.

Prerequisites

Required: 1+ years in a SOC or security analyst role. Working KQL proficiency — you can write queries with joins, aggregations, and time windows. Familiarity with Defender XDR and Sentinel.

Recommended: Investigation experience — having triaged and investigated real security incidents helps you understand what threat hunting is trying to find proactively.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may use scripts, queries, detection rules, templates, and frameworks from this course in your professional work. You may not redistribute course content, share account credentials, or republish course materials.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations, incidents, or individuals is coincidental.

No legal advice: Compliance and regulatory content in this course is educational, not legal advice. Consult qualified legal counsel for obligations in your jurisdiction.

Lab Pack - Hypothesis-Driven Hunt Toolkit

This course includes a downloadable lab pack that generates 30 days of realistic M365 and endpoint telemetry with multiple attack chains hidden in legitimate baseline noise. Attack indicators are deliberately not labelled. The learner forms hypotheses, writes queries, hunts through the data, and documents findings.

Evidence (9 tables, 30-day window, ~4,000+ entries): SigninLogs (AiTM, password spray, MFA fatigue, impossible travel), AuditLogs (inbox rules, OAuth consent, GA role assignment, CA disable, insider group self-joins), OfficeActivity (SharePoint bulk downloads, external sharing links, mailbox access), DeviceProcessEvents (macro execution chain, LOLBIN abuse, scheduled task persistence, LSASS dump, Kerberoasting, pre-ransomware VSS deletion), DeviceNetworkEvents (C2 beaconing at 5-minute intervals, lateral RDP, Google Drive exfiltration), EmailEvents (phishing delivery, malware attachment, BEC wire transfer), DeviceFileEvents (payload drops), DeviceRegistryEvents (Run key persistence).

Hunt query library (~70 individual KQL files across 10 domains): Identity (AiTM, spray, MFA fatigue, impossible travel, non-interactive replay, compromised SPs, after-hours admin, time-series anomaly, legacy auth), Persistence (inbox rules, OAuth consent, MFA registration, SP credentials, CA manipulation, federation trust, scheduled tasks, registry run keys), Escalation (role assignment outside PIM, group manipulation, admin consent, Kerberoasting, LSASS dump), Email (BEC, phishing delivery, failed auth, mail forwarding), Exfiltration (bulk downloads, external sharing, personal cloud, email exfil, Teams file drops), Endpoint (LOLBIN, Office spawning scripts, C2 beaconing, process trees, fileless execution, unsigned executables), Lateral Movement (internal RDP, PsExec/WMI, SMB anomaly, credential reuse), Application (unverified OAuth, high-privilege apps, shadow IT), Ransomware (VSS deletion, backup disruption, mass encryption, credential harvesting), Insider (data hoarding, after-hours access, external sharing spike, resignation correlation), Advanced (time-series anomaly, entity pivot, multi-table correlation, behavioral baseline).

10 structured hypotheses with ATT&CK mapping, trigger context, suggested queries, and success criteria. Answers deliberately withheld — the learner must hunt.

Hunt program artifacts: Program charter, sprint template, maturity model, monthly metrics template, hunt report templates (positive and negative findings), ATT&CK coverage matrix (20 techniques mapped, 4 gaps identified).

30 exercises across 10 module groups with step-by-step HTML walkthroughs: open the evidence file, apply the filter, trace the attack chain, correlate across tables, document findings.

Threat Hunting Lab Pack
~100+ files · 9 evidence tables · 70 hunt queries · 10 hypotheses · 30-day evidence window
Download Lab Pack (.zip)

Version and changelog

Current version: 2.0  |  Last updated: April 2026

April 2026 — v2.0: Lab pack built with ~70 hunt queries across 10 domains, 10 structured hypotheses, 9 evidence tables (30-day window), ATT&CK coverage matrix, hunt program artifacts, and step-by-step HTML walkthroughs. Prerequisites updated for advanced positioning. Meta descriptions rewritten.

2026 — v1.0: Course launch. 17 modules (TH0–TH16) across 3 phases. 530,000 words. Hypothesis-driven methodology across all hunt-domain modules.

This course is actively maintained. Content is updated as the M365 threat landscape and hunting techniques evolve.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 1 scenario

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.