The Detection Gap — Why Mature SOCs Still Need Hunting
What this course is
This is a practical threat hunting course for Microsoft 365 and Entra ID environments. Seventeen modules take you from the business case for hunting through ten hypothesis-driven hunt campaigns to the operational framework for building a sustainable hunting program.
Your analytics rules are running. Your detection engineering team ships new rules every sprint. Defender XDR generates incidents automatically. Sentinel fires scheduled alerts around the clock. The dashboard is green. And somewhere in your environment, an attacker has been present for eleven days.
That is the detection gap — the space between what your rules catch and what is actually happening. Detection rules cover the known. Hunting finds the unknown. A SOC with 30% ATT&CK coverage has a 70% hunting surface — evidence of compromise sitting in the logs, waiting for someone to look. This course teaches you to look systematically: form a hypothesis from threat intelligence or ATT&CK gaps, scope the hunt, collect and analyze data with KQL, document findings, and convert what you find into detection rules that catch it automatically next time.
The hunt-to-detection pipeline is the principle the course is built on. What you hunt today, you detect tomorrow. Every hunt campaign ends with detection rule deployment — so the SOC's coverage grows permanently with every hunt cycle.
This course does not provide a synthetic lab. Every exercise runs against your production or developer M365 tenant. When you run the identity compromise hunt from TH4 against your own SigninLogs, the findings are real security findings. The course functions as a structured security audit of your M365 environment while teaching you the methodology to repeat it independently.
What this course teaches
Seventeen modules across three phases. TH0 and TH1 are free — no account required.
Phase 1 — Hunt Methodology and Advanced Toolcraft (TH0–TH3). You are here now. TH0 builds the business case — detection coverage gaps, dwell time data, the detection pyramid, ROI metrics, organizational readiness, and the leadership presentation that justifies dedicated hunting hours. TH1 teaches the six-step Hunt Cycle methodology used in every subsequent module: hypothesis formation, scoping, iterative collection, analysis, conclusion, and detection conversion. TH2 covers advanced KQL patterns for hunting — behavioral baselining with percentile and stdev, time-series anomaly detection with make-series, frequency analysis, behavioral clustering, entity pivoting, and graph semantics for process trees. TH3 maps your current detection coverage against ATT&CK, identifies gaps, scores them by threat relevance, and builds the prioritized hunt backlog that drives Phase 2.
Phase 2 — Hunt Campaigns (TH4–TH13). Ten self-contained campaigns, each targeting a specific threat domain. Identity compromise — AiTM, credential stuffing, password spray, MFA bypass, session hijacking, per-user authentication baselines (TH4). Cloud persistence — inbox rules, OAuth consent, MFA registration as persistence, Conditional Access manipulation, federated trust abuse (TH5). Privilege escalation — role assignment outside PIM, service principal abuse, emergency access misuse, Global Admin anomalies (TH6). Email-based threats — BEC from compromised accounts, internal phishing, vendor email compromise, mail flow rule manipulation (TH7). Data exfiltration — SharePoint bulk downloads, external sharing, Teams exfiltration, browser downloads to unmanaged devices (TH8). Endpoint threats — LOLBin abuse, process injection, defense evasion, C2 beaconing, fileless execution (TH9). Lateral movement — cloud token reuse, cloud-to-endpoint pivot, RDP/WMI/SMB, service account abuse, Azure AD Connect (TH10). Application and API abuse — shadow IT, OAuth risk scoring, Graph API abuse, dormant high-privilege apps, AI tool usage (TH11). Pre-ransomware — reconnaissance sequences, backup disruption, credential harvesting, staging, pre-encryption timeline correlation (TH12). Insider threat — data hoarding, behavioral deviation, resignation correlation, privilege abuse, after-hours bulk activity (TH13).
Each campaign follows the Hunt Cycle from TH1. Each produces a hunt report and detection rules you deploy to your own Sentinel workspace.
Phase 3 — Hunt Operations (TH14–TH16). Three modules that build hunting into an organizational capability. Program building — cadence models, prioritization scoring, staffing models, SOC integration, budget justification, the hunt program charter, and a 12-month maturity roadmap (TH14). Documentation and reporting — finding standards, negative finding communication, executive reports, technical reports, knowledge base architecture, program metrics (TH15). Scaling — scheduled query deployment, Sentinel hunt management, Jupyter notebooks with MSTICPy, continuous hunting dashboards, the maturity continuum from ad hoc to intelligence-driven, and the 90-day implementation plan (TH16).
Study Phase 1 linearly (TH0–TH3 in order — each module builds the methodology the next one uses). Phase 2 campaigns (TH4–TH13) can be completed in any order based on your threat priorities: if credential attacks are your top risk, start with TH4; if ransomware keeps you up at night, jump to TH12. Phase 3 requires hunting experience from Phase 2 — complete at least three campaigns before starting program operations.
Who this course is for
Anyone who wants to move from reactive alert triage to proactive threat hunting in a Microsoft environment. The course is built for self-directed learners at the intermediate-to-advanced level.
SOC analyst moving from reactive to proactive. You triage alerts and investigate incidents. You're good at responding to what the SIEM catches. You want to find the compromises that never generated an alert — the ones living in your logs that no rule is looking for. This course teaches you the structured methodology that turns ad hoc queries into repeatable hunt operations.
Detection engineer building hunt capability. You write analytics rules. You ship them every sprint. But how do you know which rules you need next? This course teaches the methodology that identifies gaps — by hunting for the threats your current rules miss. The hunt-to-detection pipeline closes the loop: every hunt finding becomes a new detection rule.
Hunt team lead building a program. You've been told to "start a hunting program." Phase 3 (TH14–TH16) covers cadence, prioritization, documentation, leadership reporting, metrics, automation, and the organizational material for building a sustainable capability — not just individual hunting skill.
Incident responder adding proactive capability. You investigate after the breach. Hunting finds the breach before it's reported. The analytical methodology is the same — the timing is different. This course teaches you to apply investigation skills proactively across M365 telemetry.
Anyone with a genuine interest in threat hunting. Whatever your background — transitioning from another domain, early in your career, or exploring a new direction — if the subject interests you and you're willing to put in the work, this course is for you.
Prerequisites
Three required, one recommended. Read each and self-assess honestly.
SOC or security analyst experience (1+ years). You should understand what a SIEM does, what alert triage looks like, and what happens during an incident investigation. You don't need to have hunted before — the course teaches that. You do need to understand the operational context that hunting exists within.
Working KQL proficiency. You need to be comfortable with where, summarize, join, let, extend, and make-series without reference documentation. TH2 teaches advanced hunting patterns, not KQL fundamentals. If KQL is new, complete the Mastering KQL for Cybersecurity course on this platform first. If you can write a multi-table join with time-windowed correlation, you're ready.
Familiarity with Defender XDR and Sentinel. You should know how to navigate Advanced Hunting, how to run a query in Log Analytics, and what the Sentinel incident queue shows. If the Microsoft security stack is new, complete M365 Security Operations (Phases 1–2) first.
Recommended: detection engineering experience. Hunting produces hypotheses that become detection rules. If you've written analytics rules before (or completed the Detection Engineering course), the hunt-to-detection pipeline in this course will be immediately actionable. If not, TH1 teaches the conversion methodology from scratch.
Lab setup
Your environment is the lab. Everything runs against your own M365 tenant.
M365 environment (required). Production or developer tenant with Defender XDR Advanced Hunting and Sentinel. The hunts produce real findings in your own environment. A developer tenant (free, 25 E5 licenses — developer.microsoft.com/microsoft-365/dev-program) works for learning the methodology. Your production environment produces real security value — the course functions as a structured security audit.
Lab pack (downloadable). The course includes a threat hunting lab pack with 30 days of realistic M365 and endpoint telemetry (~4,000+ entries across 9 tables) with multiple attack chains hidden in legitimate baseline noise. Attack indicators are deliberately not labeled — you form hypotheses, write queries, and hunt. Plus ~70 KQL hunt queries, 10 structured hypotheses, and hunt program artifacts.
No local infrastructure required. No VMs, no third-party tools, no commercial licenses. Everything runs in the Defender XDR Advanced Hunting portal and Sentinel Log Analytics.
What you can skip: you don't need to configure anything before starting TH0. The first module is the business case and organizational readiness — content you read. Your M365 tenant needs to be active before Phase 2 campaigns (TH4 onward).
How the course is structured
Every hunt campaign in Phase 2 follows the six-step Hunt Cycle taught in TH1. You will encounter these elements in every campaign module.
Hypothesis formation. Every hunt starts with a specific, testable hypothesis derived from threat intelligence, ATT&CK coverage gaps, or prior incident findings. The hypothesis is scoped before the first query runs.
Iterative KQL collection. Broad queries narrow to targeted queries. Each step is documented with the rationale for the refinement. You learn to iterate efficiently rather than writing one massive query.
Analysis with contextual enrichment. Separating signal from noise. Behavioral baselining, statistical outlier detection, and cross-table correlation. Every finding is classified: true positive, false positive, negative (no finding — also valuable), or informational.
Hunt documentation. Every hunt produces a structured report — findings, methodology, evidence, and recommendations. Negative findings are documented because they reduce organizational uncertainty.
Detection conversion. The hunt-to-detection pipeline. Every hunt query that found something becomes a Sentinel analytics rule. What you hunted manually today, you detect automatically tomorrow.
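As an added illustration of the five steps above (not a query from the course or its lab pack), the following KQL hunt works through one identity-compromise hypothesis against Sentinel's SigninLogs table: a compromised account signs in from more distinct IP addresses in a day than that user's own baseline predicts. The 30-day lookback, the 7-day minimum history and the P95 / 3-sigma thresholds are assumed starting values to tune for your tenant; the percentile and stdev baselining is the pattern TH2 and TH4 describe.

```kql
// Added example, not course material. Hypothesis (step 1): a compromised
// account authenticates from more distinct IPs in one day than that user's
// own 30-day baseline predicts. Assumed thresholds: tune for your tenant.
let lookback = 30d;
let window   = 1d;
// Step 2 (iterative collection): broad pull of successful sign-ins,
// reduced to one row per user per day. ResultType is a string in SigninLogs.
let daily =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | extend Country = tostring(LocationDetails.countryOrRegion)
    | summarize DistinctIPs       = dcount(IPAddress),
                DistinctCountries = dcount(Country),
                SignIns           = count()
        by UserPrincipalName, Day = bin(TimeGenerated, 1d);
// Step 3 (analysis): each user's own baseline, excluding the hunt window so
// today's activity does not inflate the numbers it is compared against.
let baseline =
    daily
    | where Day < ago(window)
    | summarize BaseMeanIPs  = avg(DistinctIPs),
                BaseStdevIPs = stdev(DistinctIPs),
                BaseP95IPs   = percentile(DistinctIPs, 95),
                BaselineDays = count()
        by UserPrincipalName
    | where BaselineDays >= 7;   // assumed: too little history to baseline below this
// Compare the hunt window to the per-user baseline. A user with zero variance
// in the baseline gets no z-score; the P95 test still applies to them.
daily
| where Day >= ago(window)
| join kind=inner baseline on UserPrincipalName
| extend ZScore = iff(BaseStdevIPs == 0, real(null),
                      (DistinctIPs - BaseMeanIPs) / BaseStdevIPs)
| where DistinctIPs > BaseP95IPs and (ZScore > 3 or DistinctCountries > 1)
| project Day, UserPrincipalName, DistinctIPs, DistinctCountries,
          BaseMeanIPs, BaseP95IPs, ZScore, SignIns
| order by ZScore desc
// Step 4: each row is dispositioned (true/false positive, informational) in
// the hunt report; an empty result set is a negative finding and is recorded.
// Step 5: once tuned, the same query is saved as a scheduled Sentinel
// analytics rule so the behaviour is detected automatically next time.
```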
Module completion pattern. Each campaign module has fifteen to eighteen subsections covering the full Hunt Cycle, a module summary, and a Check My Knowledge subsection. Phase 1 modules are methodology-focused. Phase 2 modules are campaign-focused. Phase 3 modules are operations-focused.
Time per phase
The course is self-paced. No cohorts, no deadlines, no streaks.
Phase 1 (TH0–TH3): One to two weeks. TH0 is the business case (3–4 hours). TH1 is the Hunt Cycle methodology (3–4 hours). TH2 is advanced KQL patterns (4–5 hours). TH3 is ATT&CK coverage analysis and backlog building (3–4 hours).
Phase 2 (TH4–TH13): Five to eight weeks at five to eight hours per week. Ten campaign modules. Each campaign takes 2–4 hours depending on the complexity of the threat domain. TH4 (identity compromise) and TH12 (pre-ransomware) are the longest.
Phase 3 (TH14–TH16): One to two weeks. Three operations modules. TH14 (program building) is the most intensive.
Full course at five to eight hours per week: ten to eighteen weeks. Recommended pace: one to two modules per week. Run every hunt against your own environment — the methodology develops through practice, not reading.
Start here
Go to TH0.1 — The Detection Coverage Illusion next. It quantifies the gap between "we have analytics rules" and "we can detect this attack" — the number that should make every SOC uncomfortable. The detection coverage illusion is the foundation for everything the course builds: if you don't understand what your rules miss, you can't know where to hunt.
After TH0.1, the remaining TH0 subsections cover the dwell time problem with industry data (TH0.2), the detection pyramid and why detection engineering alone cannot close the gap (TH0.3–TH0.4), the M365 threat landscape driving hunting demand (TH0.5), where hunting sits relative to IR and detection engineering (TH0.6), the ROI argument in business terms (TH0.7), organizational readiness assessment (TH0.8), common hunting myths (TH0.9), M365 data sources for hunting (TH0.10), what makes a good hunter (TH0.11), hunting maturity models (TH0.12), the leadership case (TH0.13), program metrics (TH0.14), the first 90 days plan (TH0.15), a module summary (TH0.16), and a scenario-based knowledge check (TH0.17).
Work through TH0 in order. The business case and organizational readiness framework TH0 establishes are what separates a hunting program from ad hoc queries.
You understand the detection gap and the hunt cycle.
TH0 showed you what detection rules fundamentally cannot catch. TH1 gave you the hypothesis-driven methodology that closes that gap. Now you run the hunts.
- 10 complete hunt campaigns — from hypothesis through KQL execution through finding disposition, each campaign based on a real TTP
- 70 production hunt queries — every one mapped to MITRE ATT&CK and tested against realistic telemetry
- Advanced KQL for hunting — UEBA composite risk scoring, retroactive IOC sweeps, and hunt management metrics
- Hypothesis-Driven Hunt Toolkit lab pack — 30 days of realistic M365 and endpoint telemetry with multiple attack patterns seeded in
- TH16 — Scaling hunts across a team — the operating model for a production hunt program