Sign In
In this section

TH0.3 The Detection Pyramid

3-4 hours · Module 0 · Free
Operational Objective
Security operations deal with three categories of threats: the ones your rules are built to catch, the ones you suspect exist but have no rule for, and the ones you have never imagined. Each category requires a different operational approach — and most SOCs only resource the first. This subsection introduces the detection pyramid as the framework for understanding where detection engineering, threat hunting, and anomaly detection each operate, why all three are necessary, and what happens when any layer is missing.
Deliverable: A clear mental model for where hunting sits in your security operation's threat visibility architecture — and the ability to explain why detection rules alone leave two of three threat categories unaddressed.
⏱ Estimated completion: 25 minutes

Three categories of threat

Not all threats are the same, and the operational response to each category is fundamentally different. Confusing these categories — treating all threats as if they were the same kind of problem — is one of the most common strategic errors in security operations. It leads to organizations that invest heavily in detection engineering and then cannot understand why sophisticated attacks still succeed.

Known-known threats. The attack technique is documented. The telemetry that records it is identified. A detection rule exists and is deployed. When the attack occurs, an alert fires. This is the domain of detection engineering — and it is the only category that automated detection covers.

// Which pyramid layers are producing findings?
SecurityAlert
| where TimeGenerated > ago(90d)
| extend DetectionLayer = case(
    ProviderName == "ASI Scheduled Alerts", "Known-Known: Custom Rules",
    ProviderName has "MCAS", "Known-Known: Defender for Cloud Apps",
    ProviderName has "MDATP", "Known-Known: Defender for Endpoint",
    ProviderName has "IPC", "Unknown-Unknown: Identity Protection (UEBA)",
    ProviderName has "Azure Sentinel" and AlertName has "Anomal",
        "Unknown-Unknown: Anomaly Detection",
    "Known-Known: Built-in Detection")
| summarize AlertCount = count(), DistinctAlerts = dcount(AlertName)
    by DetectionLayer
| sort by AlertCount desc
// If "Unknown-Unknown" layers return zero or near-zero results,
// your anomaly detection layer is either not deployed or not producing
// If all results are "Known-Known" — only the base of the pyramid is active
// The Known-Unknown layer (hunting) will never appear here because
//   hunting does not produce automated alerts — it produces findings
//   that are documented in hunt records, not in the SecurityAlert table
Expand for Deeper Context

Examples: phishing email delivery matching a known URL pattern. Malware execution matching a known file hash. Sign-in from an IP address on a threat intelligence blocklist. Credential stuffing producing a volume of failed authentications that exceeds the rule threshold.

Known-unknown threats. The attack technique is known — it appears in MITRE ATT&CK, in threat intelligence reports, in conference presentations. But no detection rule exists in your environment for this specific technique, or the rule that exists has been evaded by a variant the rule author did not anticipate. You know this category of attack is possible. You suspect it may be occurring. But you have no automated mechanism to confirm or deny it.

Examples: OAuth consent phishing where the malicious application name does not match your rule's pattern list. AiTM session hijacking from infrastructure that is not yet in any threat intelligence feed. Lateral movement via pass-the-ticket where the Kerberos anomaly is too subtle for your current detection threshold. Data exfiltration via SharePoint download that falls just below your volume alert trigger.

This is the domain of threat hunting. The technique is known. The hypothesis is formable. The data exists in your logs. What is missing is someone looking.

Unknown-unknown threats. The attack technique has not been documented. No one has published detection logic for it. No one has written an ATT&CK entry for it. It is a novel technique, a zero-day exploitation of a platform behavior, or a creative combination of legitimate operations that no one has previously identified as an attack path. You cannot hunt for something you cannot hypothesize.

Examples: a novel method of abusing a legitimate M365 feature that has not been reported. An attacker using a combination of Graph API calls that individually look benign but collectively constitute a data exfiltration pipeline. A supply chain compromise through an application integration that security researchers have not yet analyzed.

This is the domain of anomaly detection — statistical baselining that identifies deviation from normal without requiring a predefined hypothesis. The system does not know what the attack looks like. It knows what normal looks like, and it flags when something deviates.

THE DETECTION PYRAMID — THREE LAYERS OF THREAT VISIBILITY KNOWN-KNOWN Detection rules fire. Automated. Highest volume, lowest sophistication. DETECTION ENGINEERING KNOWN-UNKNOWN Technique known. No rule deployed. Hypothesis formable. THREAT HUNTING UNKNOWN UNKNOWN Novel technique. No hypothesis. ANOMALY DETECTION ~30% of ATT&CK surface ~60% of ATT&CK surface Beyond ATT&CK Automated, 24/7 Human-driven, periodic Statistical, continuous Most SOCs invest only in the bottom layer. The pyramid narrows — but the threats at the top cause the most damage.

Figure TH0.3 — The detection pyramid. Detection engineering covers the base (known-known). Hunting covers the middle (known-unknown). Anomaly detection covers the apex (unknown-unknown). An organization that only invests in the base has no visibility into the two categories that produce the most damaging intrusions.

The paradox at the top

The pyramid narrows as you move up — there are fewer unknown-unknown techniques than known-unknown techniques, and fewer known-unknown techniques than known-known techniques. But the damage distribution is inverted. The known-known threats at the base are high-volume but relatively low-impact individually — commodity phishing, opportunistic credential stuffing, known malware families. They produce alerts, they consume SOC analyst time, and they are important to detect. But they rarely produce the intrusions that make headlines.

The threats at the top of the pyramid — the novel techniques, the carefully planned intrusions, the adversaries who study your defenses before acting — are low-volume but catastrophically high-impact. These are the nation-state actors with 90-day dwell times. The ransomware affiliates who spend two weeks mapping your environment before encrypting it. The insider who finds a data exfiltration method that no one has thought to monitor. They succeed specifically because they operate outside the known-known layer.

A SOC that invests exclusively in detection engineering is optimizing for the base of the pyramid. It will catch the most threats by volume. It will produce the busiest incident queue. And it will be completely blind to the threats that cause the most damage — because those threats are designed to operate above the detection rule layer.

How the three layers interact

The three layers are not independent. They feed each other in a cycle that makes the entire security operation smarter over time — but only if all three are active.

Hunting feeds detection engineering. Every successful hunt that identifies a threat technique in the known-unknown layer produces at least one new detection rule. The hunt validates that the technique occurs in your environment, confirms which telemetry records it, and produces tested KQL logic that can be deployed as an analytics rule. The technique moves from the known-unknown layer (hunting) to the known-known layer (detection). The detection gap shrinks. This is the hunt-to-detection pipeline that runs through every campaign module in this course.

Anomaly detection feeds hunting. When a behavioral baseline flags an anomaly — a user whose data access pattern deviates from their 90-day normal — it does not fire an alert the way a detection rule does. It produces a lead. That lead becomes a hunting hypothesis: "User X's SharePoint download volume tripled this week. Is this a legitimate project or data exfiltration?" The hunt investigates the anomaly, confirms or refutes the hypothesis, and either escalates to IR or documents the legitimate explanation. The anomaly moves from the unknown-unknown layer (baseline deviation) to the known-unknown layer (hunting investigation).

Detection engineering feeds hunting prioritization. Detection rules that fire produce investigation data. Investigation findings reveal attack patterns. Those patterns identify gaps — techniques the attacker used that were not detected, or were detected late. Each gap becomes a hunting hypothesis. The detection layer's failures are the hunting layer's backlog. TH3 formalizes this process through ATT&CK coverage analysis.

Hunting feeds anomaly detection. Hunts that examine behavioral patterns — authentication baselining in TH4, download volume analysis in TH8, process frequency analysis in TH9 — produce the baselines that anomaly detection uses. Without hunting to validate what "normal" looks like, anomaly detection has no calibrated reference point. And without hunting to investigate what anomaly detection flags, the anomalies are just numbers in a workbook that no one acts on.

The cycle works only if all three layers are staffed and active. Remove hunting, and the known-unknown layer is unmonitored — detection rules only improve when someone happens to notice a gap. Remove anomaly detection, and novel techniques are invisible. Remove detection engineering, and the known-known threats overwhelm the SOC with uninvestigated compromises. The three layers are complementary, not competing.

Where most SOCs stop

Most M365 security operations invest in one layer: detection engineering. They build analytics rules. They tune alert thresholds. They subscribe to threat intelligence feeds that automatically create detection indicators. They review Microsoft's recommended detections and deploy the ones relevant to their environment. This is important work, and they should keep doing it.

But it is only one-third of the visibility architecture. The other two-thirds — hunting the known-unknown and baselining the unknown-unknown — are either unstaffed, unscheduled, or treated as "nice to have if we get time." They never get time, because the known-known layer generates enough alerts to consume every available analyst hour.

This is the operational trap that hunting breaks. Hunting is not additional work layered on top of an already overloaded SOC. It is the work that discovers the threats no amount of alert triage will surface — and produces the detection rules that make the alert layer more effective, reducing the noise that overloads the SOC in the first place.

TH14 (Building a Hunt Program) addresses the practical question of how to allocate hunting hours within a resource-constrained SOC. The answer is not "hire a dedicated hunt team" — most organizations cannot. The answer is structured allocation: a defined number of hours per week or month, protected from the alert queue, dedicated to executing hunt campaigns from a prioritized backlog. The detection rules those hunts produce improve the alert layer, which reduces the analyst hours spent on false positives, which frees capacity for more hunting. The flywheel turns.

Anomaly detection in M365

This course focuses on hunting — the known-unknown layer. But the relationship to anomaly detection is important because some of the KQL techniques taught in TH2 serve both purposes.

series_decompose_anomalies() in KQL is a hunting tool when you use it to analyze a specific user's download volume during a hunt campaign. It is an anomaly detection tool when you deploy it as a scheduled query that runs daily against all users and surfaces deviations for review.

autocluster() is a hunting tool when you use it to identify patterns in hunt results. It is an anomaly detection tool when you deploy it against sign-in logs to find authentication events that do not fit any established cluster.

The boundary between hunting and anomaly detection is operational, not technical. The same KQL function serves both purposes. The difference is intent: hunting starts with a hypothesis and uses the tool to test it. Anomaly detection starts with a baseline and uses the tool to flag deviations that may generate hypotheses.

This course teaches both applications, but the primary focus is the hypothesis-driven hunting that lives in the middle layer of the pyramid — because that is where the largest gap exists in most M365 security operations.

Measuring your pyramid investment

The following query categorizes your recent security alerts by detection source — giving you a rough view of which pyramid layers are producing findings in your environment:

Try it yourself

Exercise: Map your current investment across the pyramid

Categorize your SOC's current operational activities:

Known-known (detection engineering): How many analytics rules are deployed? How many were created or updated in the last 90 days? Is there a detection engineering backlog? How many hours per week are dedicated to building and maintaining rules?

Known-unknown (hunting): How many structured hunt campaigns were executed in the last 90 days? Is there a hunt backlog? Are hunt hours protected from the alert queue? Do hunts produce documented findings and detection rules?

Unknown-unknown (anomaly detection): Are behavioral baselines deployed? Do you use UEBA (User and Entity Behavior Analytics)? Are anomaly-flagged events reviewed by an analyst, or do they sit in a workbook nobody checks?

If the answer to most of the hunting and anomaly detection questions is "no" or "not systematically" — you are operating on one layer of the pyramid. That is the gap this course addresses.

⚠ Compliance Myth: "UEBA handles threat hunting — we enabled Microsoft Sentinel UEBA and we are covered"

The myth: User and Entity Behavior Analytics (UEBA) is threat hunting. Enabling UEBA in Sentinel means you have a hunting capability.

The reality: UEBA operates in the unknown-unknown layer — it flags behavioral anomalies based on statistical deviation from baselines. It does not formulate hypotheses, it does not investigate its own findings, and it does not produce detection rules. UEBA flags anomalies. A human must investigate those anomalies to determine whether they indicate compromise. That investigation is hunting. Without an analyst reviewing UEBA anomalies, investigating the flagged behavior, and documenting findings, UEBA is an unread report — data without action. UEBA is a valuable input to hunting, not a replacement for it.

Extend this model

The detection pyramid applies to any security operation, not only M365. If your organization runs multiple SIEM platforms or EDR solutions, the three layers exist in each — and the gaps are often in the same place (hunting and anomaly detection under-resourced relative to detection engineering). The pyramid is a useful framework for any conversation about security operations investment because it makes the resource imbalance visible: ask leadership to estimate what percentage of their security budget funds each layer. The answer is usually 80%+ on the base (tooling, detection engineering, alert triage) and near-zero on the middle and top.

📋 Operational Artifact — Detection Pyramid Self-Assessment

Current State Assessment

Known-known (detection engineering):

Analytics rules deployed: _____ | Rules created/updated last 90 days: _____ | Weekly hours dedicated: _____

Known-unknown (hunting):

Hunt campaigns last 90 days: _____ | Hunt backlog exists: Y/N | Hunt hours protected: Y/N | Hunts produce detection rules: Y/N

Unknown-unknown (anomaly detection):

Behavioral baselines deployed: Y/N | UEBA enabled: Y/N | Anomaly review cadence: _____ | Anomaly findings investigated: Y/N

Investment distribution (estimate):

Detection engineering: _____% | Hunting: _____% | Anomaly detection: _____%

If hunting and anomaly detection are below 20% combined: The middle and top of your pyramid are unmonitored. The threats designed to evade detection rules — the ones that cause the most damage — have no visibility layer. This course addresses the hunting gap. TH2 introduces the KQL techniques that support anomaly detection alongside hunting.

References Used in This Subsection

Decision point

You have time for one hunt this quarter. Do you hunt for the threat in the latest advisory or for the gap in your ATT&CK coverage matrix?

Hunt the coverage gap. Advisories describe threats that are CURRENT but may not target NE. Coverage gaps describe techniques that COULD target NE and would succeed undetected. The coverage gap hunt produces a detection rule (closing the gap permanently). The advisory-driven hunt produces a point-in-time assessment (confirming the specific threat is not present today). Both are valuable — but the coverage gap hunt has a longer-lasting impact because it produces a permanent detection improvement.

A hunt query returns 200 results. You have 4 hours remaining in the hunt window. You can investigate 20 results thoroughly or review all 200 superficially. Which approach produces better hunt outcomes?
Review all 200 — you might miss a critical finding in the 180 you skip.
Investigate 20 thoroughly. A superficial review of 200 results produces 200 'looked at it, seemed okay' assessments that provide no investigative value and no documentation for future reference. A thorough investigation of 20 results produces: confirmed findings (true positives requiring remediation), confirmed benign patterns (documented baselines for future comparison), and inconclusive results (flagged for monitoring). Prioritise the 20 by: highest anomaly score, highest-value assets involved, and highest-risk users involved. Document why the remaining 180 were not investigated and recommend a follow-up hunt with refined query criteria to reduce the result set.
Investigate 20 — but only if they are from the most recent 24 hours.
Neither — refine the query first to reduce the result set below 50.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You understand the detection gap and the hunt cycle.

TH0 showed you what detection rules fundamentally cannot catch. TH1 gave you the hypothesis-driven methodology that closes that gap. Now you run the hunts.

  • 10 complete hunt campaigns — from hypothesis through KQL execution through finding disposition, each campaign based on a real TTP
  • 70 production hunt queries — every one mapped to MITRE ATT&CK and tested against realistic telemetry
  • Advanced KQL for hunting — UEBA composite risk scoring, retroactive IOC sweeps, and hunt management metrics
  • Hypothesis-Driven Hunt Toolkit lab pack — 30 days of realistic M365 and endpoint telemetry with multiple attack patterns seeded in
  • TH16 — Scaling hunts across a team — the operating model for a production hunt program
Unlock the full course with Premium See Full Syllabus
← Previous Next →