Module 1: The Hunt Cycle — A Structured Methodology

3-4 hours · Free tier

The Hunt Cycle: A Structured Methodology

Most analysts who hunt do it ad hoc. They open Advanced Hunting, write a query based on something they read in a threat report that morning, scan the results, and move on. If the query returns nothing interesting, the hunt is “done.” If it returns something suspicious, they investigate — but without a framework for determining whether the suspicious result is actually a finding or noise they do not yet understand.

Ad hoc hunting is better than no hunting. But it has three problems that prevent it from producing consistent, measurable value. It is not documented, so the organization cannot learn from it. It is not structured, so the analyst cannot distinguish between “no threat present” and “wrong query.” And it does not produce detection rules, so the same technique must be hunted again next month because no automated coverage was created.

The Hunt Cycle replaces ad hoc querying with a structured, repeatable, documented process. Six steps. Every campaign module in this course follows them. Every hunt you run after completing this course follows them. The structure is what makes hunting an organizational capability rather than an individual skill.

The six steps

1. Hypothesize — Formulate a specific, testable prediction about attacker behavior in your environment. Not a question (“are there threats?”) but a prediction (“compromised accounts will show authentication from IPs not in the user’s 30-day baseline”).

2. Scope — Define what you are searching, where, and when. Data sources, time window, target population. Boundaries set before the first query runs.

3. Collect — Execute KQL queries. Iterative — start broad, narrow based on results. Document every query, not just the ones that produced findings.

4. Analyze — Separate legitimate activity from suspicious activity using contextual enrichment: who owns the account or host, what it normally does, whether the source IP belongs to a known VPN or cloud egress range, whether a change ticket or travel explains it. This is where hunting judgment lives.

5. Conclude — Confirm or refute the hypothesis. Document the finding — positive or negative. Escalate to IR if compromise is found.

6. Convert — Turn validated hunt queries into detection rules. What you hunted today, you detect automatically tomorrow.
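As an added example (not part of the original course material), here is one way the six steps map onto a single Advanced Hunting query for the hypothesis given in step 1: a compromised account will authenticate from an IP address that is not in that account's 30-day baseline. It assumes the Defender XDR `IdentityLogonEvents` table and its `AccountUpn`, `IPAddress`, `ActionType`, `Application`, `Location`, `Isp` and `ReportId` columns; the `targetPopulation` list and the UPNs in it are hypothetical placeholders.

```kusto
// Hypothesize: a compromised account will show a successful logon from an
// IP address absent from its own 30-day baseline of successful logons.
// Scope: IdentityLogonEvents; hunt window = last 24 h; baseline = the 30 days
// before that; population = all accounts, or the optional list below.
let lookback = 30d;          // baseline period
let window   = 1d;           // hunt period
// Hypothetical target population (assumption, not real accounts). Replace with
// your own list or leave the filter commented out to hunt every account.
let targetPopulation = dynamic(["alice@contoso.example", "bob@contoso.example"]);
// Collect, part 1: every (account, IP) pair seen in the baseline period.
let baseline =
    IdentityLogonEvents
    | where Timestamp between (ago(lookback + window) .. ago(window))
    | where ActionType == "LogonSuccess"
    | where isnotempty(AccountUpn) and isnotempty(IPAddress)
    | distinct AccountUpn, IPAddress;
// Collect, part 2: hunt-window logons with no baseline match for that account.
IdentityLogonEvents
| where Timestamp > ago(window)
| where ActionType == "LogonSuccess"
| where isnotempty(AccountUpn) and isnotempty(IPAddress)
// | where AccountUpn in~ (targetPopulation)   // uncomment to narrow the scope
// leftanti keeps only rows whose (AccountUpn, IPAddress) pair is not in baseline
| join kind=leftanti baseline on AccountUpn, IPAddress
// Analyze: one row per new (account, IP) pair, carrying the enrichment columns
// the analyst needs (application, geolocation, ISP) plus logon volume.
// Convert: arg_max keeps Timestamp and ReportId on the summarized row, which a
// Defender XDR custom detection rule requires alongside an identity column.
| summarize Logons = count(),
            FirstSeen = min(Timestamp),
            arg_max(Timestamp, ReportId, Application, Location, Isp)
  by AccountUpn, IPAddress
| order by Logons asc, FirstSeen asc
```

A few practitioner notes on using this. An empty result is only "no threat present" if the baseline actually contains data: confirm that `IdentityLogonEvents` returns rows for the full 31-day span before concluding, otherwise you have a wrong query (or insufficient retention), not a negative finding. Accounts created inside the hunt window have no baseline and will surface on every logon; that is expected, and the Analyze step decides whether it matters. A new IP for a user is noisy for mobile and VPN users, so enrich against your VPN and cloud egress ranges before escalating. When you Convert the query into a custom detection rule, keep the summarized output (low-volume pairs first) rather than raw events, document the baseline period and the exclusions you settled on, and expect to tune the rule against the false positives the hunt itself revealed.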

Start with TH1.1 to learn how to formulate hypotheses that produce results.

Sections in this module