Sign In
In this section

TH1.5 Concluding the Hunt

3-4 hours · Module 1 · Free
Operational Objective
A hunt without a conclusion is a hunt without value. The conclusion step formalizes the outcome — hypothesis confirmed, hypothesis refuted, or hypothesis inconclusive — and triggers the appropriate action: IR escalation, negative finding documentation, or refinement for re-hunt. This subsection teaches you to close hunts decisively, document conclusions for organizational memory, and handle the edge cases that make conclusions ambiguous.
Deliverable: The ability to formally conclude a hunt with a documented outcome, appropriate escalation, and a clear record that the organization can reference.
⏱ Estimated completion: 20 minutes

Three possible outcomes

Every hunt ends in one of three states. The conclusion must be explicit — written down, not implied.

THREE HUNT OUTCOMES — EVERY HUNT ENDS IN ONE ANALYSIS COMPLETE CONFIRMED 3+ dimensions correlated → Escalate to IR immediately → Convert query to detection rule REFUTED Full scope examined, no evidence → Document negative finding → Convert query to detection rule INCONCLUSIVE Ambiguous — gap prevents resolution → Document gap + reasoning → Refine hypothesis, re-queue

Figure TH1.5 — Three hunt outcomes. Confirmed and refuted hunts both produce detection rules. Inconclusive hunts produce refined hypotheses. Every outcome produces documentation.

Outcome 1: Hypothesis confirmed — compromise found

The analysis produced a high-confidence finding. Correlated evidence across three or more enrichment dimensions supports the conclusion that the technique described in the hypothesis has occurred in your environment.

// Dwell time compression for a hunt-discovered compromise
// Run after identifying the compromised account and earliest evidence
let compromisedUser = "j.morrison@northgateeng.com";
let huntDiscoveryDate = datetime(2026-03-28);
// Find the earliest anomalous activity for this user
SigninLogs
| where TimeGenerated between (ago(90d) .. huntDiscoveryDate)
| where UserPrincipalName == compromisedUser
| where IPAddress in ("203.0.113.47")  // Attacker IP from hunt finding
| summarize EarliestAttackerActivity = min(TimeGenerated)
| extend HuntDiscovery = huntDiscoveryDate
| extend DwellDays = datetime_diff('day', HuntDiscovery, EarliestAttackerActivity)
// DwellDays = how long the attacker was present before hunting found them
// Without hunting, dwell time would have continued until a rule fired
//   or external notification arrived — potentially weeks or months longer
// The difference is the dwell time compression attributable to this hunt
Expand for Deeper Context

Immediate action: Escalate to IR. The escalation package includes:

- The finding: what was discovered, which user/device/application is affected - The evidence: the query chain that produced the finding, with result data - The timeline: when the anomalous activity began, the dwell time estimate - The initial scope assessment: how many accounts, devices, or systems appear affected - The recommended containment: session revocation, password reset, OAuth consent removal, inbox rule deletion — whatever is appropriate for the technique

Do not wait for the hunt to complete before escalating a confirmed compromise. If query 3 of 8 produces a high-confidence finding, escalate immediately. The remaining queries can continue in parallel with the IR response, or they can be incorporated into the IR investigation scope.

The escalation is the highest-value hunting output. It is a compromise discovered before any detection rule fired — an intrusion that would have continued undetected without the hunt.

When you escalate, calculate the dwell time compression — the key metric that proves hunting's value for this specific finding:

Outcome 2: Hypothesis refuted — no evidence found

The hunt examined the full scope (all data sources, full time window, entire population) and found no evidence supporting the hypothesis. The technique either has not occurred in your environment during the hunt window or has occurred in a way that left no trace in the available telemetry.

This is a positive outcome. Document it:

"Hunt [ID]: Tested hypothesis [statement]. Examined [data sources] across [time window] for [population]. No evidence of [technique] found. Hypothesis refuted for the period [start date] to [end date]."

The documentation serves four purposes. It reduces organizational uncertainty — before the hunt, you did not know whether this technique had been used against you. Now you know it has not (within the bounds of your data). It satisfies compliance requirements for proactive monitoring. It establishes a baseline for future comparison. And it feeds the Convert step — the hunt query, now validated against your data, becomes a candidate for deployment as a scheduled analytics rule.

Outcome 3: Hypothesis inconclusive

The hunt produced results that are ambiguous after analysis. One or two enrichment dimensions show anomalies, but correlated evidence is insufficient for a high-confidence finding. Legitimate explanations remain plausible.

This outcome requires judgment. Three options:

Investigate further within the hunt. Run additional enrichment queries. Expand to adjacent data sources. Check longer time windows. If additional analysis resolves the ambiguity (either confirming or refuting), conclude accordingly.

Escalate with caveats. If the ambiguous finding has high enough potential impact (privilege escalation, data exfiltration indicators), escalate to IR as a medium-confidence lead rather than a confirmed finding. The IR team investigates further with access to additional context (user interviews, endpoint forensics) that the hunter may not have.

Document and re-hunt. If the ambiguity cannot be resolved with available data, document the inconclusive finding with the specific gap that prevented resolution: "Unable to determine whether user X's SharePoint access was legitimate without confirming their project involvement — manager confirmation needed." Add a refined hypothesis to the backlog for the next hunt cycle, incorporating the additional data source or context needed.

The inconclusive outcome is operationally uncomfortable but methodologically sound. Pretending ambiguous results are either confirmed or refuted is worse than documenting the ambiguity honestly. The hunt record for an inconclusive result should explain what was found, what prevented a definitive conclusion, and what would resolve the ambiguity.

Documenting negative findings

Negative findings deserve the same documentation rigor as positive findings. The temptation is to document positive findings thoroughly (they are interesting) and dismiss negative findings with a single sentence (they are not). This asymmetry undermines the hunting program because it makes the program appear unproductive.

A well-documented negative finding answers:

- What hypothesis was tested? - What data sources were examined? - What time window was covered? - What population was included? - What queries were run (with result counts)? - What was the conclusion? - What detection rule was produced from the hunt query?

This documentation proves the organization is proactively monitoring for the technique. It proves the technique was not found — which is different from proving it was not looked for. And it provides the raw material for the Convert step, where the hunt query becomes a permanent detection.

Try it yourself

Exercise: Write a hunt conclusion

Using the results from TH1.3 and TH1.4 exercises, write a formal conclusion. Use one of the three outcome templates:

If you found a high-confidence finding: Write the escalation package — finding, evidence, timeline, scope assessment, recommended containment.

If you found no evidence: Write the negative finding documentation — hypothesis, data sources, time window, population, conclusion, and note which query is a candidate for detection rule conversion.

If results were ambiguous: Write the inconclusive documentation — what was found, what prevented resolution, and what would resolve it.

This conclusion is the fifth section of your hunt record. It determines what happens next: IR escalation, detection rule creation, or backlog refinement.

The documentation requirement

A hunt without documentation is an investigation that happened once and taught nobody. The hunt conclusion document captures: the original hypothesis, the data sources queried, the KQL patterns used, the findings (positive or negative), and the recommended actions. Negative findings — hunts that confirmed the hypothesis was wrong — are valuable because they narrow the search space for future hunts and validate that certain threat scenarios are not present in the environment. Document negative findings with the same rigor as positive ones.

⚠ Compliance Myth: "An inconclusive hunt is a failed hunt"

The myth: If the hunt does not produce a clear yes or no, the methodology failed. Hunts should always reach a definitive conclusion.

The reality: Real data is ambiguous. Attackers deliberately create ambiguity — their techniques are designed to look like legitimate activity. An inconclusive result that honestly documents the ambiguity, identifies the specific gap that prevented resolution, and adds a refined hypothesis to the backlog is more valuable than a false-confident conclusion that closes the investigation prematurely. Inconclusive hunts also reveal environmental limitations — missing data sources, inadequate baselines, insufficient enrichment — that, when addressed, improve the next hunt's ability to reach a conclusion.

Extend this approach

In organizations with formal SOC reporting, hunt conclusions should be included in monthly or quarterly security operations reports. The format: "X hunts conducted. Y hypotheses confirmed (escalated to IR). Z hypotheses refuted (negative findings documented). W hypotheses inconclusive (refined and re-queued)." This reporting demonstrates proactive security activity to leadership and audit. TH15 covers hunt reporting for leadership audiences in detail.

📋 Operational Artifact — Hunt Conclusion Templates

Confirmed finding:

"Hunt [ID] confirmed hypothesis [statement]. Evidence: [summary of correlated indicators across enrichment dimensions]. Escalated to IR as [incident ID]. Recommended containment: [actions]. Hunt query [#] submitted for detection rule conversion."

Negative finding:

"Hunt [ID] tested hypothesis [statement]. Examined [tables] across [date range] for [population]. [N] queries executed. No evidence of [technique] found. Hypothesis refuted for this period. Hunt query [#] submitted for detection rule conversion as [rule name]."

Inconclusive:

"Hunt [ID] tested hypothesis [statement]. Analysis produced [N] results with medium confidence. Resolution blocked by [specific gap — e.g., missing data source, unable to confirm user travel]. Refined hypothesis added to backlog as [new hypothesis ID]. Re-hunt scheduled for [date] with [additional data/context]."

References Used in This Subsection

  • Course cross-references: TH0.7 (value of negative findings), TH1.6 (detection rule conversion), TH15 (hunt reporting for leadership)

NE environmental considerations

NE's detection environment includes specific factors that influence this rule's operation:

Device diversity: 768 P2 corporate workstations with full Defender for Endpoint telemetry, 58 P1 manufacturing workstations with basic cloud-delivered protection, and 3 RHEL rendering servers with Syslog-only coverage. Rules targeting DeviceProcessEvents operate with full fidelity on P2 devices but may have reduced visibility on P1 devices. Manufacturing workstations in Sheffield and Sunderland represent a detection gap for endpoint-level detections.

Expand for Deeper Context

Network topology: 11 offices connected via Palo Alto SD-WAN with full-mesh connectivity. The SD-WAN firewall logs feed CommonSecurityLog in Sentinel. Cross-site lateral movement generates firewall allow events that correlate with DeviceLogonEvents — enabling multi-source detection that single-table rules cannot achieve.

User population: 810 users with distinct behavioral profiles — office workers (predictable hours, consistent applications), field engineers (variable hours, travel patterns), IT administrators (elevated privilege, broad access patterns), and manufacturing operators (fixed shifts, limited application access). Each user population has different detection baselines.

Decision point

You have time for one hunt this quarter. Do you hunt for the threat in the latest advisory or for the gap in your ATT&CK coverage matrix?

Hunt the coverage gap. Advisories describe threats that are CURRENT but may not target NE. Coverage gaps describe techniques that COULD target NE and would succeed undetected. The coverage gap hunt produces a detection rule (closing the gap permanently). The advisory-driven hunt produces a point-in-time assessment (confirming the specific threat is not present today). Both are valuable — but the coverage gap hunt has a longer-lasting impact because it produces a permanent detection improvement.

A hunt query returns 200 results. You have 4 hours remaining in the hunt window. You can investigate 20 results thoroughly or review all 200 superficially. Which approach produces better hunt outcomes?
Review all 200 — you might miss a critical finding in the 180 you skip.
Investigate 20 thoroughly. A superficial review of 200 results produces 200 'looked at it, seemed okay' assessments that provide no investigative value and no documentation for future reference. A thorough investigation of 20 results produces: confirmed findings (true positives requiring remediation), confirmed benign patterns (documented baselines for future comparison), and inconclusive results (flagged for monitoring). Prioritise the 20 by: highest anomaly score, highest-value assets involved, and highest-risk users involved. Document why the remaining 180 were not investigated and recommend a follow-up hunt with refined query criteria to reduce the result set.
Investigate 20 — but only if they are from the most recent 24 hours.
Neither — refine the query first to reduce the result set below 50.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You understand the detection gap and the hunt cycle.

TH0 showed you what detection rules fundamentally cannot catch. TH1 gave you the hypothesis-driven methodology that closes that gap. Now you run the hunts.

  • 10 complete hunt campaigns — from hypothesis through KQL execution through finding disposition, each campaign based on a real TTP
  • 70 production hunt queries — every one mapped to MITRE ATT&CK and tested against realistic telemetry
  • Advanced KQL for hunting — UEBA composite risk scoring, retroactive IOC sweeps, and hunt management metrics
  • Hypothesis-Driven Hunt Toolkit lab pack — 30 days of realistic M365 and endpoint telemetry with multiple attack patterns seeded in
  • TH16 — Scaling hunts across a team — the operating model for a production hunt program
Unlock the full course with Premium See Full Syllabus
← Previous Next →