SOC Analyst Study Notes Part III: Threat Hunting
Threat hunting empowers SOC analysts to proactively uncover stealthy attackers by using hypotheses, deep telemetry, and human-led investigation beyond alerts.
Modern attackers are no longer loud, opportunistic, or easy to detect. Many operate quietly, blend into normal activity, and deliberately avoid triggering alerts. As a result, relying solely on reactive detection leaves organizations exposed to threats that dwell undetected for weeks or months.
This installment of the SOC Analyst Study Notes series focuses on threat hunting, a proactive, analyst-driven discipline designed to uncover adversaries that evade traditional security controls. Building on the foundations of SOC operations and insider risk covered in earlier parts, Part III shifts attention from alert response to deliberate, hypothesis-driven investigation.
Rather than waiting for known indicators or signatures, threat hunting assumes the adversary may already be present and challenges analysts to actively search for abnormal behaviors, emerging techniques, and hidden compromise across the environment.
Download SOC Analyst Study Notes Part III here ⬇️
Who this document is for
This study guide is designed for practitioners and learners looking to move beyond alert-centric SOC work:
SOC analysts transitioning from reactive monitoring to proactive detection
L1, L2, and L3 analysts supporting or leading threat hunts
Blue team and detection engineering practitioners
Security professionals working across SIEM, EDR, threat intelligence, and SOAR
Students studying modern SOC workflows, MITRE ATT&CK, and adversary tradecraft
The progression is intentional, moving from core hunting concepts to methodologies, workflows, tools, environments, and real-world use cases.
Threat Hunting Overview
Threat hunting is a proactive security process where analysts actively search through systems, logs, and telemetry to identify threats that automated tools fail to detect. Unlike traditional detection, which is alert-driven and dependent on known indicators, hunting is hypothesis-driven and human-led.
At its core, threat hunting aims to:
Reduce attacker dwell time
Identify stealthy or novel attack techniques
Strengthen detection rules through feedback
Expose visibility gaps in logging and telemetry
Threat hunting reframes the SOC mindset. Instead of asking “What alerts fired?”, analysts ask, “If an attacker were here, how would they behave?”
Threat Hunting vs Traditional Detection
Threat hunting and traditional detection serve complementary but fundamentally different roles.
Traditional detection is reactive, automated, and optimized for known threats using signatures, rules, and IOCs. Threat hunting is proactive, exploratory, and focused on behavioral anomalies and attacker TTPs.
Where traditional detection produces alerts, hunting produces new detections, improved coverage, and deeper understanding of the environment. One responds to threats that are already known. The other discovers threats that were not yet understood.
Types of Threat Hunting
Threat hunting is not a single technique. The document outlines three primary hunting approaches, each serving a different purpose.
Structured Hunting
Structured hunts are framework-driven and based on known attacker behaviors. Analysts use sources such as MITRE ATT&CK to systematically investigate specific techniques like credential dumping or lateral movement.
This approach is repeatable, consistent, and ideal for ensuring coverage of high-confidence threat vectors.
Unstructured Hunting
Unstructured hunting is exploratory and often triggered by intuition, anomalies, or external tips. Analysts pivot freely across data sources, following evidence rather than predefined playbooks.
This method is especially valuable for discovering novel techniques or previously unknown threats but requires strong analytical skill.
Entity-Driven (Situational) Hunting
Entity-driven hunting focuses on specific high-risk users, assets, or environments. Hunts may be triggered by new vulnerabilities, organizational changes, or exposure of critical systems.
This risk-based approach aligns hunting activity with real business impact rather than abstract threat models.
The Threat Hunting Lifecycle
Although creative in nature, threat hunting follows a structured lifecycle similar to the scientific method:
Trigger or Hypothesis Formation
Data Collection and Analysis
Investigation and Findings
Feedback and Response
Every hunt begins with a reason. Triggers may include anomalies in logs, threat intelligence, uncovered ATT&CK gaps, or analyst intuition. These are translated into testable hypotheses that guide the investigation.
Analysts then collect telemetry across endpoints, networks, identity systems, and cloud platforms, using correlation, timeline analysis, and anomaly detection to validate or refute the hypothesis.
Regardless of outcome, findings are operationalized through detection improvements, playbook updates, or logging enhancements. Hunting is not a one-time exercise but a continuous improvement cycle.
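To make the lifecycle concrete, here is an added example that is not part of the study notes: a small hypothesis-driven hunt in Python over constructed endpoint telemetry. The hypothesis, the telemetry shape (host, parent process, child process), the rarity threshold, and the Sigma-style rule layout are all assumptions chosen for the illustration. The hunt stacks parent/child process pairs, surfaces pairs seen on very few hosts (the data-analysis step), and turns a confirmed lead into a draft detection (the feedback step).

```python
"""Hypothesis-driven hunt over constructed endpoint telemetry (added example).

Constructed hypothesis: "An attacker is executing scripts or shells spawned
from Office applications." The hunt counts how many hosts each
parent->child process pair appears on; pairs seen on very few hosts are
surfaced for analyst review, and a confirmed lead becomes a draft rule.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed telemetry: (host, parent_process, child_process). Not real data.
TELEMETRY = [
    ("ws-01", "explorer.exe", "chrome.exe"),
    ("ws-01", "WINWORD.EXE", "splwow64.exe"),
    ("ws-02", "explorer.exe", "chrome.exe"),
    ("ws-02", "WINWORD.EXE", "splwow64.exe"),
    ("ws-03", "WINWORD.EXE", "splwow64.exe"),
    ("ws-03", "WINWORD.EXE", "powershell.exe"),  # rare: Word launching PowerShell
    ("ws-04", "WINWORD.EXE", "splwow64.exe"),
    ("ws-05", "WINWORD.EXE", "splwow64.exe"),
    ("ws-06", "OUTLOOK.EXE", "WINWORD.EXE"),      # rare but benign once triaged
    ("ws-07", "EXCEL.EXE", "cmd.exe"),            # rare: Excel launching cmd
    ("ws-08", "services.exe", "svchost.exe"),
]


@dataclass
class Hypothesis:
    """A testable statement about attacker behaviour, scoped to what to look for."""
    name: str
    parents: set[str]   # parent processes the hypothesis is about (lowercase)
    max_hosts: int      # a pair seen on at most this many hosts counts as rare


HYPOTHESIS = Hypothesis(
    name="Office application spawning a shell or script interpreter",
    parents={"winword.exe", "excel.exe", "outlook.exe"},
    max_hosts=2,
)


def stack_pairs(telemetry):
    """Stack counting: map each (parent, child) pair to the set of hosts it was seen on."""
    hosts = defaultdict(set)
    for host, parent, child in telemetry:
        hosts[(parent.lower(), child.lower())].add(host)
    return hosts


def hunt(hyp, telemetry):
    """Return rare parent/child pairs relevant to the hypothesis, least prevalent first."""
    stacked = stack_pairs(telemetry)
    leads = []
    for (parent, child), hosts in stacked.items():
        if parent in hyp.parents and len(hosts) <= hyp.max_hosts:
            leads.append((parent, child, sorted(hosts)))
    return sorted(leads, key=lambda lead: (len(lead[2]), lead[0], lead[1]))


def to_detection(parent, child):
    """Feedback step: express a confirmed lead as a Sigma-style rule (constructed shape)."""
    return {
        "title": f"{parent} spawning {child}",
        "logsource": {"category": "process_creation", "product": "windows"},
        "detection": {
            "selection": {
                "ParentImage|endswith": f"\\{parent}",
                "Image|endswith": f"\\{child}",
            },
            "condition": "selection",
        },
        "level": "high",
    }


if __name__ == "__main__":
    for parent, child, hosts in hunt(HYPOTHESIS, TELEMETRY):
        print(f"lead: {parent} -> {child} on {hosts}")
    # An analyst confirms the Word -> PowerShell lead and converts it to a rule.
    print(to_detection("winword.exe", "powershell.exe"))
```

Note that the hunt returns three leads, one of which (Outlook opening Word) is benign once an analyst looks at it. That is the point of the investigation step: stacking narrows the search, and human review decides which leads become detections and which become documented normal behaviour.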
Tools Used in Threat Hunting
Threat hunting relies on breadth of visibility rather than a single tool. Common platforms include:
SIEM for centralized log search
EDR and endpoint telemetry tools
Network analysis platforms for traffic metadata
Threat intelligence platforms for enrichment
YARA for file and memory scanning
SOAR platforms to automate repeatable actions
The value of these tools is unlocked through analyst-driven investigation, not automation alone.
Threat Hunting Across Environments
Threat hunting is environment-specific. On-premises networks, cloud platforms, endpoints, and OT environments each present unique risks and telemetry sources.
Hunters adapt their focus depending on whether they are investigating lateral movement, API abuse, fileless malware, or unsafe industrial protocols. Effective programs tailor hunts to where attackers are most likely to operate, not where tooling is most convenient.
SOC Tier Responsibilities in Threat Hunting
Threat hunting responsibilities vary by SOC tier.
L1 analysts support hunting by identifying anomalies, validating alerts, and documenting normal behavior
L2 analysts initiate structured and situational hunts, build timelines, and develop reusable queries
L3 analysts design advanced hunts, create detections, close visibility gaps, and lead the overall hunting program
Together, these roles bridge reactive SOC operations with proactive defense.
Sample Hunting Use Cases
The document presents real-world hunting scenarios, including:
Malware persisting by masquerading as legitimate Windows services
Insider-driven data exfiltration via personal cloud storage
Detection logic created from discovered attack patterns
Each use case demonstrates how hypotheses translate into findings, containment, and long-term defensive improvements.
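The first use case above, malware persisting as a look-alike Windows service, is a good candidate for a structured hunt. The following Python is an added example, not code from the study notes: it runs over constructed service-installation records (host, service name, image path, in the spirit of Windows System event 7045) and flags three things a hunter would check: a legitimate service name backed by an unexpected binary, a service name that closely resembles a legitimate one, and a binary living in a user-writable location. The known-service baseline and the user-writable path list are deliberately small assumptions for the illustration.

```python
"""Hunt for services masquerading as legitimate Windows services (added example).

Input records are constructed (host, service_name, image_path) tuples
modelled on service-installation events. Nothing here is real telemetry.
"""
from __future__ import annotations

import re

# Assumed baseline: legitimate service name -> expected executable (lowercase).
# A real hunt would build this from a golden image or fleet-wide stacking.
KNOWN_SERVICES = {
    "spooler": "c:\\windows\\system32\\spoolsv.exe",
    "wuauserv": "c:\\windows\\system32\\svchost.exe",
    "winrm": "c:\\windows\\system32\\svchost.exe",
}

# Path fragments that indicate a user-writable location (assumption for the example).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\", "\\downloads\\")

# Constructed service-installation records.
EVENTS = [
    ("srv-01", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("ws-02", "Spooler", r"C:\Users\jdoe\AppData\Roaming\spoolsv.exe"),
    ("ws-03", "Spoo1er", r"C:\ProgramData\svc\spoolsv.exe"),
    ("ws-04", "Windows Update Helper", r"C:\Windows\Temp\wuh.exe"),
    ("ws-05", "wuauserv", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]


def image_binary(image_path):
    """Extract the executable from an image path, dropping quotes and arguments."""
    match = re.match(r'^"?(.*?\.exe)', image_path.strip(), re.IGNORECASE)
    return (match.group(1) if match else image_path).lower()


def levenshtein(a, b):
    """Edit distance, used to spot look-alike names such as 'Spoo1er' vs 'Spooler'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(event):
    """Return the list of reasons a service record deserves analyst attention."""
    _host, name, path = event
    reasons = []
    key = name.lower()
    binary = image_binary(path)
    if key in KNOWN_SERVICES:
        # Right name, wrong binary: a classic masquerade.
        if binary != KNOWN_SERVICES[key]:
            reasons.append(f"known service name with unexpected binary {binary}")
    else:
        # Not a known name, but within two edits of one: a look-alike.
        for known in KNOWN_SERVICES:
            if 0 < levenshtein(key, known) <= 2:
                reasons.append(f"name resembles legitimate service '{known}'")
                break
    if any(fragment in binary for fragment in USER_WRITABLE):
        reasons.append("binary in user-writable location")
    return reasons


def hunt(events):
    """Run the checks over every record and keep only those with findings."""
    results = []
    for event in events:
        reasons = assess(event)
        if reasons:
            results.append((event[0], event[1], reasons))
    return results


if __name__ == "__main__":
    for host, name, reasons in hunt(EVENTS):
        print(f"{host}: service '{name}' -> {'; '.join(reasons)}")
```

Each flagged record is a lead, not a verdict: the expected next step is to pull the binary's hash and signature, check when the service was created on that host, and, if confirmed, feed the service name and path pattern back into a detection rule and the known-service baseline.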
Measuring Threat Hunting Effectiveness
Mature hunting programs track impact through metrics such as:
New detection rules created from hunts
Incidents discovered exclusively through hunting
MITRE ATT&CK technique coverage
Visibility gaps identified and remediated
Progression through the Hunting Maturity Model
These metrics help SOC leadership justify investment and guide program evolution.
Conclusion
Threat hunting transforms the SOC from a reactive alert factory into an active defensive capability. By combining analyst intuition, structured workflows, and deep telemetry, organizations can detect threats that automated systems miss.
SOC analysts are central to this shift. When threat hunting is embedded into daily operations, security teams move closer to anticipating attackers rather than chasing them.
If you find this material useful, subscribe to CyberMaterial’s Substack for daily cybersecurity briefings, practical SOC insights, and structured learning resources.