Proactive

Hypothesis-Driven Hunting for Detection Engineers, Security Engineers, and Hunt Team Leads

Aligned to MITRE ATT&CK, Mandiant tradecraft, Sigma rules, and NIST CSF 2.0

Threat Hunting in Microsoft 365

Find what your detection rules miss — systematically, repeatedly, with evidence.

Run hypothesis-driven threat hunts across the M365 stack. Build hunt hypotheses from ATT&CK coverage gaps and threat intelligence, write the KQL queries that test them, and execute ten complete hunt campaigns targeting identity compromise, cloud persistence, privilege escalation, email threats, data exfiltration, endpoint threats, lateral movement, and pre-ransomware activity. You finish with the methodology and the hunt library to build threat hunting into an organizational capability.

What you'll deploy
10 complete hypothesis-driven hunt campaigns across identity, email, and endpoint
Hunt documentation templates with hypothesis, data sources, and findings
Sentinel hunting playbooks ready to schedule in your environment
Baseline queries that distinguish normal from anomalous in your tenant
Hunt-to-detection pipeline: every finding becomes an analytics rule
MITRE ATT&CK-mapped hunting coverage tracker
Hunt cycle — from hypothesis to detection rule

HYPOTHESIZE: Compromised accounts show auth pattern anomalies. Source: threat intel + ATT&CK coverage gap + prior IR findings.
SCOPE: SigninLogs + AADNonInteractive | 30-day window | All users. Boundaries set before first query runs.
COLLECT: KQL: first-seen device + first-seen location per user. Iterative queries — broad → refined → targeted.
ANALYZE: 3 accounts: new device + new country within 24 hours. Separate legitimate travel from account takeover.
CONCLUDE: 1 confirmed compromise → escalate to IR | 2 legitimate → document. Negative findings documented — reduces organizational uncertainty.
CONVERT: Hunt query → Sentinel analytics rule → permanent detection. What you hunted today, you detect automatically tomorrow.

Full program: 10 campaigns, 3 phases, 30–40 hours.

What you'll be able to do

Build hunt hypotheses from ATT&CK coverage gaps and threat intelligence
Write KQL hunt queries targeting identity, persistence, and exfiltration
Execute structured hunt campaigns across the M365 stack
Distinguish attacker activity from legitimate noise in hunt results
Build threat hunting into a repeatable organizational capability
Premium tier | 17 modules across 3 phases | 36–40 hours at your own pace | 40 CPE credits | 2 free modules — no account needed | Updated May 2026

Who this course is for

“I run saved queries from blog posts but I've never conducted a structured hunt.” You know KQL and you know your environment, but running someone else's queries isn't hunting. This course teaches the hypothesis-driven methodology: form the hypothesis, scope the data, write the queries, analyze results, and document findings — a repeatable process you apply to any threat.

“A threat advisory drops and I don't know how to check if we're affected.” Within an hour of reading a new advisory, you form the hypothesis, write the KQL, and know whether the technique is present in your environment. That's the capability this course builds.

“Our detection rules catch the known attacks. What about the ones they miss?” Detection rules are reactive — they catch what you already know about. Hunting is proactive: you look for the techniques your rules don't cover, find them (or confirm they're absent), and convert every finding into a new detection rule.

“I need to build a hunt program, not just run hunts.” Hunt team leads who need the organizational framework: sprint cadence, hypothesis backlog, ATT&CK coverage tracking, the monthly metrics report, and the program charter that justifies dedicated hunting time to leadership.

“I hunt but I don't document findings and nothing becomes a detection rule.” The hunt-to-detection pipeline is the force multiplier. Every hunt finding — positive or negative — gets documented. Positive findings become Sentinel analytics rules. Your detection library grows every sprint.

“I can hunt on endpoints but not in cloud or identity telemetry.” Ten campaigns across identity, email, endpoint, cloud apps, and exfiltration. You hunt where the attacker operates — not just where you're comfortable.

Whatever your background — if the subject interests you and you're willing to put in the work, this course is for you.

Before and after this course

Before

You read the threat advisory, nod, and hope your detection rules cover it. You don't have a way to check.

You run KQL queries against SigninLogs when something looks suspicious, but it's ad-hoc — no hypothesis, no scope, no documentation of what you did or didn't find.

Hunt findings never become detection rules. You find something interesting, mention it in standup, and move on. Next month the same technique appears and nobody hunted for it again.

You can't tell leadership what your ATT&CK coverage looks like or which techniques remain as gaps.

After

A threat advisory drops and you have a hunt query running against your environment within the hour. You know if you're affected before the vendor publishes a template rule.

Every hunt follows the same methodology: hypothesis, scope, collect, analyze, conclude. Negative findings are documented too — they reduce organizational uncertainty and prove you looked.

Every hunt finding becomes a Sentinel analytics rule. Your detection library grows every sprint because hunting feeds the detection pipeline.

Your ATT&CK coverage tracker shows which techniques you hunt, which you detect, and which remain as documented gaps. The monthly report tells leadership exactly where you stand.

How the course works

Three phases build from methodology through execution to organizational capability:

Phase 1
Methodology

Hypothesis-driven hunting framework, KQL for hunting (distinct from KQL for detection), ATT&CK coverage assessment, baseline building. You learn how to hunt before you start hunting.

Phase 2
Ten Hunt Campaigns

Identity compromise, cloud persistence, privilege escalation, email threats, data exfiltration, endpoint threats, lateral movement, pre-ransomware, OAuth abuse, insider activity. Each campaign end-to-end.

Phase 3
Hunt Program Operations

Sprint cadence, hypothesis backlog, ATT&CK coverage tracking, hunt-to-detection pipeline, metrics, reporting. Building hunting into an organizational capability, not a side project.

What the content looks like

This is a real hunt query from Campaign 1. You're hunting for compromised identities by looking for accounts that authenticated from a new device AND a new country within the same 24-hour window — the pattern that distinguishes account takeover from legitimate travel.

KQL — From Campaign 1: Identity Compromise Hunt
// Hunt: accounts with first-seen device + first-seen country in 24h
let LookbackDays = 30d;
let BaselineWindow = 14d;
let HuntWindow = 1d;
// Successful sign-ins only; ResultType is a string column, so compare to "0".
// Pull the device id out of the dynamic DeviceDetail column up front.
let Signins = SigninLogs
    | where TimeGenerated > ago(LookbackDays)
    | where ResultType == "0"
    | extend DeviceId = tostring(DeviceDetail_dynamic.deviceId)
    | where isnotempty(DeviceId) and isnotempty(Location);
// Baseline: devices and countries each user was seen from BEFORE the hunt window
let Baseline = Signins
    | where TimeGenerated between (ago(BaselineWindow + HuntWindow) .. ago(HuntWindow))
    | summarize KnownDevices = make_set(DeviceId), KnownCountries = make_set(Location)
        by UserPrincipalName;
// Hunt window: sign-ins where BOTH the device and the country are absent from the baseline.
// Users with no baseline at all (brand-new accounts) drop out of the inner join.
Signins
| where TimeGenerated > ago(HuntWindow)
| join kind=inner Baseline on UserPrincipalName
| where not(set_has_element(KnownDevices, DeviceId))
    and not(set_has_element(KnownCountries, Location))
| summarize FirstSeen = min(TimeGenerated), SigninCount = count()
    by UserPrincipalName, DeviceId, Location
| project UserPrincipalName, Location, DeviceId, FirstSeen, SigninCount

The query returns accounts to investigate — not alerts to triage. The module walks you through analyzing each result: is the new device a personal phone? Is the new country a VPN exit node? Is the timing consistent with the user's travel calendar? The hunt methodology teaches you to distinguish findings from noise and document both outcomes.
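The same baseline-versus-hunt-window logic as an offline, testable function over constructed SigninLogs-style rows, so the hunt logic can be checked against lab-pack data before it runs in the tenant. This is an added example, not course material; the user names, device ids, Northgate domain and the 14-day baseline / 24-hour hunt window are constructed assumptions mirroring the query above.

```python
"""First-seen device + first-seen country hunt, run offline over constructed sign-ins."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows shaped like Sentinel SigninLogs (not real tenant data).
# Columns: UserPrincipalName, deviceId, Location (country), ResultType, TimeGenerated
NOW = datetime(2026, 4, 30, 12, 0)
SAMPLE_SIGNINS = [
    ("alice@northgate.example", "dev-A1", "US", "0", NOW - timedelta(days=10)),
    ("alice@northgate.example", "dev-A1", "US", "0", NOW - timedelta(days=3)),
    ("alice@northgate.example", "dev-Z9", "NG", "0", NOW - timedelta(hours=5)),  # new device AND country
    ("bob@northgate.example", "dev-B1", "US", "0", NOW - timedelta(days=8)),
    ("bob@northgate.example", "dev-B2", "US", "0", NOW - timedelta(hours=2)),    # new device, known country
    ("carol@northgate.example", "dev-C1", "GB", "0", NOW - timedelta(days=6)),
    ("carol@northgate.example", "dev-C1", "FR", "0", NOW - timedelta(hours=1)),  # known device, new country
    ("dave@northgate.example", "dev-D1", "US", "50126", NOW - timedelta(hours=1)),  # failed: excluded
]


def hunt_new_device_and_country(signins, now=NOW, baseline=timedelta(days=14),
                                hunt_window=timedelta(days=1)):
    """Return (user, device, country, first_seen) for successful sign-ins inside the
    hunt window whose device AND country are both absent from the user's baseline."""
    known_devices = defaultdict(set)
    known_countries = defaultdict(set)
    successes = [r for r in signins if r[3] == "0"]  # ResultType "0" = success
    for user, device, country, _, ts in successes:
        # Baseline = sign-ins before the hunt window, back to the baseline horizon
        if now - baseline - hunt_window <= ts < now - hunt_window:
            known_devices[user].add(device)
            known_countries[user].add(country)
    findings = {}
    for user, device, country, _, ts in successes:
        if ts < now - hunt_window or user not in known_devices:
            continue  # outside hunt window, or no baseline to compare against
        if device not in known_devices[user] and country not in known_countries[user]:
            key = (user, device, country)
            findings[key] = min(findings.get(key, ts), ts)
    return sorted((u, d, c, t) for (u, d, c), t in findings.items())


if __name__ == "__main__":
    for user, device, country, first_seen in hunt_new_device_and_country(SAMPLE_SIGNINS):
        print(f"{user}: first seen on {device} from {country} at {first_seen:%Y-%m-%d %H:%M}")
```

Only alice surfaces: bob's new device comes from a known country and carol's new country comes from a known device, which is exactly the travel-versus-takeover split the module asks you to analyze rather than alert on.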

Lab Pack — Hypothesis-Driven Hunt Toolkit

Evidence (9 tables, 30-day window, ~4,000+ entries): SigninLogs, AuditLogs, OfficeActivity, DeviceProcessEvents, DeviceNetworkEvents, EmailEvents, DeviceFileEvents, DeviceRegistryEvents — with multiple attack chains hidden in legitimate baseline noise.

Hunt query library (~70 KQL files across 10 domains): Identity, Persistence, Escalation, Email, Exfiltration, Endpoint, Lateral Movement, Application, Ransomware, Insider, and Advanced correlation queries.

10 structured hypotheses with ATT&CK mapping and success criteria. Answers deliberately withheld — you must hunt.

Program artifacts: Charter, sprint template, maturity model, metrics template, hunt report templates, ATT&CK coverage matrix.

Threat Hunting Lab Pack
~100+ files · 9 evidence tables · 70 hunt queries · 10 hypotheses · 30-day evidence window

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may use scripts, queries, detection rules, templates, and frameworks from this course in your professional work. You may not redistribute course content, share account credentials, or republish course materials.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations is coincidental.

Version and changelog

Current version: 2.0  |  Last updated: April 2026

April 2026 — v2.0: Lab pack built with ~70 hunt queries across 10 domains, 10 structured hypotheses, 9 evidence tables (30-day window), ATT&CK coverage matrix, hunt program artifacts, and step-by-step HTML walkthroughs.

2026 — v1.0: Course launch. 17 modules (TH0–TH16) across 3 phases. Hypothesis-driven methodology across all hunt-domain modules.

This course is actively maintained. Content is updated as the M365 threat landscape and hunting techniques evolve.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 1 scenario

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.