The Detection Gap — Why Mature SOCs Still Need Hunting
0.1 — What is threat hunting
Threat hunting is the practice of proactively searching through your environment for evidence of malicious activity that your detection rules missed. Not alert triage. Not incident response. Not detection engineering. Hunting operates in the space between what your analytics rules catch and what is actually happening in your logs.
Every M365 environment has this gap. Mandiant's M-Trends 2026 report, drawn from over 500,000 hours of incident response investigations, found that global median dwell time rose to 14 days in 2025, and that cyber espionage campaigns averaged 122 days of undetected access, with some persisting over a year. Those are organizations with SIEMs, with endpoint detection, with security operations teams. The attackers were present and active in their environment for weeks or months, and nothing fired.
The reason is structural, not operational. A 2025 industry analysis found that enterprise SIEMs have detection coverage for just 21% of adversary techniques defined in the MITRE ATT&CK framework. When narrowed to the ten most frequently used techniques in observed attacks, organizations covered only four. The gap exists because there are more techniques than any team can write rules for, because attackers adapt faster than rule libraries update, and because some behaviors are too context-dependent to model as static detection logic.
Hunting addresses the gap directly. A threat hunter forms a hypothesis about attacker behavior, derived from threat intelligence, ATT&CK coverage gaps, or prior incident findings, and searches the available telemetry for evidence. Each hunt produces one of three outcomes: evidence of compromise, evidence of misconfiguration, or a confirmed absence of evidence, which still reduces uncertainty. Every hunt that produces a true positive generates a detection rule that catches the same behavior automatically in future. This is the hunt-to-detection pipeline, and it permanently expands your SOC's coverage with every cycle.
This course teaches you to do that systematically across Microsoft 365, Entra ID, Defender XDR, and Sentinel. You will form hypotheses, scope hunts, write iterative KQL queries against production telemetry, analyze results, document findings, and convert what you find into analytics rules that your SOC inherits.
0.2 — What you will learn
Eight sections build the complete business case for hunting, the data sources that make it possible, and the organizational framework that makes it sustainable.
Section 0.1 — The Detection Gap. Coverage ratio quantifies which ATT&CK techniques have detection rules. Dwell time quantifies what the gap costs. Both metrics establish the baseline that the hunting program will improve.
Section 0.2 — Why Detection Engineering Cannot Close the Gap. Five structural limitations prevent detection rules from covering the full threat surface. These are architectural constraints, not staffing problems.
Section 0.3 — The M365 Threat Landscape. AiTM session hijacking, living-off-the-cloud, OAuth persistence, and hybrid identity exploitation operate inside the detection gap using legitimate credentials and standard operations.
Section 0.4 — Where Hunting Fits. The operational boundaries between hunting, incident response, and detection engineering, the six handoffs that connect them, and the common objections that prevent organizations from starting.
Section 0.5 — The Business Case for Hunting. The hunt-to-detection pipeline as compounding investment, the cost model, and three communication formats that secure leadership approval.
Section 0.6 — Organizational Readiness and Data Sources. Five prerequisites for a sustainable program and the M365 data source map that defines which tables each hunt campaign queries.
Section 0.7 — The Hunter's Skillset and Maturity. Five cognitive skills that separate effective hunters from analysts running queries, and the Hunting Maturity Model that measures program progression.
Section 0.8 — Your First 90 Days. Seven metrics, a four-phase 90-day roadmap, and the Day 90 checkpoint that proves the investment is working.
0.3 — What makes Microsoft 365 ideal for threat hunting
M365 with E5 licensing and Sentinel provides the telemetry density that hunting requires. The data exists. The question is whether anyone is looking at it systematically.
Unified identity and access telemetry. Entra ID records every authentication event, every conditional access evaluation, every directory change, every application consent grant. SigninLogs and AuditLogs capture the identity layer at a granularity that on-premises Active Directory logging never achieved. When an attacker compromises a credential and moves through your environment, the evidence trail exists in these tables.
Cross-workload visibility. Defender XDR Advanced Hunting queries 33 tables spanning identity, email, endpoint, and cloud application activity in a single query engine. An attacker who compromises a mailbox via AiTM phishing, establishes persistence via an inbox rule, moves laterally via OAuth consent phishing, and exfiltrates data via SharePoint produces records across EmailEvents, CloudAppEvents, SigninLogs, and AuditLogs. Hunting queries correlate across these tables without data normalization or manual joins between separate tools.
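As an added illustration of this kind of cross-table correlation (example query written for this page, not part of the course material), the following Sentinel KQL joins risky successful sign-ins from SigninLogs to application consent grants recorded in AuditLogs for the same user within 24 hours. The 7-day window, the risk levels chosen, and the 24-hour pairing window are assumptions for the example, not values from the page.

```kql
// Added example: correlate risky sign-ins with subsequent OAuth consent grants.
// Assumes standard Sentinel SigninLogs and AuditLogs schemas.
let window = 7d;
// Successful sign-ins that Entra ID Protection flagged as medium or high risk
let riskySignins = SigninLogs
    | where TimeGenerated > ago(window)
    | where ResultType == "0"                      // "0" = success
    | where RiskLevelDuringSignIn in ("medium", "high")
    | project SigninTime = TimeGenerated,
              UserPrincipalName = tolower(UserPrincipalName),
              IPAddress, AppDisplayName, RiskLevelDuringSignIn;
// Consent grants: the actor is in the InitiatedBy dynamic column,
// the consented application is the first TargetResources entry
let consents = AuditLogs
    | where TimeGenerated > ago(window)
    | where OperationName == "Consent to application"
    | extend UserPrincipalName = tolower(tostring(InitiatedBy.user.userPrincipalName))
    | extend ConsentedApp = tostring(TargetResources[0].displayName)
    | project ConsentTime = TimeGenerated, UserPrincipalName, ConsentedApp;
// Pair each risky sign-in with consents by the same user in the next 24 hours
riskySignins
| join kind=inner consents on UserPrincipalName
| where ConsentTime between (SigninTime .. (SigninTime + 24h))
| project UserPrincipalName, SigninTime, IPAddress, RiskLevelDuringSignIn,
          ConsentTime, ConsentedApp
| order by ConsentTime desc
```

Each row is a hypothesis to verify, not a verdict: confirm whether the consented application is one the organization expects before escalating.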
Behavioral telemetry depth. DeviceProcessEvents records process creation with full command lines, parent-child relationships, and file hashes. DeviceNetworkEvents captures outbound connections with destination IPs and ports. This endpoint telemetry, combined with the identity and cloud telemetry, gives hunters the multi-layer visibility required to detect attacker tradecraft that evades single-layer detection.
Native KQL query engine. KQL is the query language across Sentinel and Defender XDR Advanced Hunting. A single language, a single syntax, querying across every relevant data source. Statistical operators like make-series, series_decompose_anomalies, and percentile enable behavioral baselining directly in the hunting workflow.
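The baselining workflow described above, as an added example that is not part of the course: make-series builds an hourly time series of failed sign-ins per user, and series_decompose_anomalies flags hours that deviate from each user's own trend and seasonality. The 14-day lookback, hourly bin and anomaly threshold of 2.5 are assumptions chosen for the example.

```kql
// Added example: behavioral baseline of failed sign-ins per user in Sentinel.
// Assumes the standard SigninLogs schema (ResultType is a string, "0" = success).
let lookback = 14d;
let binSize = 1h;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"                          // failed sign-ins only
// One fixed-step series per user; hours with no failures become 0, not gaps
| make-series Failures = count() default = 0
    on TimeGenerated from ago(lookback) to now() step binSize
    by UserPrincipalName
// Decompose each series; threshold 2.5 (default 1.5) cuts noise,
// seasonality -1 autodetects the period, 'linefit' models the trend
| extend (Anomalies, Score, Baseline) =
    series_decompose_anomalies(Failures, 2.5, -1, 'linefit')
// Expand the arrays back to one row per user per hour
| mv-expand TimeGenerated to typeof(datetime),
            Failures to typeof(long),
            Anomalies to typeof(double),
            Score to typeof(double),
            Baseline to typeof(double)
| where Anomalies == 1                             // positive spikes only
| project TimeGenerated, UserPrincipalName, Failures,
          Baseline = round(Baseline, 1), Score = round(Score, 2)
| order by Score desc
```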
30-day Advanced Hunting retention. Defender XDR retains raw telemetry for 30 days in Advanced Hunting. Sentinel extends this with configurable retention (90 days default, extendable). The hunt campaigns in this course are designed around these retention windows.
0.4 — How to get the best from this module
Module 0 is the business case, organizational readiness, and landscape module. It does not involve hands-on KQL. The technical work begins in Module 1 (Hunt Cycle methodology) and intensifies through the campaign modules.
Read the sections in order. Sections 0.1 through 0.2 establish the detection gap with data and structural analysis. Section 0.3 maps the M365 threat landscape. Sections 0.4 through 0.5 position hunting operationally and build the business case. Sections 0.6 through 0.8 assess readiness, skills, and the 90-day plan.
Estimated time: 3 to 4 hours for the full module. You can complete it in a single session or spread across a week.
If you already have leadership approval and an operating hunting program, Section 0.1 (the detection gap measurement) still provides the coverage framework you will use throughout the course. Section 0.6 (readiness and data sources) provides the self-assessment that calibrates your starting point.
0.5 — Module structure
- Section 0.1 — The Detection Gap
- Section 0.2 — Why Detection Engineering Cannot Close the Gap
- Section 0.3 — The M365 Threat Landscape
- Section 0.4 — Where Hunting Fits
- Section 0.5 — The Business Case for Hunting
- Section 0.6 — Organizational Readiness and Data Sources
- Section 0.7 — The Hunter's Skillset and Maturity
- Section 0.8 — Your First 90 Days
- Module Summary
No KQL prerequisite for this module. The business case, readiness assessment, and organizational framework are foundational regardless of technical proficiency.
Go to Section 0.1 — The Detection Gap to begin. It quantifies the gap between "we have analytics rules" and "we can detect this attack," the number that frames every hunt campaign in the course.