TH0.11 The Human Factor
Section 0.10 mapped the M365 data sources your hunts will query — identity tables, collaboration logs, and endpoint telemetry across three clusters. You know where the data lives and how long it's retained. But data availability doesn't determine hunting effectiveness. Two analysts with identical Sentinel access, identical KQL proficiency, and identical data retention will produce dramatically different results. The difference is cognitive — five skills that transform query output into operational intelligence. This section defines those skills and gives you a development path for each.
Scenario
Rachel Okafor needs to assign the first hunting rotation. Two candidates: Priya Sharma has 18 months on the SOC, handles alert triage daily, knows the environment's normal patterns from memory, but holds no hunting certification. A contractor, recently hired, holds GCTH and has hunted in three previous engagements — all in AWS environments, none in M365. Marcus Webb recommends Priya. Phil Greaves pushes back: "The contractor is certified. Priya isn't." Marcus needs to articulate exactly which skills matter for hunting and why certification alone doesn't predict effectiveness.
The gap between running queries and hunting
Every campaign module in this course provides the KQL. You can copy each query, run it, and get results. That's not hunting. Hunting is the cognitive work between the results and the decision — interpreting what the data shows, determining what it means in your specific environment, and judging whether to escalate, investigate further, or close.
This cognitive work requires five skills that don't appear in KQL documentation, can't be validated by multiple-choice exams, and develop only through deliberate practice. They're the reason two analysts with identical technical access produce different outcomes — and the reason Marcus recommends Priya over the certified contractor.
Skill 1 — Environmental knowledge
A new IP address in SigninLogs means nothing without context. Does it belong to the corporate VPN, a legitimate cloud proxy, or an attacker's relay? An inbox rule creation in CloudAppEvents means nothing without knowing whether the organization routinely creates rules via PowerShell for automated mailbox management. A process execution in DeviceProcessEvents means nothing without knowing whether that binary ships with a deployed application.
Environmental knowledge — deep familiarity with what normal looks like in your specific organization — is the skill that converts raw query results into contextual understanding. It can't be taught generically. It develops through operating in the environment: triaging alerts, investigating incidents, reading the data daily.
This is why experienced SOC analysts make effective hunters. They've spent months seeing the legitimate patterns. When a hunting query surfaces an anomaly, their accumulated understanding of "what normal looks like here" enables the judgment: this is unusual, or this is Tuesday for the finance team. Priya has 18 months of Northgate Engineering's patterns stored in working memory. The contractor has three AWS environments — none of which share NE's conditional access policies, application portfolio, or user behavior baseline.
The orientation queries in each campaign module serve a dual purpose. They test the hypothesis and they teach you what normal looks like in the data. Run them even when you think you already know. The data will surprise you.
Skill 2 — Lateral thinking
A detection rule matches a single pattern. Hunting follows connections. The AiTM session token replay appears in AADNonInteractiveUserSignInLogs — but the attacker's next step (inbox rule creation) appears in CloudAppEvents, and the phishing email that started it appears in EmailEvents. Following the attack chain across data sources requires lateral thinking: what would the attacker do next? Where would that activity appear? Which table records it?
Lateral thinking in hunting means asking "and then what?" at every stage. You found a suspicious sign-in from a new IP. And then what did the attacker do from that session? You found an inbox rule. And then what was the rule designed to hide? You found a consented OAuth application. And then what data did the application access?
Each "and then what?" generates a pivot query. The ability to generate those pivots — to anticipate the attacker's next move based on the current finding — transforms a single-table anomaly into a multi-source investigation. This skill maps directly to the three-cluster data source structure from Section 0.10. Every pivot crosses a cluster boundary: identity to collaboration, collaboration to endpoint, endpoint back to identity.
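The AiTM chain described above, written out as linked pivot queries. This is an added example, not one of the course's campaign queries. It assumes placeholder values for the user and the suspect IP (replace both), that the non-interactive sign-in's UserId matches CloudAppEvents.AccountObjectId (both are the Entra object id), that the sign-in UPN equals the recipient address in EmailEvents, and that Exchange audit records in CloudAppEvents carry the rule parameters under RawEventData.Parameters.

```kql
// Added example: the "and then what?" pivot chain for the AiTM scenario.
// Not part of the course modules. target_upn and suspect_ip are placeholders.
let target_upn = "user@example.com";        // placeholder, not a real account
let suspect_ip = "203.0.113.10";            // placeholder (TEST-NET-3 documentation range)
let lookback = 14d;
// Step 1 - the finding: successful non-interactive sign-ins for the user from the
// suspect IP. A replayed session token surfaces here, not in interactive sign-ins.
let suspect_sessions =
    AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(lookback)
    | where UserPrincipalName =~ target_upn and IPAddress == suspect_ip
    | where ResultType == "0"                               // success only
    | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
                Apps = make_set(AppDisplayName) by UserPrincipalName, UserId, SessionId;
// Step 2 - and then what did the attacker do from that session?
// Inbox rule changes land in CloudAppEvents; join on the object id.
let rule_changes =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules")
    | project RuleTime = Timestamp, AccountObjectId, ActionType, RuleIP = IPAddress,
              // assumption: Exchange audit parameters are exposed here
              RuleParams = tostring(parse_json(RawEventData).Parameters);
// Step 3 - and then what started it? Mail with a URL received by the user in the
// week before the first suspect sign-in is where the lure usually sits.
let lure_mail =
    EmailEvents
    | where Timestamp > ago(lookback + 7d)
    | where RecipientEmailAddress =~ target_upn
    | where UrlCount > 0
    | project MailTime = Timestamp, RecipientEmailAddress, SenderFromAddress, Subject,
              ThreatTypes, DeliveryAction, NetworkMessageId;
suspect_sessions
| join kind=leftouter rule_changes on $left.UserId == $right.AccountObjectId
| where isnull(RuleTime) or RuleTime between (FirstSeen .. (LastSeen + 1h))
| join kind=leftouter lure_mail on $left.UserPrincipalName == $right.RecipientEmailAddress
| where isnull(MailTime) or MailTime between ((FirstSeen - 7d) .. FirstSeen)
| project UserPrincipalName, SessionId, FirstSeen, LastSeen, Apps,
          ActionType, RuleTime, RuleIP, RuleParams,
          MailTime, SenderFromAddress, Subject, ThreatTypes, DeliveryAction
| order by FirstSeen asc
```

Both joins are leftouter on purpose: a session with no rule change and no lure mail still appears as a row, so a missing pivot is visible as an empty column rather than a silently dropped result. Each step crosses a cluster boundary from Section 0.10 (identity to collaboration, collaboration back to email), which is the pivot habit this skill describes.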
Skill 3 — Ambiguity tolerance
Most hunt results are ambiguous. The data shows something unusual but doesn't definitively prove compromise. A single anomalous sign-in could be an attacker or a user on vacation. A single inbox rule could be malicious or a user organizing their email. A single file download spike could be data exfiltration or a legitimate quarter-end reporting cycle.
Analysts accustomed to alert triage — where the detection rule has already made the initial judgment — may find hunting's ambiguity uncomfortable. There's no confidence score attached. No rule pre-filtered the results. The analyst works with raw data and must build the confidence assessment themselves through enrichment across multiple dimensions.
The skill is sitting with ambiguity long enough to enrich before making a judgment. Not jumping to "this is fine" (rationalization) or "this is definitely an attack" (confirmation bias), but methodically adding context until the evidence supports a conclusion. Section 0.9 addressed this as Myth 4 — hunting produces ambiguous results. The response is the same: ambiguity is the starting state, not the end state. The enrichment process resolves it.
Skill 4 — Investigative patience
A hunt is not a single query. It's five to fifteen queries, each informed by the last. The analyst who runs the first query, gets 500 results, and says "too noisy — the technique isn't present" has not hunted. They've glanced. The signal was in the 500 results — it required narrowing, enriching, and contextualizing to extract.
Investigative patience means running the next query when the first one returned noise. It means examining outliers instead of dismissing them. It means following a thread through three data sources before concluding it's legitimate. The difference between a two-hour hunt that finds nothing and a six-hour hunt that discovers a compromise is often the analyst's willingness to keep pulling on ambiguous threads.
This is where protected time matters. Section 0.8 identified protected time as a prerequisite because hunting without patience produces nothing. An analyst who knows they'll be pulled back to alert triage in 30 minutes won't commit to the iterative refinement that produces results.
Skill 5 — Negative documentation discipline
The natural tendency is to document what you found. The discipline is to document what you didn't find — and to treat the absence of findings as an output, not a failure.
Section 0.7 established the value of negative findings: each documented "no evidence found" result narrows the adversary's options and strengthens confidence in the areas already covered. The skill is doing it consistently — completing the hunt record even when the conclusion is negative. Writing the scope, the queries, the result counts, and the conclusion for every hunt. Not just the exciting ones. This discipline is what makes a hunting program auditable, measurable, and improvable.
Organizations that skip negative documentation accumulate a dangerous blind spot. They know where they've found threats but not where they've confirmed absence. Over time, the coverage map becomes fiction because nobody recorded which areas were actually searched. When a breach occurs in an area that was supposedly "covered," the post-incident review reveals that no hunt ever actually examined it — the coverage assumption was inherited from a single detection rule that may not have fired correctly in months.
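A coverage map built from hunt records, as an added example that is not part of the course's hunt record template. Both tables are constructed sample data (datatable), so the query runs in any Log Analytics or Kusto query window without touching real logs. It assumes the hunt record captures technique, date, query count, result count and conclusion, as described above; the technique list and dates are illustrative, and the "today" value is fixed so the output is reproducible.

```kql
// Added example: distinguish "confirmed absent" from "assumed covered" using hunt records.
// Constructed sample data; not the course's own template or real hunt output.
let stale_days = 90;
let now_ = datetime(2025-06-30);                 // fixed "today" for a reproducible sample
// Techniques the program claims to cover (the coverage assumption).
let in_scope = datatable(Technique:string, Description:string) [
    "T1566.002", "Phishing: spearphishing link",
    "T1114.003", "Email forwarding rule",
    "T1528",     "Steal application access token",
    "T1078.004", "Valid accounts: cloud accounts",
    "T1110.003", "Password spraying"
];
// What was actually hunted, negatives included. A hunt with zero results and a
// written conclusion is a record; a hunt with no conclusion is an incomplete one.
let hunt_records = datatable(Technique:string, HuntDate:datetime, QueryCount:int,
                             ResultCount:long, Conclusion:string) [
    "T1566.002", datetime(2025-06-20), 7,  3, "Findings escalated to IR",
    "T1114.003", datetime(2025-06-12), 9,  0, "No evidence found",
    "T1528",     datetime(2025-02-03), 5,  0, "No evidence found",
    "T1078.004", datetime(2025-06-25), 11, 0, ""        // record never completed
];
in_scope
| join kind=leftouter (
      hunt_records
      | summarize arg_max(HuntDate, *) by Technique    // latest hunt per technique
  ) on Technique
| extend DaysSinceHunt = datetime_diff("day", now_, HuntDate)
| extend CoverageStatus = case(
      isnull(HuntDate),            "NEVER HUNTED - coverage is assumed, not verified",
      isempty(Conclusion),         "INCOMPLETE RECORD - result count without conclusion",
      DaysSinceHunt > stale_days,  "STALE - last hunt older than 90 days",
      ResultCount > 0,             "Findings - see hunt record",
                                   "Confirmed absent - negative result on file")
| project Technique, Description, HuntDate, DaysSinceHunt, ResultCount, Conclusion, CoverageStatus
| order by CoverageStatus asc
```

With the sample data, T1110.003 comes back as never hunted, T1078.004 as an incomplete record, T1528 as stale, T1566.002 as findings, and only T1114.003 as confirmed absent. The first three rows are exactly the blind spot the paragraph above describes: without the negative records, all five techniques would look equally "covered".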
// Measure lateral thinking: what percentage of closed incidents
// involved investigation across multiple data sources?
// Higher multi-source percentages suggest analysts who follow
// connections rather than analyzing alerts in isolation.
// SecurityIncident stores one row per incident update, so keep only
// the latest row per incident before counting.
SecurityIncident
| where TimeGenerated > ago(180d)
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Status == "Closed"
| extend AlertCount = toint(parse_json(tostring(AdditionalData)).alertsCount)
| where AlertCount > 0
| summarize SingleSource = countif(AlertCount == 1),
            MultiSource = countif(AlertCount > 1),
            AvgAlertsPerIncident = avg(AlertCount)
| extend MultiSourcePct = round(100.0 * MultiSource / (SingleSource + MultiSource), 1)
// Below 30% multi-source: team investigates alerts in isolation
// 30-60%: developing lateral investigation habits
// Above 60%: strong cross-source correlation — ready for hunting
This query measures one observable proxy for lateral thinking. Teams where most incidents involved only a single alert source are teams that investigate in silos — the analyst checks the triggering table and closes. Teams where incidents routinely involve multiple alert sources demonstrate the cross-table investigation pattern that hunting demands.
Run this against your own Sentinel instance. The result tells you something about team readiness that no certification or interview question can reveal.
Marcus presents two candidates for Northgate Engineering's first hunting rotation. The selection criteria map directly to the five skills:
Priya Sharma — 18 months on NE's SOC. Knows the environment's conditional access policies, normal sign-in patterns, and service account behavior from daily triage. Regularly pivots across data sources during incident investigation. Comfortable with ambiguous alert data. Completes investigation notes for every ticket including false positives. No hunting certification.
Contractor — GCTH certified. Hunted in three AWS environments using CloudTrail and GuardDuty. Strong KQL fundamentals. No exposure to M365 data sources, NE's conditional access baseline, or the organization's application portfolio.
Environmental knowledge: Priya — 18 months of NE-specific baselines vs. zero.
Lateral thinking: Both — Priya demonstrates it in IR; the contractor demonstrated it in previous engagements.
Ambiguity tolerance: Priya — daily triage builds this; the contractor's tolerance is untested in an M365 context.
Investigative patience: Both — observable but not yet measured.
Documentation discipline: Priya — completes notes for every ticket, including negatives.
Marcus's recommendation: Priya for the first rotation. The contractor's certification validates knowledge of hunting methodology — valuable, and NE should invest in training Priya toward that certification over time. But environmental knowledge is the hardest skill to acquire and the most critical for the first hunts. Priya starts with the environment. The contractor starts without it.
Developing these skills through practice
Certifications validate knowledge. They don't create hunting capability. The five skills develop through structured practice — which is exactly what the campaign modules in this course provide. Each campaign exercises all five skills simultaneously: the orientation queries build environmental knowledge, the pivot queries develop lateral thinking, the ambiguous results train tolerance, the multi-step refinement builds patience, and the hunt record template enforces documentation discipline.
The most effective accelerator beyond individual practice is peer review. When multiple analysts hunt, periodic review sessions — reading how someone else approached a hypothesis, what queries they ran, how they interpreted ambiguous results — develop judgment faster than solo repetition. One analyst's blind spot is another's strength. The review process transfers contextual knowledge that doesn't exist in documentation.
For Northgate Engineering, Marcus proposes a development sequence: Priya runs the first three campaigns with documented hunt records. The contractor reviews them, bringing methodology expertise from previous engagements. Both learn. Priya absorbs formal structure from the contractor's feedback. The contractor absorbs NE-specific environmental knowledge from Priya's hunt records. After three campaigns, both are more effective hunters than either would have been alone.
There's a practical development pattern worth adopting. After each campaign, the analyst writes a brief retrospective answering three questions: which of the five skills felt strongest during this hunt, which felt weakest, and what would I do differently next time? Over five campaigns, these retrospectives reveal the analyst's development trajectory more accurately than any external assessment. The analyst who consistently identifies documentation as their weakest area knows where to focus deliberate effort. The analyst who consistently names ambiguity tolerance has a different development path.
Team composition for sustained hunting
A single hunter operating in isolation plateaus. The five skills don't develop evenly in one person — most analysts are strong in two or three and developing in the others. Effective hunting programs pair complementary skill profiles rather than seeking unicorns who excel at all five.
The analyst with deep environmental knowledge but less patience benefits from working alongside the analyst who will follow threads for hours. The analyst with strong lateral thinking but weak documentation discipline benefits from a partner who records everything. Pair hunting — two analysts working the same campaign together — produces better results than either working alone because each compensates for the other's developing areas.
Rotation also matters. An analyst who hunts for three months then returns to alert triage for six months loses the investigative patience and documentation habits they built. Sustained skill development requires consistent hunting cadence — even one campaign per month maintains the cognitive patterns. Section 0.15 addresses this cadence in the 90-day implementation plan.
For organizations that can't dedicate multiple analysts to hunting, the campaign structure in this course compensates. Each campaign provides the hypothesis (reducing the demand on lateral thinking), structures the query sequence (building patience through defined steps), and includes the hunt record template (enforcing documentation). The structure scaffolds the developing skills while the analyst builds them through repetition. As the analyst completes more campaigns, they'll find themselves modifying the provided queries, generating their own pivot ideas, and extending the hunt beyond the structured steps. That's the skills developing.
Figure TH0.11 — Five cognitive hunting skills and their development mechanisms. Technical proficiency is the prerequisite. These skills determine what you do with the results.
Anti-pattern
Selecting hunters by certification rather than demonstrated cognitive skills. Certifications validate methodology knowledge — valuable for career development and useful as a training target. But a certified analyst without environmental knowledge in your specific M365 tenant will spend the first three months building the baseline that your experienced SOC analysts already carry. Select for the skills that are hardest to acquire (environmental knowledge, ambiguity tolerance). Train for the skills that formal programs teach well (methodology, documentation frameworks). The optimal path: assign your experienced SOC analysts to hunting, then invest in their certification as a development goal — not a prerequisite.
Principle
Hunting skills develop through practice, not study. Certifications validate. Experience builds. The campaign modules in this course are structured to exercise all five cognitive skills simultaneously — each hunt is a development opportunity, not just a detection opportunity. Treat them as both.
Section 0.12 takes these individual skills and places them within an organizational maturity framework — how hunting programs evolve from ad hoc analyst-driven efforts into repeatable, measurable operations. The maturity model shows where your program sits today and what it takes to reach the next level.