The Hunt Cycle — A Structured Methodology
1.1 What the Hunt Cycle methodology is
Most analysts who try hunting do it ad hoc. They open Advanced Hunting, write a query based on something they read in a threat report, scan the results, and move on. If the query returns nothing interesting, the hunt is done. If it returns something suspicious, they investigate — but without a framework for determining whether the result is a genuine finding or noise they do not yet understand.
Ad hoc hunting is better than no hunting. But it has three problems that prevent it from producing consistent, measurable value. It is not documented, so the organization cannot learn from it. It is not structured, so the analyst cannot distinguish between "technique not present" and "wrong query." And it does not convert findings into detection rules, so the same technique must be hunted again next month because no automated coverage was created.
The Hunt Cycle replaces ad hoc querying with a structured, repeatable, documented process. Six phases — Hypothesize, Scope, Collect, Analyze, Conclude, Convert — executed in sequence for every hunt. Every campaign module in this course follows them. Every hunt you run after completing this course follows them. The structure is what makes hunting an organizational capability rather than an individual skill.
1.2 What you will learn
Ten sections, each building one part of the Hunt Cycle methodology.
Section 1.1 — Formulating Hunt Hypotheses. How to write a specific, testable prediction about attacker behavior. Four properties that make a hypothesis testable. Six hypothesis sources that keep the backlog populated. Three-dimension priority scoring (relevance, data availability, severity) that determines which hypothesis to hunt first.
Section 1.2 — Scoping the Hunt. Four scoping dimensions that constrain every hunt: time window, entity boundary, data tables, and technique focus. The Advanced Hunting 30-day limit. The dual-window baseline technique that prevents pre-existing activity from contaminating results. Documenting scope decisions before the first query runs.
Section 1.3 — Collection: Iterative Querying. The four-step query funnel (broad filter, enrich, correlate, extract) that narrows millions of events to a manageable candidate set. Multi-table correlation connecting identity, email, and endpoint telemetry. The materialize() operator for cross-step performance.
Section 1.4 — Analysis: Separating Signal from Noise. Five enrichment dimensions for evaluating candidate entities: temporal pattern, geographic consistency, device profile, permission scope, and behavioural baseline. Per-entity baselining against the gap window. Confidence scoring with a 3-of-5 threshold.
Section 1.5 — Concluding the Hunt. Three documented outcomes — confirmed finding (escalate), refuted hypothesis (deploy detection rule), inconclusive (refine and re-queue). The escalation package format for warm handoff to incident response. Why negative findings carry permanent value.
Section 1.6 — Converting Hunts to Detection Rules. The six-step conversion workflow from hunt query to production detection rule. Entity mapping, false positive analysis, threshold calibration, and the 14-day tuning cycle. How exclusions create exploitable detection gaps and how to document them safely.
Section 1.7 — The Hunt Documentation Standard. The structured hunt record template that serves three audiences: the reviewing analyst, the peer reviewer, and leadership. Documentation discipline that prevents knowledge from existing only in the hunter's memory.
Section 1.8 — The Hunt-to-Detection Pipeline: Worked End-to-End. A complete worked example following a single OAuth consent phishing hypothesis through all six Hunt Cycle phases. From intelligence report through five-query funnel, five-dimension enrichment, confirmed compromise (43-day dwell time), and two deployed detection rules. The pipeline that every campaign module applies.
Section 1.9 — Hunt Cadence and Scheduling. Three cadence models matched to team size. Protecting hunting time from alert queue pressure. Rotational versus dedicated hunting. Aligning cadence to threat intelligence for both consistency and responsiveness.
Section 1.10 — Hunt Quality Assurance and Metrics. Quality assurance through peer review at three checkpoints. Solo hunter adaptations. Four metrics that demonstrate hunting value to leadership: detection coverage delta, dwell time compression, hunt completion rate, and findings per hunt.
1.3 Why the Hunt Cycle matters for everything that follows
Modules 2 through 13 are campaign modules. Each targets a specific M365 threat category — identity attacks, OAuth abuse, email compromise, endpoint persistence, lateral movement. Every campaign follows the same Hunt Cycle. The hypothesis changes. The KQL queries change. The data sources change. The six-phase structure does not.
If you internalise the Hunt Cycle now, the campaign modules will feel like variations on a method you already own. If you skip this module or skim it, the campaign modules will feel like disconnected collections of queries without a unifying methodology. The method is the course's intellectual backbone.
The worked example in Section 1.8 is the bridge between methodology and practice. It demonstrates the complete pipeline end-to-end against a real threat category (OAuth consent phishing) so you can see how the six phases connect in continuous execution. The campaign modules that follow do the same thing at greater depth for each threat category.
1.4 How to get the best from this module
Work through the sections in order. Sections 1.1 through 1.6 build the six-phase Hunt Cycle sequentially — each section introduces one phase and depends on the previous. Section 1.7 adds the documentation standard that applies to every phase. Section 1.8 runs the complete cycle end-to-end so you can see the six phases in continuous execution. Section 1.9 adds the operational discipline that sustains the cycle over time.
Section 1.8 (the worked example) is the most important section. It connects everything from Sections 1.1 through 1.7 into a single continuous demonstration. If you have limited time, Sections 1.1 through 1.6 give you the method, and Section 1.8 gives you the demonstration. Sections 1.7 and 1.9 complete the operational picture.
Estimated total time: 4 to 5 hours. Three sections per session produce consistent progress.
1.5 Module structure
- Section 1.1 — Formulating Hunt Hypotheses
- Section 1.2 — Scoping the Hunt
- Section 1.3 — Collection: Iterative Querying
- Section 1.4 — Analysis: Separating Signal from Noise
- Section 1.5 — Concluding the Hunt
- Section 1.6 — Converting Hunts to Detection Rules
- Section 1.7 — The Hunt Documentation Standard
- Section 1.8 — The Hunt-to-Detection Pipeline: Worked End-to-End
- Section 1.9 — Hunt Cadence and Scheduling
- Section 1.10 — Hunt Quality Assurance and Metrics
Prerequisite: Module 0. The detection gap, the business case, the 90-day plan, and the data sources you will hunt against are all established there.
Go to Section 1.1 — Formulating Hunt Hypotheses to begin.