Concluding the Hunt

Three possible outcomes

Every hunt ends in one of three states. The conclusion must be explicit, written down, and stored where the organization can reference it. "We looked and didn't find anything" is not a conclusion. "We examined 810 user accounts across 30 days of SigninLogs, identified 28 with baseline deviations, enriched 3 with correlated MFA signals, confirmed 1 compromise, and documented 27 legitimate explanations" is a conclusion. The specificity is what makes it useful: six months later, someone reviewing the hunt record knows exactly what was examined and what was not.

Three hunt outcomes. Confirmed and refuted hunts both produce detection rules. Inconclusive hunts produce refined hypotheses. Every outcome produces documentation.

Outcome 1: Hypothesis confirmed

Your analysis produced a high-confidence finding. Three or more enrichment dimensions corroborate each other, and the evidence supports the conclusion that the technique described in the hypothesis has occurred in your environment.

Escalate immediately. Do not wait for the hunt to finish. If query 3 of 8 produces a high-confidence finding, escalate while the remaining queries continue. Every hour between discovery and containment is an hour the attacker continues to operate. The escalation is the highest-value hunting output: a compromise discovered before any detection rule fired.

Escalation needs enough information for the IR analyst to take immediate action without re-running the hunt:

Warm handoff versus cold handoff. A warm handoff means the hunter briefs the IR analyst directly, walks through the evidence, answers questions, and transfers the analytical context that the documentation cannot fully capture. A cold handoff means the hunter submits the escalation package and the IR analyst picks it up from the queue. Warm handoffs produce faster containment because the IR analyst starts with full context. Always prefer warm handoff for high-severity findings. At NE, Rachel Okafor established a protocol: any finding scored at "high confidence" gets a warm handoff via a 15-minute Teams call between the hunter and the on-call IR analyst. The hunter shares their screen, walks through the query chain, explains the enrichment reasoning, and transfers the Sentinel bookmarks. The IR analyst asks clarifying questions ("did you check whether this IP appears in our VPN egress list?" or "was the inbox rule creation via Graph API or PowerShell?"). Warm handoffs typically save the IR analyst 30 to 60 minutes of re-analysis because they inherit the hunter's contextual understanding of the data.

Cold handoffs are acceptable for medium-confidence findings or when the IR analyst is unavailable. The escalation package must be detailed enough that the analyst can act without speaking to the hunter. Include the exact KQL queries used (not descriptions of queries), the result counts at each step, and the specific evidence rows that drove the conclusion.

After escalation, the hunter maintains the queries and bookmarks. The IR investigation may need to re-run hunt queries with different parameters, and the hunter's expertise with the data accelerates the investigation. Do not close the hunt record until IR confirms the investigation is complete. Hunt records should reference the IR case number, creating a bidirectional link between hunting and incident response.

After the IR investigation concludes, the confirmed finding also feeds the detection conversion step (Section 1.6). Your query chain that discovered the compromise becomes a detection rule. This is the permanent value of a confirmed hunt: the technique was found proactively once, and the resulting rule ensures it will be detected automatically in the future. Without conversion, you would need to re-hunt the same technique next month. With conversion, the automated rule handles it while you move to the next hypothesis in the backlog.

Severity for the Sentinel analytics rule created from a confirmed finding should match the severity of the technique. AiTM session hijacking with data exfiltration warrants a High-severity rule. Suspicious OAuth consent without post-consent evidence of abuse warrants a Medium. The severity determines how quickly the SOC responds when the rule fires, and overclassifying severity erodes trust in automated alerts the same way false escalations erode trust in hunt findings.

Outcome 2: Hypothesis refuted

You examined the full scope and found no evidence of the technique. This is not a failure. A documented negative finding has operational value: it proves you looked, proves you did not find evidence, and establishes a baseline for future comparisons.

Refuted finding documentation records what you searched, how thoroughly, and what you concluded:

Refuted hypotheses are sometimes more valuable than confirmed ones because they produce systematic coverage. A confirmed finding catches one compromise. A detection rule created from a refuted hunt monitors for that technique continuously across the entire tenant, potentially catching dozens of future attempts.

Negative finding documentation serves three purposes. It demonstrates coverage to leadership ("we examined 100% of OAuth consents in the window"). It identifies blind spots for remediation ("enable AADServicePrincipalSignInLogs"). And it feeds the detection conversion step (Section 1.6): the query that found nothing today becomes the detection rule that monitors continuously.

Outcome 3: Hypothesis inconclusive

Evidence is ambiguous. You found indicators that could represent compromise but could also have legitimate explanations, and the available enrichment data is insufficient to resolve the ambiguity. This happens when a critical data source is missing, when the user cannot be reached for context verification, or when the technique produces signals that overlap heavily with legitimate behavior.

An inconclusive hunt is not a failure. It is a documented gap that feeds future hunting. Record what you found, what you could not resolve, and what would be needed to resolve it. Refine the hypothesis and re-queue it in the backlog with a higher priority if the unresolved indicators were concerning.

An inconclusive outcome requires discipline. The temptation is to escalate "just in case" (which produces false positives and erodes IR trust) or to close as refuted "because we did not find enough" (which buries a potential compromise). Neither is acceptable. The decision threshold matters: if the indicators are concerning enough that you would lose sleep over closing the hunt, escalate with an explicit confidence caveat ("medium confidence, requires additional data for confirmation"). If the indicators are weak enough that further investigation would be speculative, close as inconclusive with the data gap documented. Neither path requires certainty. Both require honest documentation.

Document the ambiguity precisely. Identify the specific gap that prevented resolution. Return to the hypothesis when the gap is addressed.

For example, a hunt for OAuth consent abuse found 3 applications with suspicious permission scopes (Mail.ReadWrite granted to an app with an unfamiliar publisher name). Enrichment required checking whether the application was used after consent: did it actually read email, or was the consent granted but never exercised? This check requires AADServicePrincipalSignInLogs, which NE does not ingest. Without post-consent sign-in data, the hunter cannot determine whether the consent was malicious (attacker consented and used the app) or benign (an employee consented to a legitimate app they never configured). The hunt is inconclusive. The documentation records: "3 suspicious consents identified. Unable to verify post-consent activity due to missing data source. Recommendation: enable AADServicePrincipalSignInLogs and re-hunt in 30 days." The hypothesis returns to the backlog with a dependency flag.

Maintaining hunt continuity during IR

When a confirmed finding triggers an IR investigation, the hunt and the investigation run in parallel for a period. Meanwhile, the hunter continues examining the remaining scope (the other 24 users in the population). The IR analyst investigates the confirmed compromised account. Their work intersects when the hunter finds additional compromised accounts or when the IR analyst needs the hunter's query expertise.

Establish clear ownership boundaries. The hunter owns the remaining hunt scope. The IR analyst owns the compromised account investigation. Findings flow from hunt to IR (new compromised accounts discovered during remaining scope analysis). Context flows from IR to hunt (the IR investigation reveals a persistence mechanism the hunter should check across the population). A 15-minute daily sync between hunter and IR analyst during the overlap period prevents duplicated effort and ensures both workstreams benefit from each other's findings.

This parallel operation is one of the strongest arguments for a structured hunt methodology. Ad-hoc hunters tend to abandon the hunt entirely once they find something interesting and pivot to investigation. The structured approach maintains both: the escalation triggers IR while the hunt continues examining the remaining population. NE discovered this value directly when a second compromised account was found in the remaining 24 users three days after the first escalation. The second account used different attacker infrastructure but the same technique, indicating a broader campaign targeting NE rather than a single opportunistic compromise.