Module Summary

4-5 hours · Module 1 · Free

Module 1: The Hunt Cycle Methodology

Section 1.1 — Formulating Hunt Hypotheses. Every hunt begins with a testable hypothesis that names a threat, a technique, and a data source. Four properties make a hypothesis testable: it specifies a technique, identifies the telemetry, defines what suspicious looks like, and establishes the time window. Six hypothesis sources (threat intelligence, detection gap analysis, incident patterns, environmental change, peer sharing, and ATT&CK coverage mapping) ensure the backlog never runs dry. Three-dimension scoring (relevance, data availability, severity) prioritises the backlog so the highest-value hypotheses are hunted first.

Section 1.2 — Scoping the Hunt. Scoping prevents a hunt from expanding indefinitely. Four dimensions constrain every hunt: time window, entity boundary, data tables, and technique focus. Advanced Hunting enforces a 30-day maximum query window. The dual-window baseline technique uses a gap window to separate normal behavior from the hunting period, preventing pre-existing activity from contaminating results. Scoping decisions are documented before the first query runs.

Section 1.3 — Collection: Iterative Querying. Collection follows an iterative funnel that narrows millions of events to a manageable set of candidates. The four-step sequence (broad filter, enrich, correlate, extract) is demonstrated through a worked query chain that reduces 347,000 sign-in events to a single suspicious entity. Multi-table correlation connects identity, email, and endpoint telemetry. The materialize() operator prevents redundant computation across correlation steps.

Section 1.4 — Analysis: Separating Signal from Noise. Analysis evaluates each candidate entity against five enrichment dimensions: temporal pattern, geographic consistency, device profile, permission scope, and behavioural baseline. Per-entity baselining compares the hunting window against the gap window to surface deviations. Confidence scoring assigns each enrichment dimension a weight, with a 3-of-5 threshold distinguishing "investigate further" from "noise." The gap window prevents false confidence by ensuring the baseline excludes the hunting period.
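The dual-window baseline from Section 1.2 and the five-dimension, 3-of-5 confidence scoring from Section 1.4, as an added Python example that is not course material: the sign-in records, window dates, dimension weights and the "3x baseline volume" rule used for the behavioural dimension are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records (not course data): user, time, country, device, scopes consented.
EVENTS = [
    ("alice", datetime(2024, 3, 4, 9), "GB", "dev-a1", ()),
    ("alice", datetime(2024, 3, 11, 14), "GB", "dev-a1", ()),
    ("alice", datetime(2024, 3, 18, 10), "GB", "dev-a1", ()),
    ("alice", datetime(2024, 3, 23, 3), "RO", "dev-z9", ("Mail.Read",)),  # falls in the gap window
    ("alice", datetime(2024, 3, 26, 3), "RO", "dev-z9", ("Mail.Read",)),
    ("alice", datetime(2024, 3, 27, 2), "RO", "dev-z9", ()),
    ("alice", datetime(2024, 3, 28, 4), "RO", "dev-z9", ()),
    ("alice", datetime(2024, 3, 29, 5), "RO", "dev-z9", ()),
    ("carol", datetime(2024, 3, 6, 9), "FR", "dev-c1", ()),
    ("carol", datetime(2024, 3, 13, 9), "FR", "dev-c1", ()),
    ("carol", datetime(2024, 3, 27, 9), "FR", "dev-c2", ()),  # new device only: 1 of 5 dimensions
]
# Assumed window layout: 21-day baseline, 2-day gap, 7-day hunting window (end bounds exclusive).
BASE_START, GAP_END = datetime(2024, 3, 1), datetime(2024, 3, 22)
HUNT_START, HUNT_END = datetime(2024, 3, 24), datetime(2024, 3, 31)
WEIGHTS = {"temporal": 1.0, "geographic": 1.5, "device": 1.0, "permission": 1.5, "behavioural": 1.0}

def split_windows(events, use_gap=True):
    """Per user, return (baseline, hunting) lists; with use_gap the gap-window events are dropped."""
    base_end = GAP_END if use_gap else HUNT_START
    baseline, hunting = defaultdict(list), defaultdict(list)
    for ev in events:
        if BASE_START <= ev[1] < base_end:
            baseline[ev[0]].append(ev)
        elif HUNT_START <= ev[1] < HUNT_END:
            hunting[ev[0]].append(ev)
    return baseline, hunting

def score_entity(base, hunt, base_days):
    """Flag each enrichment dimension where the hunting window deviates from the entity's baseline."""
    flags = {
        "temporal": any(e[1].hour not in {b[1].hour for b in base} for e in hunt),
        "geographic": any(e[2] not in {b[2] for b in base} for e in hunt),
        "device": any(e[3] not in {b[3] for b in base} for e in hunt),
        "permission": any(s not in {x for b in base for x in b[4]} for e in hunt for s in e[4]),
        "behavioural": len(hunt) / (HUNT_END - HUNT_START).days > 3 * max(len(base), 1) / base_days,
    }
    weighted = sum(WEIGHTS[k] for k, hit in flags.items() if hit)  # weight orders the review queue
    verdict = "investigate" if sum(flags.values()) >= 3 else "noise"  # 3-of-5 threshold decides
    return flags, weighted, verdict

def hunt_scores(events, use_gap=True):
    """Score every entity seen in the hunting window; entities with no baseline are scored against empty."""
    baseline, hunting = split_windows(events, use_gap)
    base_days = ((GAP_END if use_gap else HUNT_START) - BASE_START).days
    return {u: score_entity(baseline.get(u, []), evs, base_days) for u, evs in hunting.items()}
```

Calling hunt_scores(EVENTS, use_gap=False) folds the 23 March sign-in into alice's baseline, so her Romanian sign-ins, new device and new consent scope read as established behaviour and her verdict drops to noise; that contamination is what the gap window prevents.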

Section 1.5 — Concluding the Hunt. Every hunt concludes with one of three documented outcomes: confirmed finding (escalated to IR), refuted hypothesis (detection rule deployed to automate future coverage), or inconclusive result (hypothesis refined and re-queued). The escalation package formats evidence for a warm handoff to the incident response team. Negative findings carry permanent value because each refuted hunt produces a detection rule that automates the check going forward.

Section 1.6 — Converting Hunts to Detection Rules. The six-step conversion workflow transforms a manual hunt query into an automated detection rule: extract the detection logic, map entities, analyze false positives, set the threshold and frequency, document the rule specification, and enter the tuning cycle. False positive analysis during hunting directly informs exclusion design. A 14-day tuning cycle validates rule performance before the rule is considered production-ready.

Section 1.7 — The Hunt Documentation Standard. Every hunt produces a structured record containing the hypothesis, scope, query chain, findings, conclusion, and detection rule reference. The hunt record serves three audiences: the analyst who revisits the work, the peer reviewer who validates the methodology, and leadership who evaluates the program. Documentation discipline prevents knowledge from existing only in the hunter's memory.

Section 1.8 — The Hunt-to-Detection Pipeline: Worked End-to-End. A complete worked example follows a single hypothesis through all six Hunt Cycle phases. The OAuth consent phishing hunt begins with a Storm-2372 intelligence report, scopes to 30 days of OAuth activity, runs a five-query funnel (347,000 to 1 entity), enriches across five dimensions, confirms a DocuHelper Pro application with 43 days of undetected mailbox access, and deploys two detection rules (illicit consent grant and device code flow). The example demonstrates the full pipeline that every campaign module applies to a different threat category.

Section 1.9 — Hunt Cadence and Scheduling. Three cadence models match team size: weekly (5+ analysts, 24-48 campaigns per year), biweekly (3-5 analysts, 12-24 campaigns), and monthly (2-3 analysts or solo, 12 campaigns). Hunting time must be protected from alert queue pressure through calendar blocks with backup analyst coverage. Rotational hunting builds skills across the team; dedicated hunting builds the deepest environmental knowledge. Hybrid cadence combines scheduled backlog hunts with ad hoc intelligence-driven sessions.

Section 1.10 — Hunt Quality Assurance and Metrics. Quality assurance operates at three review points: before hunting (scope review), before closing (record review), and before deploying (rule review). Solo hunter adaptations include structured self-review checklists, time-delayed review, and quarterly batch review. Four metrics demonstrate program value to leadership: detection coverage delta, dwell time compression, hunt completion rate, and findings per hunt.

What's next

Module 2 applies the Hunt Cycle methodology to your first campaign: identity-based attacks in Microsoft Entra ID. You have the method, the documentation standard, and the operational discipline. Module 2 gives you the target. Every technique, query, and detection rule from this point forward follows the six-phase cycle you learned here.
