Get the right information to the right people (the SOC team, management, or IT) in a format they can use.

Part 2: Transitioning to Data-Driven Threat Hunting

Every hunt starts with a question. For example: "Are there any signs of lateral movement via PowerShell in my finance department?" You then use your data to prove or disprove this hypothesis.

2. Data Sources for the Hunt

- Process executions, registry changes, and network connections.
- Flow data, DNS queries, and unusual outbound connections.
- API calls and identity management changes in AWS, Azure, or GCP.

Mastery of KQL (Kusto Query Language) for Azure/Sentinel or Lucene for Elastic is vital for digging through petabytes of data.

Part 3: Integrating Intelligence and Hunting

You receive a report about a new ransomware strain targeting your industry. You extract the specific TTPs (e.g., using a specific WMI command for persistence) and immediately run a hunt across your environment to see if those TTPs are present.
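As an added example (not code from the original article), here is a hypothesis-driven hunt in Python over endpoint process-execution events: one function tests the "PowerShell lateral movement in finance" hypothesis from Part 2, the other sweeps report-derived TTP indicators across every host as in the Part 3 workflow. The events, the host-to-department map, the remoting markers and the indicator list are all constructed assumptions for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str      # executable name
    cmdline: str    # full command line as recorded by the EDR

# Constructed sample telemetry (not real data): endpoint process executions.
EVENTS = [
    ProcEvent("FIN-WS01", "alice", "powershell.exe",
              "powershell.exe -NoP -c Invoke-Command -ComputerName FIN-WS02 -ScriptBlock {hostname}"),
    ProcEvent("FIN-WS02", "bob", "excel.exe", "excel.exe Q3-forecast.xlsx"),
    ProcEvent("HR-WS07", "carol", "powershell.exe", "powershell.exe Enter-PSSession -ComputerName HR-FS01"),
    ProcEvent("FIN-SRV01", "svc_backup", "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ProcEvent("FIN-WS03", "dave", "powershell.exe", "powershell.exe Register-WmiEvent -Query '...' -Action {...}"),
]
# Constructed asset inventory (assumed to come from a CMDB): host -> department.
DEPARTMENT = {"FIN-WS01": "finance", "FIN-WS02": "finance", "FIN-WS03": "finance",
              "FIN-SRV01": "finance", "HR-WS07": "hr", "HR-FS01": "hr"}
# Command-line fragments that show PowerShell connecting to another host (assumed marker set).
PS_REMOTING_MARKERS = ("invoke-command", "enter-pssession", "-computername")

def hunt_ps_lateral_movement(events, department):
    """Hypothesis: PowerShell lateral movement inside one department.
    Returns supporting events; an empty list disproves it for this data set."""
    return [e for e in events
            if DEPARTMENT.get(e.host) == department and e.image.lower() == "powershell.exe"
            and any(m in e.cmdline.lower() for m in PS_REMOTING_MARKERS)]

def hunt_report_ttps(events, indicators):
    """Part 3 workflow: sweep report-derived TTP indicators across all hosts.
    Returns {indicator: [matching events]} so each TTP is confirmed or ruled out."""
    found = {ioc: [] for ioc in indicators}
    for e in events:
        for ioc in indicators:
            if ioc.lower() in e.cmdline.lower():
                found[ioc].append(e)
    return found

if __name__ == "__main__":
    # Constructed stand-in for the report's TTP list; the article names only "a WMI command for persistence".
    report_ttps = ["Register-WmiEvent", "<second-indicator-from-report>"]
    for hit in hunt_ps_lateral_movement(EVENTS, "finance"):
        print("finance PS remoting:", hit.host, hit.user, hit.cmdline)
    for ioc, hits in hunt_report_ttps(EVENTS, report_ttps).items():
        print(ioc, "->", [h.host for h in hits] or "not found")
```

In a real hunt the event list would be the result of a KQL or Lucene query against the SIEM rather than an in-memory list, but the prove-or-disprove structure stays the same.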