Module 4: Operationalizing the Hunt
Turn hunting into a repeatable, measurable program. Document, automate, and prove value to leadership.
Lessons & Labs
Lesson 4.1 — Threat Report to Hunt Hypothesis
Multi-phase intelligence reading. Entity decomposition. Evidence prediction. Turning a published threat advisory into a structured hunt plan.
Lab 4.1 — Threat Report Dissection
Decompose a fictional CERT advisory on the NightCrypt ransomware campaign into MITRE-mapped, testable hunt hypotheses, prioritized query plans, and a Hunt Hypothesis Document (browser-only).
Lesson 4.2 — Documentation and Knowledge Management
Note-taking during hunts, organizing findings for reuse, building a team knowledge base. The Investigation Notebook System: fast notes during, slow review after.
Lab 4.2 — Hunt-to-Sigma Pipeline
Operationalize hunt findings: write Sigma rules for three hunt patterns, convert them with sigma-cli into OpenSearch/Wazuh queries, validate them in the Threat Hunting dashboard, and document the tuning applied.
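As an added, self-contained illustration of the pipeline this lab describes (example code written for this page, not course or lab material), the block below takes a Sigma-style detection and produces both a matcher, used to validate the rule against sample events, and a Lucene query string of the kind an OpenSearch/Wazuh conversion yields. In the lab itself the conversion is done by sigma-cli (`sigma convert -t <backend> rule.yml`); the rule, the process-creation events and the exact query formatting here are constructed for the example, and the condition parser handles only the and/or/not/parentheses subset of Sigma conditions.

```python
"""Sigma-style detection -> (a) matcher for validating against sample events,
(b) Lucene query string of the kind an OpenSearch/Wazuh conversion yields.
Added example; rule, events and query formatting are this example's own."""
from __future__ import annotations
import re
from typing import Any, Callable, Dict, List

Event = Dict[str, Any]
Pred = Callable[[Event], bool]

# Constructed rule (dict form of what would be YAML): encoded PowerShell
# spawned by an Office parent, plus a tuning filter of the kind the lab documents.
RULE = {
    "title": "Encoded PowerShell spawned by Office application",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": ["-enc", "-EncodedCommand"]},
        "parent_office": {"ParentImage|endswith": ["\\winword.exe", "\\excel.exe"]},
        "filter": {"User|contains": "svc_backup"},   # tuning: known scheduled backup job
        "condition": "selection and parent_office and not filter",
    },
}

def _match(actual: str, expected: str, mod: str) -> bool:
    a, e = actual.lower(), expected.lower()          # Sigma string matching is case-insensitive
    return {"contains": e in a, "startswith": a.startswith(e),
            "endswith": a.endswith(e)}.get(mod, a == e)

def compile_selection(spec: Dict[str, Any]) -> Pred:
    """Every field in a map must match (AND); a list of values for one field is an OR."""
    def pred(ev: Event) -> bool:
        for key, expected in spec.items():
            field, _, mod = key.partition("|")        # "Field|modifier" -> field, modifier
            vals = expected if isinstance(expected, list) else [expected]
            if field not in ev or not any(_match(str(ev[field]), str(v), mod) for v in vals):
                return False
        return True
    return pred

def compile_condition(cond: str, preds: Dict[str, Pred]) -> Pred:
    """Recursive-descent parser for the and/or/not/parentheses subset of Sigma
    conditions ('1 of ...' and 'all of ...' are not handled here)."""
    toks, i = re.findall(r"\(|\)|\w+", cond), 0
    def expr() -> Pred:                      # expr := term ('or' term)*
        nonlocal i
        fn = term()
        while i < len(toks) and toks[i] == "or":
            i += 1; fn = (lambda l, r: lambda ev: l(ev) or r(ev))(fn, term())
        return fn
    def term() -> Pred:                      # term := factor ('and' factor)*
        nonlocal i
        fn = factor()
        while i < len(toks) and toks[i] == "and":
            i += 1; fn = (lambda l, r: lambda ev: l(ev) and r(ev))(fn, factor())
        return fn
    def factor() -> Pred:                    # factor := 'not' factor | '(' expr ')' | name
        nonlocal i
        tok = toks[i]; i += 1
        if tok == "not":
            f = factor(); return lambda ev: not f(ev)
        if tok == "(":
            f = expr(); i += 1; return f     # consume the closing ')'
        return preds[tok]
    fn = expr()
    if i != len(toks):
        raise ValueError(f"unparsed condition tail: {toks[i:]}")
    return fn

def _lucene_term(field: str, value: str, mod: str) -> str:
    v = re.sub(r'([\\ :"])', r"\\\1", value)          # escape Lucene-significant characters
    wild = {"contains": f"*{v}*", "startswith": f"{v}*", "endswith": f"*{v}"}
    return f"{field}:{wild.get(mod, v)}"

def to_lucene(detection: Dict[str, Any]) -> str:
    """Render the detection as one Lucene query string (this example's own formatting)."""
    parts: Dict[str, str] = {}
    for name, spec in detection.items():
        if name == "condition":
            continue
        clauses = []
        for key, expected in spec.items():
            field, _, mod = key.partition("|")
            vals = expected if isinstance(expected, list) else [expected]
            alts = [_lucene_term(field, str(v), mod) for v in vals]
            clauses.append(alts[0] if len(alts) == 1 else "(" + " OR ".join(alts) + ")")
        parts[name] = clauses[0] if len(clauses) == 1 else "(" + " AND ".join(clauses) + ")"
    cond = re.sub(r"\b(and|or|not)\b", lambda m: m.group(1).upper(), detection["condition"])
    return re.sub(r"\b\w+\b", lambda m: parts.get(m.group(0), m.group(0)), cond)

def evaluate(rule: Dict[str, Any], events: List[Event]) -> List[str]:
    """Validation step: return the ids of the sample events the rule fires on."""
    det = rule["detection"]
    preds = {k: compile_selection(v) for k, v in det.items() if k != "condition"}
    hit = compile_condition(det["condition"], preds)
    return [ev["id"] for ev in events if hit(ev)]

# Constructed process-creation events: one true positive, one benign, one tuned out.
EVENTS: List[Event] = [
    {"id": "evt-1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "User": r"CORP\alice"},
    {"id": "evt-2", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
    {"id": "evt-3", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand UwB0AGEAcgB0",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "User": r"CORP\svc_backup"},
]

if __name__ == "__main__":
    print(to_lucene(RULE["detection"]))
    print("fires on:", evaluate(RULE, EVENTS))   # expected: ['evt-1']
```

Running the block prints the query and the single true positive; evt-3 matches the selection and the Office parent but is suppressed by the `filter` section, which is exactly the kind of tuning decision the lab asks you to record alongside the rule.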
Lesson 4.3 — Metrics and Executive Reporting
Proving hunt value to leadership. Tracking coverage improvements, data source ROI, and detection gap closure over time.
Lesson 4.4 — Building a Hunt Program
Maturity levels from reactive (L0) to proactive (L4). Staffing models, cadence, automation boundaries, and the hunt-to-detect feedback loop.
Lab 4.3 — Capstone: Full Campaign Investigation
Conduct a comprehensive threat hunt across all log sources to identify three concurrent campaigns, build timelines, extract IOCs, and deliver an executive investigation summary.