Module 13: Threat Hunting — Find What Detections Miss
Don't wait for alerts. Go find the threats your detections missed.
You'll hunt for what the detections missed — hypothesis-driven searches for the attacker's quieter movements.
Lessons & Labs
Threat Hunting Fundamentals
    PEAK framework, hypothesis-driven hunting, maturity model
Lab 13.1 — SIEM Hunt: Authentication Anomalies
    Hunt for authentication anomalies in Wazuh without relying on alert triggers.
SIEM-Based Hunting with Wazuh
    Lucene hunting queries, auth anomaly detection, log correlation
Lab 13.2 — SIEM Hunt: Log Source Gap Analysis
    Audit log coverage, identify blind spots, recommend improvements.
Network Hunting with Suricata
    Beaconing detection, DNS anomalies, traffic baselines
Lab 13.3 — Network Hunt: Beaconing Detection
    Detect C2 beaconing patterns in EveBox network data.
Endpoint Hunting with VQL
    Stacking, frequency analysis, fleet hunts, Hunt Manager
Lab 13.4 — Endpoint Hunt: Hypothesis Hunt
    Intel-driven VQL hunt across the fleet for APT persistence.
Cross-Tool Correlation Hunting
    The hunting triangle: SIEM + endpoint + network evidence
Lab 13.5 — Endpoint Hunt: Fleet Stacking
    Baseline the fleet with 5-category VQL stacking and find outliers.
Building a Hunt Program
    Cadence, playbooks, hunt-to-detection pipeline, metrics
Lab 13.6 — Cross-Tool Campaign Hunt
    Hunt a multi-stage intrusion across SIEM data (capstone hunt).