The Hunting Loop
Hypothesis-driven hunting versus IoC matching, and the lifecycle of a hunt. IoC matching only finds what someone has already seen and shared; a hypothesis describes adversary behaviour, so it can find activity no indicator feed covers yet.
The Sqrrl Hunting Loop
An alert-driven Security Operations Center (SOC) is reactive: analysts wait for a detection to fire. Threat hunting is proactive: the hunter assumes the breach has already happened and goes looking for the evidence the existing detections missed.
Step 1: Hypothesis
"If APT29 was in our network, they would likely use PowerShell for lateral movement." This is a falsifiable statement: it names an actor, a technique and a data source, so the evidence that would confirm or refute it can be written down before the hunt starts.
Step 2: Investigate
Query the SIEM/EDR for PowerShell script block logs (Event ID 4104, which only exists if Script Block Logging is enabled), looking for unusually long script blocks, Base64-encoded commands, and remoting cmdlets such as Invoke-Command, New-PSSession or Invoke-WmiMethod with -ComputerName. Note that 4104 records the decoded script block, so a "powershell -EncodedCommand ..." launch appears as Base64 only in the parent script block that spawned it or in process-creation telemetry (Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1).
Step 3: Uncover Patterns
Group the results instead of triaging them one at a time: which hosts and accounts recur across the hits, and does the activity line up with other anomalies, such as an admin account authenticating from a subnet it has never used before?
Step 4: Enrich & Automate
Whether or not the hunt found an intrusion, turn the query into an automated detection (a SIEM or EDR rule) so the SOC catches the behaviour next time, and record the hypothesis, the data sources and what normal looked like, so the hunt does not have to be rebuilt from scratch.