I created and executed a repeatable threat hunting strategy focused on hypotheses, baselines, and targeted searches. The approach turns passive monitoring into proactive discovery across endpoints and networks.
(How to Develop a Threat Hunting Strategy)
Define hunt objectives and scope tied to real risks
Establish baselines for normal behavior
Form hypotheses and test them with SIEM, EDR, and network data
Remediate and refine based on outcomes
Working SIEM dashboards and searchable logs
Access to endpoint telemetry or EDR where available
Familiarity with query languages and network analysis
SIEM searches and visualizations
EDR telemetry and process analytics
Network analysis with Zeek or packet capture tools
1. Objectives and scope
Prioritized APT-like persistence, insider misuse, and unknown egress paths.
Scoped hunts to critical servers, workstations, and edge devices.
2. Baseline
Collected normal patterns for login times, process trees, and outbound traffic.
Documented metrics to help separate noise from signal.
3. Hypotheses
Example: repeated failed logins followed by a new successful login from the same source IP address may indicate credential stuffing.
Example: a rare process spawning a network tool on a server may indicate hands-on-keyboard activity.
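The first hypothesis above, written out as detection logic and run over constructed sample authentication events. This is an added example, not code from the original write-up; the event format, the thresholds (5 failures, a 10-minute window, 3 distinct accounts) and the sample IPs are assumptions chosen to illustrate the hunt.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from any real system):
# (timestamp, source_ip, username, outcome)
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", "203.0.113.5", "alice", "failure"),
    ("2024-01-10T09:00:04", "203.0.113.5", "bob", "failure"),
    ("2024-01-10T09:00:07", "203.0.113.5", "carol", "failure"),
    ("2024-01-10T09:00:09", "203.0.113.5", "dave", "failure"),
    ("2024-01-10T09:00:12", "203.0.113.5", "erin", "failure"),
    ("2024-01-10T09:00:15", "203.0.113.5", "frank", "success"),
    # One user mistyping a password and then logging in: should NOT be flagged.
    ("2024-01-10T09:30:00", "198.51.100.7", "alice", "failure"),
    ("2024-01-10T09:30:20", "198.51.100.7", "alice", "success"),
]


def hunt_credential_stuffing(events, min_failures=5,
                             window=timedelta(minutes=10),
                             min_distinct_users=3):
    """Flag a successful login whose source IP produced at least
    `min_failures` failures across `min_distinct_users` accounts within
    `window` before the success. The distinct-account threshold is what
    separates stuffing/spraying from a single user retrying a password."""
    recent = defaultdict(list)  # source_ip -> [(ts, user)] failures in window
    findings = []
    for ts_str, src_ip, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        # Age out failures that fall outside the window for this source.
        recent[src_ip] = [(t, u) for t, u in recent[src_ip] if ts - t <= window]
        if outcome == "failure":
            recent[src_ip].append((ts, user))
            continue
        failures = recent[src_ip]
        targeted = sorted({u for _, u in failures})
        if len(failures) >= min_failures and len(targeted) >= min_distinct_users:
            findings.append({
                "source_ip": src_ip,
                "success_user": user,
                "success_at": ts_str,
                "failures_in_window": len(failures),
                "targeted_accounts": targeted,
            })
        recent[src_ip].clear()  # a success resets the window for this source
    return findings


if __name__ == "__main__":
    for finding in hunt_credential_stuffing(SAMPLE_EVENTS):
        print(finding)
```

In a real hunt the same logic is expressed as a saved SIEM search keyed on source IP; the thresholds come from the baseline collected in step 2.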
4. Tools and queries
SIEM for cross-source searches and timelines.
EDR to pivot on processes, hashes, and parent-child relationships.
Network tools such as Zeek or packet captures for uncommon destinations.
5. Hunts and investigations
Ran targeted searches, tagged anomalies, and captured evidence.
Promoted confirmed findings to incidents with containment steps.
6. Remediation and hardening
Enforced stronger authentication and lockout policies.
Blocked suspicious destinations and tightened least privilege.
7. Review and iterate
Measured results, refined hypotheses, and scheduled quarterly hunts.
Automated recurring queries as saved searches and alerts.
Earlier detection of risky behavior that never triggered a standard alert
Institutionalized hunts with clear playbooks and metrics
Continuous improvement loop for detections and controls
Hypothesis-driven analysis and anomaly detection
Cross-tool pivoting across SIEM, EDR, and network data
Remediation planning and stakeholder communication