Loopus


Threat Detection & Hunting: Threat Hunting Methodology

Data-Driven Hunting

35 min lab, +60 XP

Learning Objectives

  • Conduct comprehensive hunting campaigns
  • Use data science approaches for anomaly detection
  • Integrate hunting findings into detection engineering

Advanced Hunting Campaigns

Mature hunting programs move beyond ad-hoc queries to systematic campaigns covering significant portions of the attack surface. This lesson covers campaign planning, statistical approaches, and integrating findings into defensive improvements.

Campaign Planning

Campaigns organize multiple related hunts:

Scope definition - What environment segments, time periods, and threat types does the campaign address?

Data requirements - What log sources, retention periods, and access do hunters need?

Timeline - How long does the campaign run? When do hunters report findings?

Success criteria - How is effectiveness measured? Findings discovered, coverage achieved, or hypotheses tested?

Campaign themes might align with MITRE ATT&CK tactics, with threat groups targeting your industry, or with recent vulnerability disclosures.

Statistical Approaches

Manual hunting scales poorly. Statistical methods extend a hunter's reach by letting the data point to what deserves a closer look:

Baseline comparison - Establish normal patterns, identify deviations. Rare events are not necessarily malicious, but they warrant investigation.

Clustering - Group similar behaviors to find outliers. Most systems behave similarly; unusual ones need attention.

Frequency analysis - Stack events by key fields and examine the extremes. The most common values represent normal; rare values might indicate threats.

Time series analysis - Traffic normally follows patterns. Deviations from expected patterns—unexpected volumes, unusual hours—warrant investigation.
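As an added example (not code from the Loopus lesson), the following Python implements two of these approaches over a constructed day of logon events: frequency analysis by stacking a key field and listing the rarest values, and a baseline comparison that flags hours whose event volume sits far from the mean. The event format, field names, users and hosts are all made up for illustration.

```python
"""Frequency analysis (stacking) and baseline comparison over constructed logon
events. Added example, not part of the Loopus lesson; the event format and
field names are invented for illustration."""
from collections import Counter
from datetime import datetime, timedelta
import statistics


def build_sample_events():
    """Constructed sample day: three interactive logons per business hour, one
    after-hours RemoteInteractive logon, and a burst of twelve network logons
    from a service account at 03:00. Not real data."""
    day = datetime(2024, 3, 4)
    lines = []
    for hour in range(9, 18):                      # 09:00-17:00 business hours
        for minute, user in ((5, "alice"), (20, "bob"), (40, "carol")):
            ts = day + timedelta(hours=hour, minutes=minute)
            lines.append(f"{ts.isoformat()} user={user} host=WS01 logon_type=2")
    ts = day + timedelta(hours=22, minutes=15)     # one after-hours logon
    lines.append(f"{ts.isoformat()} user=dave host=WS07 logon_type=10")
    for i in range(12):                            # 03:00 burst, 12 logons
        ts = day + timedelta(hours=3, minutes=i)
        lines.append(f"{ts.isoformat()} user=svc-backup host=DC01 logon_type=3")
    return lines


def parse_event(line):
    """Parse 'ISO-timestamp key=value key=value ...' into a dict."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def stack_field(events, field):
    """Count the values of one field and return (value, count) pairs, rarest
    first. The head of this list is the long tail an analyst reviews."""
    counts = Counter(e[field] for e in events)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def rare_values(events, field, max_count=1):
    """Values seen at most `max_count` times: investigation candidates, not verdicts."""
    return [value for value, count in stack_field(events, field) if count <= max_count]


def hourly_volume(events):
    """Event count per hour of day, including hours with no events, so quiet
    hours contribute to the baseline instead of being dropped."""
    volume = {hour: 0 for hour in range(24)}
    for e in events:
        volume[e["ts"].hour] += 1
    return volume


def volume_outliers(events, threshold=2.0):
    """Hours whose volume lies more than `threshold` standard deviations from
    the mean hourly volume. A production baseline would be built over days or
    weeks of history rather than the single constructed day used here."""
    volume = hourly_volume(events)
    counts = list(volume.values())
    mean = statistics.mean(counts)
    sd = statistics.pstdev(counts)
    if sd == 0:                                    # flat day: nothing deviates
        return []
    return sorted(hour for hour, count in volume.items()
                  if abs(count - mean) / sd > threshold)


if __name__ == "__main__":
    events = [parse_event(line) for line in build_sample_events()]
    print("rarest logon types:", stack_field(events, "logon_type")[:2])
    print("users seen once:", rare_values(events, "user"))
    print("hours off baseline:", volume_outliers(events))
```

Stacking surfaces the single logon_type 10 event and the user seen only once; the hourly baseline flags 03:00 because the service-account burst is roughly four standard deviations above the day's mean, while the lone 22:15 logon is not a volume anomaly at all. That split is the point of combining techniques: each one misses what the other catches, and neither result is a finding until an analyst has looked at it.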

Automation and Tools

Hunting notebooks document queries and analysis in reproducible formats. Jupyter notebooks with queries and visualization code enable sharing and iteration.

Scheduled queries run hunting searches automatically, surfacing results for analyst review.

ML-assisted hunting uses models to score events or identify anomalies, directing analyst attention to highest-value targets.

From Hunting to Detection

Hunting findings should improve detection:

New detection rules - Threats discovered through hunting become candidates for automated detection. Write Sigma rules, YARA rules, or platform-specific detections.

Improved visibility - Hunting gaps might reveal logging deficiencies. Add log sources to address blind spots discovered during hunts.

Updated hypotheses - Hunting builds institutional knowledge. Document what you learn for future hunters.

Measuring Program Effectiveness

Track hunting metrics:

  • Hypotheses tested
  • True positives discovered
  • Mean time from hypothesis to discovery
  • New detections created from hunting
  • Coverage against threat frameworks

Improvement over time demonstrates program value and guides resource allocation.

Questions

Question 1 (Knowledge): How do you hunt for lateral movement?
Format: ******** (8 chars), exact match required

Question 2 (Hands-On): What term describes moving through a network?
Format: ******* (7 chars), exact match required

Question 3 (Knowledge): What are persistence indicators?
Format: ******** (8 chars), exact match required

Question 4 (Hands-On): What term describes surviving a system reboot?
Format: *********** (11 chars), exact match required