Threat Hunt Book by Predefender

This notebook provides a comprehensive guide to Threat Hunting, structured in the form of a book. With years of experience in establishing SOC departments for Norwegian cybersecurity firms and actively working as a threat hunter, I’ve gathered valuable insights that I’m eager to share.

As I transition into managing a Cyber Security Operations Center (CSOC), my goal is to help SOC analysts become proficient threat hunters from day one.

Roger C.B. Johnsen


Have feedback?
I welcome your thoughts, suggestions, or corrections. Feel free to reach out via my preferred contact links.


About the Content

The content has been carefully refined with the help of tools like ChatGPT to improve grammar, clarity, and readability. It includes a curated collection of notes, articles, presentations, and personal reflections, all based on years of hands-on experience as a threat hunter.


Recent Changes and Additions

Date          | Change/Addition
--------------|------------------------------------------------------------
Apr. 20, 2025 | Added threat hunting framework section and collected all hunting-related articles beneath it
Apr. 13, 2025 | Added framework pages: Magma, TaHiTI and Peak
Mar. 29, 2025 | Added page on When to engage threat hunters
Mar. 21, 2025 | New cheatsheets based on hunts conducted this week: “Kusto Sentinel Tables”, “Sysmon”, “Windows Registry” and “PowerShell”
Mar. 16, 2025 | New section, “cheat sheets”
              | Added support for tags for easier grouping of articles. Testing out in the “cheat sheets” section
Feb. 28, 2025 | Updated contact information. Added e-mail
Feb. 22, 2025 | - Overhaul of multiple pages to improve meaning
              | - Added “Hierarchy of Needs” page
Feb. 15, 2025 | - Added “Siem Query Languages” page
Jan. 11, 2025 | - Added “The Threathunter Persona” page
Dec. 27, 2024 | - Added the “Release Plan” page, accessible via the left site menu.
              | - Improved the left site menu by removing chapter/part prefixes.
Nov. 03, 2024 | Added a page on No Result Hunts.
Nov. 02, 2024 | Added a page on creating hypotheses.
Oct. 27, 2024 | - Added a page on T1105 from a recent threat hunt investigation.
              | - Added a page on planning a threat hunt.
              | - Added a page on intelligence resources.
Oct. 26, 2024 | - Added a page on starting a threat hunting program.
              | - Added pages on threat hunting deliveries.
Oct. 21, 2024 | Revised the introduction for Threat Hunting Deliveries.
Oct. 20, 2024 | Added a section on Threat Hunting Deliveries.
Oct. 19, 2024 | Added a section on conditional access for T1566.
Oct. 15, 2024 | Added a tip on Windows Login.
Oct. 13, 2024 | Introduced a new section: Deliveries under Part 1, including the new page SITREP.
Oct. 12, 2024 | Introduced a new section: Mitre Field Notes, featuring the page T1566 - Phishing.
Oct. 11, 2024 | Added links to social platforms, X (formerly Twitter) and Mastodon.
Oct. 06, 2024 | - Quality assured the OpenSearch Python API ingester.
              | - Improved document formatting across the site.
              | - Added tips for Windows event log success and failure.
Sep. 30, 2024 | Added a “FAQ” page.
Sep. 29, 2024 | Added a page on Understanding Data.

[Illustration: Threat Hunting]