Threat Hunt Book

Welcome to my notebook on Threat Hunting. This page serves as a compendium of my insights into Threat Hunting, presented in book format. After years of establishing SOC departments for several Norwegian cybersecurity firms while actively working as a threat hunter, I’ve chosen to share my notes and reflections on the craft of threat hunting. Now, as I transition into managing a Cyber Security Operations Center (CSOC), I believe it’s time to impart my perspective to empower SOC analysts to start as effective threat hunters from the outset.

– Roger C.B. Johnsen

Please report feedback, change requests and anything else through the project’s issue tracker, available here!

Info

Content on this page has been run through ChatGPT and similar tools in order to fix grammar, sentence structure and general errors in the text. The text has also been run through the same engines in order to convert my notes into prose that makes sense. This site includes my notes, articles, presentations and thoughts from the years I have been working as a threat hunter.

Threat hunting illustration

Future plans / roadmap

Here’s a glimpse into what I plan to include in my little threat hunting book in the near future:

Topic        Comment
Deliveries   What exactly can we as threat hunters deliver to customers and stakeholders?
Reports      What kinds of reports do we deliver, and what kinds can we deliver?
Frameworks   Extend the framework section to include other relevant frameworks.
Planning     Planning hunts, staffing, etc.

Recent changes and additions

  • Nov. 03, 2024
    • Added page on No Result Hunts.
  • Nov. 02, 2024
    • Added page on creating a hypothesis.
  • Oct. 27, 2024
    • Added page T1105 from a recent threat hunt investigation.
    • Added page on how to start a threat hunt.
    • Added page on intelligence resources.
  • Oct. 26, 2024
    • Added page on how to start a threat hunting program.
    • Added pages on threat hunting deliveries.
  • Oct. 21, 2024
    • Revised introduction text for threat hunting deliveries.
  • Oct. 20, 2024
    • Added section on threat hunting deliveries.
  • Oct. 19, 2024
    • Added section on conditional access on T1566.
  • Oct. 15, 2024
    • Added tip at the top of the Windows Login page.
  • Oct. 13, 2024
    • New section: Deliveries under Part 1, with new page: Sitrep.
  • Oct. 12, 2024
    • New section: MITRE Field Notes, with new page: T1566 - Phishing.
  • Oct. 11, 2024
    • Added links to X and Mastodon.
  • Oct. 06, 2024
    • QA on OpenSearch Python API ingester and general document formatting site-wide.
    • Added tips and tricks for Windows event logon success and failure.
  • Sep. 30, 2024
    • Added “FAQ” page.
  • Sep. 29, 2024
    • Added “Understanding Data” page.