Threat Hunt Book by Predefender
This notebook provides a comprehensive guide to Threat Hunting, structured in the form of a book. With years of experience in establishing SOC departments for Norwegian cybersecurity firms and actively working as a threat hunter, I’ve gathered valuable insights that I’m eager to share.
As I transition into managing a Cyber Security Operations Center (CSOC), my goal is to help SOC analysts become proficient threat hunters from day one.
Roger C.B. Johnsen
Have feedback?
I welcome your thoughts, suggestions, or corrections. Feel free to reach out via my preferred contact links .
About the Content
The content has been carefully refined with the help of tools like ChatGPT to improve grammar, clarity, and readability. It includes a curated collection of notes, articles, presentations, and personal reflections, all based on years of hands-on experience as a threat hunter.
Recent Changes and Additions
| Date | Change/Addition |
|---|---|
| Apr. 20, 2025 | Added threat hunting framework section and collect all hunting related articles beneath it |
| Apr. 13, 2025 | Added framework pages: Magma , TaHiTI and Peak |
| Mar. 29, 2025 | Added page on When to engage threat hunters |
| Mar. 21, 2025 | New cheatsheets based on hunts conducted this week, “Kusto Sentinel Tables ”, “Sysmon ”, “Windows Registry ” and “Power Shell ” |
| Mar. 16, 2025 | New section, “cheat sheets ” |
| Added support fort tags for easier grouping of articles. Testing out in “cheat sheets” section | |
| Feb. 28, 2025 | Updated contact information. Added e-mail |
| Feb. 22, 2025 | - Overhaul of multiple pages to improve meaning |
| - Added “Hierarchy of Needs ” page | |
| Feb. 15, 2025 | - Added “Siem Query Languages ” page |
| Jan. 11, 2025 | - Added “The Threathunter Persona ” page |
| Dec. 27, 2024 | - Added the “Release Plan ” page, accessible via the left site menu. |
| - Improved the left site menu by removing chapter/part prefixes. | |
| Nov. 03, 2024 | Added a page on No Result Hunts . |
| Nov. 02, 2024 | Added a page on creating hypotheses . |
| Oct. 27, 2024 | - Added a page on T1105 from a recent threat hunt investigation. |
| - Added a page on planning a threat hunt . | |
| - Added a page on intelligence resources . | |
| Oct. 26, 2024 | - Added a page on starting a threat hunting program . |
| - Added pages on threat hunting deliveries . | |
| Oct. 21, 2024 | Revised the introduction for Threat Hunting Deliveries. |
| Oct. 20, 2024 | Added a section on Threat Hunting Deliveries. |
| Oct. 19, 2024 | Added a section on conditional access for T1566 . |
| Oct. 15, 2024 | Added a tip on Windows Login. |
| Oct. 13, 2024 | Introduced a new section: Deliveries under Part 1, including the new page SITREP. |
| Oct. 12, 2024 | Introduced a new section: Mitre Field Notes, featuring the page T1566 - Phishing. |
| Oct. 11, 2024 | Added links to social platforms, X (formerly Twitter) and Mastodon. |
| Oct. 06, 2024 | - Quality assured the OpenSearch Python API ingester. |
| - Improved document formatting across the site. | |
| - Added tips for Windows event log success and failure. | |
| Sep. 30, 2024 | Added a “FAQ ” page. |
| Sep. 29, 2024 | Added a page on Understanding Data . |
