TD Website

Threat Hunting

Threat hunting in the ThreatDefence platform is the proactive process of searching for malicious or suspicious activity across your environment. Unlike automated detections that trigger predefined alerts, hunting allows analysts to explore raw data, test hypotheses, and uncover threats that may bypass standard rules and signatures.

Purpose of Threat Hunting

The goal of threat hunting is to provide confidence in the security of your systems by:

  • Validating Security Posture – Prove or disprove whether adversaries are active in your environment.

  • Finding Hidden Threats – Detect stealthy attackers, dormant malware, or insider activity that automated systems may miss.

  • Supporting Incident Response – Gather evidence and timelines during investigations.

  • Continuous Assurance – Maintain ongoing visibility even in periods without high-severity alerts.

How Threat Hunting Works in ThreatDefence

  1. Form a Hypothesis Analysts begin by defining what to look for. Hypotheses can be based on:

    • Threat intelligence (e.g., new indicators of compromise).

    • Known attacker behaviors (mapped to MITRE ATT&CK).

    • Anomalies in user or system activity.

  2. Run Targeted Queries Queries are executed against telemetry from endpoints, networks, cloud services, and third-party integrations. Analysts can filter by users, IPs, ports, geolocation, or event types.

  3. Leverage AI and Automation ThreatDefence provides AI-assisted hunting to correlate signals across datasets, highlight outliers, and suggest next steps.

  4. Investigate Findings Analysts pivot into related events, review historical activity, and assess whether the behavior is benign, suspicious, or malicious.

  5. Take Action If malicious activity is confirmed:

    • Contain endpoints or users via agent isolation or account lockouts.

    • Escalate findings through SOC workflows.

    • Document results for audit and compliance.

What Analysts Look For

When conducting hunts, analysts typically focus on:

  • Indicators of Compromise (IOCs): IP addresses, domains, file hashes associated with known threats.

  • Suspicious Behaviors: Unusual login times, large data transfers, rare process executions.

  • Attack Techniques: Credential dumping, lateral movement, persistence mechanisms.

  • Insider Threats: Unauthorized data access or abnormal administrative activity.

Example Use Cases

  • Post-Incident Assurance – Confirm that no related compromises remain after a breach.

  • Audit Preparation – Validate that monitoring and logging controls are functioning correctly.

  • High-Risk Periods – Increase visibility during mergers, acquisitions, or targeted campaigns.

  • Routine Coverage – Schedule recurring hunts to ensure environments remain clean.

Accessing Hunting in the Platform

Threat hunting can be performed from the Hunt module in the Analyst Console:

  1. Log into the ThreatDefence Analyst Console.

  2. From the left-hand menu, select Hunt.

  3. Choose the relevant dataset (e.g., Endpoint, Network, Cloud).

  4. Use query filters or AI-assisted recommendations to begin your hunt.

  5. Expand results for context and export findings if needed.

Video Guides

For demonstrations of hunting workflows, refer to the following guides:

  • Endpoint Hunting:

  • Cloud Hunting:

  • Advanced Endpoint Hunting:

PreviousSearch QueriesNextCompliance

Last updated