Most threat hunting programs die in week three. Not because the team lacks skill — because they have no process. They run the same queries they ran last month, call it a hunt, and file a report that says "nothing found."

That's not hunting. That's reactive monitoring with extra steps.

A real threat hunting process starts with a hypothesis, follows a defined execution path, and ends with a detection engineering output whether the hunt finds something or not. Here's the full framework I've used across financial institution SOCs running CrowdStrike, Sentinel, and Splunk.

What this covers

Hypothesis generation → hunt execution → evidence collection → detection output. Plus working queries for CrowdStrike LogScale, Microsoft Sentinel KQL, and Splunk SPL you can run in your environment today.

Why Most Hunts Fail Before They Start

The failure mode is almost always the same: a senior analyst picks a topic, pulls some logs, looks around for 30 minutes, and concludes there's nothing to find. No documented hypothesis. No defined scope. No output beyond "checked, looks clean."

Three problems with that approach:

The fix is structure. Not bureaucracy — structure. A defined input (hypothesis), a defined process (execution phases), and a defined output (detection or documented gap).

Phase 1: Hypothesis Generation

Every hunt starts with a written hypothesis. Not a topic. A hypothesis.

Topic: "Let's hunt for lateral movement."

Hypothesis: "Threat actors who have compromised a workstation are using pass-the-hash to authenticate to internal servers using NTLM rather than Kerberos, which should be visible as 4624 Type 3 logons with NtLmSsp authentication package from workstation-class source IPs to server-class destination IPs."

The difference matters. The topic gives you no scope and no success criteria. The hypothesis tells you exactly what data to pull, what to look for, and what it means if you don't find it.

Phase 1 output
Written Hypothesis Card
Hypothesis: [one sentence, specific and falsifiable]

MITRE ATT&CK mapping: [technique ID and name]

Expected data sources: [log sources required]

Success criteria: [what "found" and "not found" look like]

Time scope: [last 30/60/90 days]

Risk rating: [how bad if this is happening and we missed it]

Where to source hypotheses

Four reliable sources that actually produce useful hunts:

Weekly Intelligence Pack
A new hunt hypothesis every Tuesday

Every issue includes a fully written hypothesis, the working query behind it, and a case study showing what the evidence looks like when you find something. Built from 10 years of real SOC operations.

Join — $14.99/mo See a Sample Issue
30-day money back · founding member pricing locked for life

Phase 2: Scoping and Data Validation

Before you run a single query, validate that the data you need actually exists and is complete. This sounds obvious. It's skipped constantly.

A hunt for NTLM pass-the-hash requires 4624 events with full authentication package fields. If your SIEM is ingesting Security logs but stripping the extended fields for cost reasons, your hunt will come back clean not because there's nothing there, but because you're looking at incomplete data. That's a false negative, and it's worse than not hunting at all because it creates a false sense of coverage.

Data validation queries

Sentinel KQL — Validate 4624 field completeness
// Check that auth package field is populated
SecurityEvent
| where EventID == 4624
| where TimeGenerated > ago(7d)
| summarize
    TotalEvents = count(),
    WithAuthPackage = countif(isnotempty(AuthenticationPackageName)),
    NTLMEvents = countif(AuthenticationPackageName == "NTLM")
| extend FieldCompleteness = round(todouble(WithAuthPackage) / TotalEvents * 100, 1)
Field completeness rule

If the field you need is populated in less than 85% of events, document it as a data gap and stop. A partial hunt is worse than no hunt — it creates false confidence in your coverage.

Phase 3: Hunt Execution

Execution follows a consistent pattern regardless of the technique being hunted:

  1. Pull the broad population — all instances of the behavior, legitimate and suspicious
  2. Baseline the legitimate — identify the known-good patterns (scheduled tasks, admin tools, approved processes)
  3. Subtract the baseline — what remains after removing known-good is your anomaly population
  4. Prioritize the anomaly population — by rarity, by target sensitivity, by time clustering
  5. Investigate the top items — manual review, correlated context, timeline reconstruction

CrowdStrike LogScale — Pass-the-Hash hunt query

CrowdStrike LogScale — NTLM lateral movement hunt
// Hunt: NTLM auth from workstation to server-class hosts
#event_simpleName=UserLogon
LogonType=3
AuthenticationPackage="NTLM"
| regex("^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)", field=RemoteIP)
| groupBy([UserName RemoteIP ComputerName], function=count())
| rename(field=_count, as=AuthCount)
| sort(AuthCount, order=desc)
| tail(50)

Splunk SPL — Pass-the-Hash hunt query

Splunk SPL — NTLM lateral movement hunt
index=win_* sourcetype="WinEventLog:Security"
EventCode=4624 Logon_Type=3
Authentication_Package=NTLM
earliest=-30d latest=now
| stats count values(Source_Network_Address) as SourceIPs
    values(Workstation_Name) as WorkstationNames
    by Account_Name ComputerName
| where count > 5
| sort - count

Phase 4: Evidence Documentation

Every hunt — whether it finds something or not — needs a documented evidence record. This is the part most teams skip, and it's where most of the value gets lost.

Phase 4 output
Hunt Evidence Record
Hypothesis tested: [verbatim from Phase 1]

Data sources confirmed: [log sources, time range, field completeness]

Query used: [exact query, version-controlled]

Population size: [total events reviewed]

Anomaly population: [count after baselining]

Findings: [what was found, or explicit "no evidence of technique observed"]

Next actions: [ticket opened / detection created / gap documented]

Hunt duration: [hours spent — helps capacity planning]

Phase 5: Detection Engineering Output

This is the phase that turns hunting from a cost center into a force multiplier. Every completed hunt should produce one of three outputs:

The key rule

A hunt that produces no detection and no documented gap is an incomplete hunt, not a completed one. The evidence record should never close without one of these three outputs.

Building a Hunt Calendar

Once the process is in place, the next step is a quarterly hunt calendar so coverage is deliberate rather than opportunistic. A working format:

Coverage tracking sounds bureaucratic until leadership asks "are we covered against the technique used in the recent sector breach" and you can answer with a specific date and a link to the hunt record instead of "we think so."

Common Mistakes That Kill Hunt Programs

IR Runbook Bundle · $49
The Threat Hunting Playbook is inside

The IR Runbook Bundle includes a full Threat Hunting Playbook with hypothesis templates, evidence record format, detection output checklist, and the MITRE coverage tracking matrix. Buy once, keep forever.

Get the IR Bundle — $49 Or Join the Intel Pack — $14.99/mo
30-day money back on everything · instant download