# Threat Hunting Program Basics

One-sentence definition: Proactive, hypothesis-driven searches for unknown threats using telemetry and intel.

## Key Facts

- Hypotheses from ATT&CK, intel, prior incidents; define success/exit criteria.
- Data: EDR, auth, NetFlow, DNS, proxy, cloud logs.
- Document queries, findings, and new detections; avoid “analysis drift.”
- Measure hunts converted to detections and gaps closed.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Distinguish hunting (proactive) from alert-driven investigation.

**Mnemonic:** “**Assume breach, prove or disprove**.”

## Mini Scenario

Q: Hunt finds rare service creation—next?

A: Investigate host, create detection rule, tune baseline.

## Revision Checklist

- Two hypothesis sources.
- Telemetry list.
- Output artifacts.

## Related

[[Use Case and Detection Engineering Lifecycle]] · [[MITRE ATT&CK Mapping for Testing]] · [[Identity Threat Detection and Response (ITDR)]] · [[Security Operations Center (SOC) Fundamentals]] · [[Operational Metrics and KPIs (MTTD MTTR Coverage)]] · [[Domain 7 - Index]]