A Case for Loving Documentation
Let’s talk about the best part of cybersecurity: documentation.
I kid. I kid…
But the reality is that documentation is a requirement. Otherwise, are you even really threat hunting? 🤔… really?
How are you going to recreate this?
Do you remember what you did?
Seriously?
Do you really want to do all that work again from scratch?
Nah, without documentation, you’ve just been goofing off.
:::awkward::::
So, let’s start with the basics. 🗒️
Here is a guide to structuring your ticket (or doc, or Slack message, or whatever you use to track your work). Every hunt should have some sort of documentation, ideally covering something along these lines.
Background
⁃ This is where you write what inspired you to run this hunt. Was it a piece of intel that outlined new techniques attackers are using? Or is this a new log source, making the hunt an exploratory endeavor?
Goal
⁃ List a clear objective. Be as concise as possible. This keeps you from going on a wild goose chase and ending up on a weeks-long hunt with nothing accomplished other than a disdain for hunting.
Process
⁃ Here is where you note the technology leveraged, the logs queried, and the actual queries, i.e. the exact syntax used.
References
⁃ Any sources you used along the way.
Findings
⁃ Share exactly what you found. Did you meet your objective? Did you discover anything notable during the process? And it is perfectly okay if you didn’t uncover anything malicious. State that, then!
That’s it.
Those are the essentials. Of course, you can add more and get fancy with tags and mappings, but this will get you started.
But why should you care? 🤔
– Your manager or lead will likely be impressed by your initiative and appreciate the organization of the information. So, major win for your career development.
– Google has a saying: “Automate [almost] everything.” With the details you just recorded, you’ve laid some massive groundwork for automation, should your hunt uncover interesting findings or gaps in current visibility.
– You’ve just made this hunt repeatable if someone else needs to follow behind you and rerun it.
– Once you have a couple of hunts documented, congratulations. You’re ready for documentation level two: building a threat hunt catalog. 🤯
The reality is if you take some time to lay out some basic groundwork, you set yourself up with a strong foundation to build out a whole threat hunting program.
Wait what?
Hunt docs —> automation
Hunt docs —> hunt catalog
Hunt docs —> quantifiable metrics
==
REAL IMPACT
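To make the three arrows concrete, here is an added example (my own code, not part of the original post or any Wiz tooling): a small Python module that treats each hunt ticket as a record with the five sections above, rejects incomplete ones, indexes complete hunts into a catalog by log source so anyone can find and rerun them, and derives a handful of quantifiable metrics from the Findings section, including which hunts are worth automating. The hunt ids, dates, log source names and query strings are constructed placeholders, not real hunts.

```python
"""Hunt docs -> catalog -> metrics.

Added example, not from the original post. Each hunt doc is a dict with the
five sections the post asks for (background, goal, process, references,
findings) plus an id and date for bookkeeping.
"""
from collections import Counter, defaultdict

# The five sections every hunt doc must contain.
REQUIRED_SECTIONS = ("background", "goal", "process", "references", "findings")

# Constructed sample hunt docs: hypothetical ids, dates, sources and queries.
SAMPLE_HUNT_DOCS = [
    {
        "id": "HUNT-001",
        "date": "2024-01-15",
        "background": "Intel report describing credential theft via LSASS memory access.",
        "goal": "Identify non-allowlisted processes opening handles to lsass.exe.",
        "process": {
            "technology": "SIEM",
            "log_sources": ["edr-process-access"],
            "queries": ["event=process_access target=lsass.exe NOT image IN allowlist"],
        },
        "references": ["internal intel memo 2024-01"],
        "findings": {"objective_met": True, "malicious": False, "visibility_gap": False},
    },
    {
        "id": "HUNT-002",
        "date": "2024-02-03",
        "background": "New cloud audit log source onboarded; exploratory hunt.",
        "goal": "Baseline which principals create access keys for other users.",
        "process": {
            "technology": "cloud log analytics",
            "log_sources": ["cloud-audit"],
            "queries": ["action=CreateAccessKey AND actor != target_user"],
        },
        "references": ["vendor audit log docs"],
        "findings": {"objective_met": True, "malicious": False, "visibility_gap": True},
    },
    {
        "id": "HUNT-003",
        "date": "2024-02-20",
        "background": "Follow-up on HUNT-002 after the IAM logging gap was closed.",
        "goal": "Re-run the access-key baseline with the new log coverage.",
        "process": {
            "technology": "cloud log analytics",
            "log_sources": ["cloud-audit", "iam-events"],
            "queries": ["action=CreateAccessKey AND actor != target_user"],
        },
        "references": ["HUNT-002"],
        "findings": {"objective_met": False, "malicious": True, "visibility_gap": False},
    },
]


def missing_sections(doc):
    """Return the required sections a hunt doc lacks or left empty ([] if complete)."""
    return [s for s in REQUIRED_SECTIONS if s not in doc or doc[s] in (None, "", [], {})]


def build_catalog(docs):
    """Index complete hunt docs by log source so a hunt can be found and rerun.

    Returns {log_source: [{"id", "goal", "queries"}, ...]}.
    An incomplete doc raises ValueError: it is not documentation yet.
    """
    catalog = defaultdict(list)
    for doc in docs:
        missing = missing_sections(doc)
        if missing:
            raise ValueError(f"{doc.get('id', '<no id>')} is missing sections: {missing}")
        for source in doc["process"]["log_sources"]:
            catalog[source].append(
                {"id": doc["id"], "goal": doc["goal"], "queries": list(doc["process"]["queries"])}
            )
    return dict(catalog)


def hunt_metrics(docs):
    """Quantifiable metrics derived from the Findings section of each hunt doc."""
    findings = [d["findings"] for d in docs]
    return {
        "total": len(docs),
        "objective_met": sum(f["objective_met"] for f in findings),
        "malicious_found": sum(f["malicious"] for f in findings),
        "visibility_gaps": sum(f["visibility_gap"] for f in findings),
        # Cadence: hunts grouped by YYYY-MM of the hunt date.
        "hunts_per_month": dict(Counter(d["date"][:7] for d in docs)),
        # Hunts that surfaced something (malicious activity or a visibility
        # gap) are the ones whose documented queries are worth automating.
        "automation_candidates": [
            d["id"] for d in docs if d["findings"]["malicious"] or d["findings"]["visibility_gap"]
        ],
    }


if __name__ == "__main__":
    for source, entries in sorted(build_catalog(SAMPLE_HUNT_DOCS).items()):
        print(source, [e["id"] for e in entries])
    print(hunt_metrics(SAMPLE_HUNT_DOCS))
```

The shape is deliberately boring: the validation step is what turns "I ran some queries" into a catalog entry, and the metrics are computed only from fields every hunt doc already has, so the numbers stay honest as the catalog grows.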
Not only did you just level up your organization’s security, but you’ve just demonstrated your ability to threat hunt and build out an ENTIRE PROGRAM.
…and it all started with some documentation
Hope you enjoyed this!
My name is Stacey, and I am a Security Operations Analyst and Threat Hunter at the cloud security company Wiz. I help protect our Wizards so they can do what they do best in the cloud. I’ve been working in cybersecurity for a little over 4 years, and prior to working in Corporate Security I worked in the SOC of a “bring your own tech” MDR.
Cybersecurity has been something that has transformed my life, and I’m forever appreciative of that fact. My end game goal is to make security approachable. Here’s to hoping this helped!