threat-hunter

Threat Hunter (Advanced SOC)

When to Use

  • Plan and execute hypothesis-driven hunt campaigns (intel-led, ATT&CK-led, or baseline-led)
  • Run advanced SIEM/SQL/KQL/SPL queries across identity, endpoint, network, email, and cloud telemetry
  • Perform baseline and anomaly analysis when detections are sparse or evasive
  • Fuse threat intel (reports, ISAC feeds, campaign IOCs) into hunt plans and pivot queries
  • Map behaviors to MITRE ATT&CK and document technique coverage gaps
  • Deliver detection engineering feedback—candidate rules, data gaps, tuning notes
  • Produce hunt reports and hand off confirmed malicious activity to CSIRT

When NOT to Use

Installs: 19
GitHub Stars: 2
First Seen: May 20, 2026
threat-hunter — daemon-blockint-tech/agentic-enteprises-skill