Performing a hunt
While there are no fixed rules on how to run a hunt, there are some steps you can take to focus your work: develop a premise, determine the data, plan the hunt, execute the investigation, respond, monitor, and improve.
As shown in the following diagram, this is a never-ending process. As new logs are added or new threats are recognized, this will be done over and over again. Even something as simple as checking for a malicious IP address will most likely be done many times and, based on previous findings, can be improved upon. You can find the logs that are most likely to contain the IP address and check those first, rather than blindly searching across all logs:
As you can see from the preceding diagram, there are various steps to performing an investigation. Each step is described in further detail next.
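The malicious-IP check above, as an added example that is not from this chapter: one hunt over several constructed log sources, where sources that yielded hits in earlier hunts are searched first, and this hunt's hits are folded back into the priorities for the next run (the plan, execute and improve steps of the cycle). The source names, log lines and IP addresses are hypothetical.

```python
"""Prioritised hunt for one IP indicator across several log sources."""
from collections import Counter
import ipaddress
import re

# Constructed sample log lines, keyed by source (hypothetical, not from the book).
LOGS = {
    "auth": [
        "2024-01-01T10:00:09 sshd: Accepted publickey for bob from 10.0.0.7 port 51022",
    ],
    "firewall": [
        "2024-01-01T10:00:01 DENY src=203.0.113.45 dst=10.0.0.5 dport=445",
        "2024-01-01T10:00:02 ALLOW src=10.0.0.7 dst=198.51.100.9 dport=443",
    ],
    "proxy": [
        "2024-01-01T10:00:05 user=alice url=http://203.0.113.45/update.bin status=200",
    ],
}

# Whole IPv4 tokens only, so a shorter address never matches inside a longer one.
IPV4_TOKEN = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def source_order(logs, prior_hits):
    """Plan step: sources that produced hits in earlier hunts are searched first;
    ties fall back to name order so the plan is reproducible."""
    return sorted(logs, key=lambda src: (-prior_hits.get(src, 0), src))


def hunt_ip(indicator, logs, prior_hits):
    """Execute step: return (source, line) matches for an exact IPv4 indicator."""
    ip = str(ipaddress.ip_address(indicator))  # rejects a malformed indicator early
    matches = []
    for src in source_order(logs, prior_hits):
        for line in logs[src]:
            # Token match, not substring: "203.0.113.4" must not hit "203.0.113.45".
            if ip in IPV4_TOKEN.findall(line):
                matches.append((src, line))
    return matches


def improve(prior_hits, matches):
    """Improve step: fold this hunt's hits back into the per-source priorities."""
    updated = Counter(prior_hits)
    updated.update(src for src, _ in matches)
    return dict(updated)


if __name__ == "__main__":
    hits = hunt_ip("203.0.113.45", LOGS, {})
    print(hits)
    print(improve({}, hits))
```

On the first run every source is searched in name order; once `improve` has recorded where hits came from, the proxy and firewall logs move to the front of the next hunt.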
Develop premise
In this step, you need to determine what it is you are...