
Threat Intelligence and Threat Hunting

This chapter covers threat intelligence and threat hunting, two critical pillars of proactive security operations. For the CS0-003 exam, these topics appear in approximately 15-20% of questions within the Security Operations domain (Objective 1.1). Understanding how to collect, analyze, and apply threat intelligence to drive structured hunting missions is essential for identifying advanced threats that evade automated defenses. This chapter provides the deep technical knowledge needed to answer scenario-based questions on intelligence lifecycles, hunting methodologies, and indicator management.

25 min read
Intermediate
Updated May 31, 2026

Threat Intel as a Weather Service for Hunters

Imagine a city security team responsible for stopping burglaries. They have patrols (security tools) watching for suspicious activity, but they need to know what to look for. A centralized weather service (threat intelligence platform) collects data from thousands of sources: satellites (global threat feeds), ground stations (ISACs, vendor reports), and historical patterns (past incidents). The service processes this data into forecasts: 'Today, there is a high probability of smash-and-grab burglaries using crowbars in the downtown area between 2-4 AM, based on recent reports from three neighboring cities.' The security team (hunters) uses this forecast to adjust patrols: they assign extra guards to downtown, watch for crowbars on CCTV, and check doors for tampering. They also proactively search for signs of reconnaissance (threat hunting) by looking for suspicious vehicles casing the area. Without the weather service, they would react blindly to each alarm. With it, they anticipate and prevent. The service provides structured data (STIX/TAXII) like bulletins, and the team uses it to create signatures (Snort rules, YARA) that detect the specific crowbar technique. If the forecast is wrong (bad intelligence), they waste resources. If they ignore the forecast, they miss the attack. This is exactly how threat intelligence feeds into threat hunting: raw data is processed into actionable context, enabling proactive detection and response.

How It Actually Works

What is Threat Intelligence and Why Does It Exist?

Threat intelligence is evidence-based knowledge about existing or emerging threats to assets, including context, mechanisms, indicators, implications, and actionable advice. It exists to transform raw data into decision-ready information that reduces uncertainty and enables proactive defense. Without threat intelligence, security teams operate reactively, relying on signature-based detection that only catches known threats after they have been seen elsewhere. Intelligence provides the 'why' and 'what next' behind indicators, enabling prioritization and customized defenses.

The Intelligence Lifecycle

The standard threat intelligence lifecycle consists of six phases:

- Requirements: Define what intelligence is needed (e.g., 'Are APT groups targeting our industry with spear-phishing?').
- Collection: Gather raw data from sources like open-source feeds, dark web forums, ISACs, vendor reports, and internal telemetry.
- Processing: Convert raw data into usable formats (e.g., normalize IOCs, translate foreign-language posts).
- Analysis: Apply human reasoning to identify patterns, attribution, and implications. This produces finished intelligence.
- Dissemination: Deliver intelligence to consumers (SOC analysts, hunters, executives) in appropriate formats (e.g., STIX/TAXII feeds, email bulletins).
- Feedback: Consumers provide feedback on relevance and accuracy, refining future requirements.

Threat Intelligence Classifications

Strategic: High-level intelligence for executives. Answers 'why' and 'so what'. Example: 'Nation-state actors are targeting energy sectors with supply chain attacks.'

Operational: Campaign-level intelligence about specific adversary operations. Answers 'how'. Example: 'APT29 uses DLL sideloading via Microsoft Office documents.'

Tactical: Technical indicators (IOCs). Answers 'what'. Example: MD5 hashes, IP addresses, domain names.

Technical: Detailed technical data like malware samples, YARA rules, Snort signatures.

Indicators of Compromise (IOCs) vs. Indicators of Attack (IOAs)

IOCs are forensic evidence that a breach has occurred (e.g., a file hash of a known malware). IOAs are real-time behaviors that suggest an attack is in progress (e.g., a process spawning cmd.exe with unusual arguments). The exam emphasizes that IOAs are more proactive because they detect attacks before data exfiltration, while IOCs confirm a breach after the fact.

Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII)

STIX is a standardized language (XML/JSON) for describing threat intelligence, including observables, indicators, campaigns, and threat actors. TAXII is a protocol for exchanging STIX data over HTTPS. There are two TAXII server-client models:

- Collection: Client pulls data from a server (e.g., 'get indicators from the feed').
- Channel: Server pushes data to subscribers (e.g., 'send alerts when new malware is identified').

Common TAXII API endpoints include /taxii2/collections/ to list available collections and /taxii2/collections/{id}/objects/ to retrieve STIX objects.

Threat Hunting

Threat hunting is the proactive, iterative search for threats that evade existing security controls. It is hypothesis-driven, not event-driven. The hunter assumes a breach exists and seeks evidence using intelligence and telemetry. The three main hunting models are:

- Structured Hunting: Based on a specific hypothesis derived from threat intelligence (e.g., 'Recent reports indicate that APT group X uses PowerShell Empire. Let's search for Empire stagers in our environment.').
- Unstructured Hunting: Triggered by an anomaly or curiosity (e.g., 'Why is this server beaconing to a new domain?').
- Situational Awareness Hunting: Driven by changes in the environment or threat landscape (e.g., 'After patching a critical vulnerability, are there signs of exploitation?').

The Hunting Loop

The hunting process follows a loop:

1. Hypothesis: Formulate a testable statement based on intelligence (e.g., 'Our network has active Cobalt Strike beacons').
2. Collect Data: Gather relevant logs (e.g., NetFlow, DNS logs, process creation events).
3. Analyze: Use tools like SIEM queries, Python scripts, or manual inspection to find evidence.
4. Respond: If evidence is found, escalate to incident response; if not, refine the hypothesis or conclude.
5. Feedback: Document findings and update detection rules.

Key Hunting Techniques

Stack Counting: Group logs by a field (e.g., source IP, domain) and count occurrences; outliers indicate potential threats.

Baselining: Establish normal behavior (e.g., average DNS queries per hour) and alert on deviations.

Clustering: Group similar events using machine learning to find anomalous clusters.

Searching: Manually query specific IOCs or patterns (e.g., 'processes with network connections that were not initiated by user').
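Stack counting and baselining as an added example (not code from the original page): both techniques run over a handful of constructed DNS log lines, whose three-field line format is an assumption for the sample, and each surfaces the one host that keeps resolving fresh subdomains of a single parent domain.

```python
"""Stack counting and baselining over constructed DNS log lines.
Added example; the line format '<timestamp> <client_ip> <query_name>' is an
assumption for the sample, not any particular resolver's log format."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample: four hosts doing ordinary lookups, plus one host
# (10.0.0.9) resolving a stream of never-repeated subdomains of one parent
# domain every 30 seconds, the shape of a beacon or DNS tunnel.
DNS_LOG = """\
2026-05-30T09:00:01 10.0.0.5 www.example.com
2026-05-30T09:00:07 10.0.0.5 mail.example.com
2026-05-30T09:00:12 10.0.0.6 www.example.com
2026-05-30T09:00:15 10.0.0.9 a1f3.updates.example.invalid
2026-05-30T09:00:30 10.0.0.7 mail.example.com
2026-05-30T09:00:45 10.0.0.9 b7c2.updates.example.invalid
2026-05-30T09:01:05 10.0.0.8 www.example.com
2026-05-30T09:01:15 10.0.0.9 9e0d.updates.example.invalid
2026-05-30T09:01:30 10.0.0.6 cdn.example.com
2026-05-30T09:01:45 10.0.0.9 4c11.updates.example.invalid
2026-05-30T09:02:00 10.0.0.7 cdn.example.com
2026-05-30T09:02:15 10.0.0.9 77ab.updates.example.invalid
2026-05-30T09:02:20 10.0.0.8 mail.example.com
2026-05-30T09:02:40 10.0.0.5 cdn.example.com
2026-05-30T09:02:45 10.0.0.9 e2d8.updates.example.invalid
"""


def parse(log_text):
    """Yield (timestamp, client, qname) tuples from the constructed format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, client, qname = line.split()
            yield ts, client, qname.lower()


def parent_domain(qname, labels=2):
    """Collapse 'a1f3.updates.example.invalid' to 'example.invalid' so that
    every unique subdomain stacks under one key."""
    return ".".join(qname.split(".")[-labels:])


def stack_clients_per_domain(records):
    """Stack counting: distinct clients per parent domain, rarest first.
    A domain that only one host ever resolves is the outlier to look at."""
    clients = defaultdict(set)
    for _, client, qname in records:
        clients[parent_domain(qname)].add(client)
    return sorted(((d, len(c)) for d, c in clients.items()), key=lambda kv: kv[1])


def queries_per_client(records):
    """Query volume per client over the sample window (the baseline metric)."""
    return Counter(client for _, client, _ in records)


def baseline_outliers(values, z=1.5):
    """Baselining: flag keys whose value sits more than z population standard
    deviations above the mean. z=1.5 is an assumption tuned to the tiny sample."""
    nums = list(values.values())
    mu, sigma = mean(nums), pstdev(nums)
    if sigma == 0:
        return []
    return [k for k, v in values.items() if (v - mu) / sigma > z]


def hunt(log_text):
    """Run both techniques and return what a hunter would triage next."""
    records = list(parse(log_text))
    return {
        "stack": stack_clients_per_domain(records),
        "outliers": baseline_outliers(queries_per_client(records)),
    }


if __name__ == "__main__":
    for name, result in hunt(DNS_LOG).items():
        print(name, result)
```

On real resolver logs the baseline would be computed per host over days of history, not over a three-minute sample; the scoring logic is the same.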

Tools and Data Sources

SIEM: Central log aggregation; queries like `index=windows EventCode=4688 ParentImage=*winword.exe Image=*powershell.exe`.

EDR: Endpoint detection and response; provides process trees, file modifications, registry changes.

Network Monitoring: Full packet capture, NetFlow, DNS logs, proxy logs.

Threat Intelligence Platforms (TIPs): Aggregate and correlate intelligence feeds; e.g., MISP, ThreatConnect.

Open Source Tools: YARA for file scanning, Sigma for SIEM rules, Zeek for network analysis.

Indicator Lifecycle and Management

IOCs have a limited useful life. The exam emphasizes:

- Expiration: IOCs should have timestamps. Old IOCs generate false positives.
- Tiering: Criticality levels (e.g., high-confidence IOCs from trusted sources vs. low-confidence from open feeds).
- Automation: Use TIPs to automatically push IOCs to firewalls, SIEMs, and EDR.
- False Positive Management: Regularly review and remove stale or invalid IOCs.
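The STIX indicator format described above and the indicator-lifecycle rules (expiration, tiering), as an added example that is not from the original page: it builds STIX 2.1 Indicator objects by hand with `valid_until` and `confidence` set, then filters them before they would be pushed to a blocking control. The tier thresholds and all indicator values are constructed for the example.

```python
"""Build a STIX 2.1 Indicator by hand and apply the indicator-lifecycle rules
(expiration, confidence tiering) before an IOC is pushed to a blocking control.
Added example with constructed values; the tier thresholds are an assumption."""
import json
import uuid
from datetime import datetime, timedelta, timezone

STIX_TS = "%Y-%m-%dT%H:%M:%S.000Z"  # STIX 2.1 timestamps are UTC with a Z suffix


def make_indicator(pattern, name, confidence, created, ttl_days=30):
    """Return a STIX 2.1 Indicator SDO as a dict.

    valid_until is derived from a TTL so the IOC expires automatically
    (the 'Expiration' rule); confidence uses the STIX 0-100 scale."""
    stamp = created.strftime(STIX_TS)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": stamp,
        "valid_until": (created + timedelta(days=ttl_days)).strftime(STIX_TS),
        "confidence": confidence,
    }


def tier(indicator):
    """Map STIX confidence to a tier (the 'Tiering' rule).
    The 75/40 thresholds are an assumption for this example, not a STIX rule."""
    c = indicator.get("confidence", 0)
    if c >= 75:
        return "high"
    if c >= 40:
        return "medium"
    return "low"


def is_expired(indicator, now):
    """True once now is past valid_until; an indicator with no valid_until
    is treated as unusable, since it could never age out."""
    until = indicator.get("valid_until")
    if until is None:
        return True
    return datetime.strptime(until, STIX_TS).replace(tzinfo=timezone.utc) <= now


def select_for_blocking(indicators, now, min_tier="high"):
    """Return only unexpired indicators at or above min_tier; these are the
    ones a TIP would be allowed to push to a firewall or EDR block list."""
    order = {"low": 0, "medium": 1, "high": 2}
    return [
        i for i in indicators
        if not is_expired(i, now) and order[tier(i)] >= order[min_tier]
    ]


def to_bundle(indicators):
    """Wrap SDOs in a STIX 2.1 Bundle, the JSON a TAXII objects endpoint returns."""
    return json.dumps(
        {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": indicators},
        indent=2,
    )


# Constructed sample: a fresh high-confidence C2 domain from a vendor report,
# a four-month-old malware hash, and a low-confidence IP from an open feed.
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    make_indicator("[domain-name:value = 'c2.example.invalid']",
                   "vendor-report C2 domain", 90, NOW - timedelta(days=2)),
    make_indicator("[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
                   "old malware hash", 95, NOW - timedelta(days=120)),
    make_indicator("[ipv4-addr:value = '203.0.113.7']",
                   "open feed IP", 20, NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    print(to_bundle(select_for_blocking(SAMPLE, NOW)))
```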

Cyber Kill Chain and MITRE ATT&CK

The Cyber Kill Chain (Lockheed Martin) describes seven stages of an attack: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives. Threat hunting maps to specific stages; for example, hunting for C2 traffic targets the Command & Control stage.

MITRE ATT&CK is a knowledge base of adversary tactics and techniques. Hunters use ATT&CK to formulate hypotheses (e.g., 'Search for T1055 Process Injection') and to map observed behaviors to known adversary groups.

Diamond Model

The Diamond Model characterizes intrusions using four core features: Adversary, Infrastructure, Capability, Victim. It helps analysts understand relationships and pivot between indicators (e.g., from a malware hash to a C2 domain used by the same adversary).

Pyramid of Pain

This model ranks indicators by how difficult they are for adversaries to change:

- Hash Values: Easy to change (e.g., recompile malware with a different hash).
- IP Addresses: Moderately easy (use VPN, proxies).
- Domain Names: Moderately hard (need to register a new domain).
- Network/Host Artifacts: Harder (e.g., specific registry keys, file paths).
- Tools: Hard (adversary must develop new tools).
- TTPs: Hardest (adversary must change behavior).

Hunters prioritize detecting TTPs over low-level IOCs because TTPs persist across campaigns; an adversary must change how they operate to evade them.

Verification Commands and Tools

YARA: `yara -s myrule.yar file.exe`

Sigma: `sigmac -t splunk -c sigmac-config.yml sigma_rule.yml`

TAXII Client: `python3 taxii2-client.py --host https://taxii.example.com --collection 123`

MISP: Query via the REST API (the `Accept` header asks for JSON rather than the HTML page): `curl -H 'Authorization: <key>' -H 'Accept: application/json' https://misp.local/events/index`

Integration with Other Technologies

Threat intelligence feeds into SIEMs (e.g., Splunk ES Threat Intelligence Framework), firewalls (e.g., Palo Alto Networks Threat Prevention), and EDR (e.g., CrowdStrike Falcon Intelligence). The exam tests understanding of how to configure these integrations, such as setting up a STIX/TAXII feed in Splunk to auto-generate correlation searches.

Common Pitfalls

Over-reliance on IOCs: Attackers change IOCs quickly; hunting must focus on TTPs.

Ignoring False Positives: Without tuning, intelligence feeds can overwhelm analysts.

Lack of Feedback: If hunters do not provide feedback to intelligence sources, the lifecycle breaks and intelligence becomes stale.

Poor Hypothesis: Vague hypotheses lead to wasted effort. A good hypothesis is specific and testable (e.g., 'We have evidence of Emotet infection via macro-enabled documents; search for wscript.exe spawning from Outlook').

Walk-Through

1. Define Intelligence Requirements

Start by identifying what intelligence is needed based on organizational risk. For example, a healthcare organization might need intelligence on ransomware groups targeting healthcare (e.g., Ryuk, Conti). Requirements should be specific: 'What are the latest phishing lures used against healthcare staff?' This step sets the scope for collection and prevents information overload. Document requirements in a formal Intelligence Requirements Document (IRD). The exam emphasizes that requirements must align with business objectives and threat model.

2. Collect Raw Data from Sources

Gather data from multiple sources: open-source (OSINT like AlienVault OTX, VirusTotal), commercial (Recorded Future, CrowdStrike), community (ISACs, MISP), and internal (previous incidents, honeypots). Use automated feeds via TAXII or manual scraping. Collection must be continuous and prioritized by requirement. For example, configure MISP to pull from a CIRCL feed every hour. Store raw data in a TIP or SIEM for processing. Ensure data quality by deduplicating and verifying source reliability.

3. Process Raw Data into Usable Format

Normalize collected data into a standard format like STIX 2.1. Extract IOCs (hashes, IPs, domains) and contextual information (threat actor, campaign). For example, a blog post about a new malware variant might be parsed to extract the SHA256 hash and add it to a STIX indicator object. Use tools like IntelMQ or custom scripts to automate parsing. Processing also includes enrichment: geolocate IPs, resolve domains, check reputation scores. The goal is to convert unstructured data into structured intelligence.

4. Analyze and Produce Intelligence

Human analysts review processed data to identify patterns, attribute to threat actors, and assess relevance. For example, if multiple IOCs are linked to APT29, the analyst produces a report summarizing the campaign, targeting, and recommended mitigations. Analysis uses frameworks like MITRE ATT&CK to map techniques (e.g., T1566 Phishing). The output is finished intelligence: strategic (executive summary), operational (campaign details), or tactical (IOC list). This step requires critical thinking to avoid confirmation bias.

5. Disseminate to Consumers

Deliver intelligence to the right audience in the right format. For SOC analysts, push IOCs to SIEM via TAXII feed. For hunters, provide a hunting hypothesis with specific queries (e.g., 'Search for DNS queries to domain malicious.xyz using this Splunk query'). For executives, send a one-page strategic summary. Use automated dissemination channels: TAXII collections, email alerts, API integrations. Ensure timely delivery; stale intelligence is useless. The exam tests understanding of TAXII collection vs. channel models.

6. Formulate Hunting Hypothesis

Based on disseminated intelligence, a threat hunter creates a testable hypothesis. Example: 'Intelligence indicates that APT29 is using HTML smuggling to deliver ISO files. I will search for process creation events where a browser (e.g., chrome.exe) spawns a process that writes an ISO file to disk.' The hypothesis should specify the data source (e.g., Windows Event ID 4688), the expected behavior, and the timeframe. A good hypothesis is narrow enough to be falsifiable but broad enough to catch variants.

7. Execute Hunt and Analyze Results

Collect the relevant telemetry (e.g., EDR logs, DNS logs) and apply the hypothesis. Use queries in SIEM or EDR. For example, in CrowdStrike Falcon, search: `event_simpleName=ProcessRollup2 AND ImageFileName=*\chrome.exe AND ParentBaseFileName=*\chrome.exe AND CommandLine=*--utility*`. Analyze results: if no matches, the hypothesis is disproven (good!); if matches found, investigate further to confirm malicious activity. Document findings, including false positives. The exam expects you to know how to pivot from one indicator to another using the Diamond Model.

8. Respond and Provide Feedback

If a threat is confirmed, escalate to incident response. If not, document the negative finding and update the intelligence lifecycle. Provide feedback to the intelligence team: 'The intelligence on HTML smuggling was accurate but the IOCs were too generic; our EDR blocked them, but we need more specific behavioral indicators.' This feedback refines future collection and analysis. Also, update detection rules (e.g., create a new Sigma rule) and share anonymized findings with the community via MISP.
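Steps 6 through 8 of the walk-through as an added example (not code from the original page): the Emotet macro hypothesis named earlier, with its data source, behaviour and time window, is run over constructed process-creation events and the result is documented whether or not it hits. The events follow a 4688-like shape with field names chosen for the example, and the hunt time is constructed.

```python
"""Walk-through steps 6-8 as code: a hypothesis with data source, behaviour
and time window, run over process-creation events, then documented.
Added example; the events are constructed in a 4688-like shape (field names
chosen for the example) and are not real telemetry."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatch


@dataclass
class Hypothesis:
    """A testable hunting hypothesis: what to look at, for what, and when."""
    name: str
    data_source: str        # e.g. Windows Security Event ID 4688
    parent_patterns: tuple  # case-insensitive globs on the parent image name
    child_patterns: tuple   # case-insensitive globs on the new process name
    window: timedelta       # how far back to look from hunt time
    technique: str = ""     # ATT&CK technique id supplied by intelligence


# The page's Emotet hypothesis: Office spawning a script host or shell,
# sourced from 4688 events, within the last 48 hours.
EMOTET_MACRO = Hypothesis(
    name="Office application spawns script interpreter",
    data_source="Windows Security Event ID 4688",
    parent_patterns=("excel.exe", "winword.exe", "outlook.exe"),
    child_patterns=("wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"),
    window=timedelta(hours=48),
    technique="T1059",
)

HUNT_TIME = datetime(2026, 5, 31, 12, 0, 0)  # when the hunt runs (constructed)

# Constructed events: a true hit, a benign Office helper process, an old hit
# outside the window, and a shell a user launched from Explorer.
EVENTS = [
    {"time": "2026-05-31T08:02:11", "host": "WS-014", "event_id": 4688,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"time": "2026-05-31T08:05:40", "host": "WS-014", "event_id": 4688,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe"},
    {"time": "2026-05-27T13:20:05", "host": "WS-021", "event_id": 4688,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"time": "2026-05-31T09:00:00", "host": "WS-003", "event_id": 4688,
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
]


def base_name(path):
    """Reduce a full image path to its lower-cased file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_any(name, patterns):
    return any(fnmatch(name, p.lower()) for p in patterns)


def run_hunt(events, hyp, now):
    """Step 7: keep only 4688 events inside the window whose parent/child
    pair matches the hypothesised behaviour."""
    start = now - hyp.window
    return [
        e for e in events
        if e["event_id"] == 4688
        and datetime.fromisoformat(e["time"]) >= start
        and matches_any(base_name(e["parent"]), hyp.parent_patterns)
        and matches_any(base_name(e["image"]), hyp.child_patterns)
    ]


def document_result(hyp, hits):
    """Step 8: a hunt with no hits is recorded as a disproven hypothesis;
    one with hits is escalated to incident response."""
    return {
        "hypothesis": hyp.name,
        "technique": hyp.technique,
        "data_source": hyp.data_source,
        "outcome": "escalate" if hits else "disproven",
        "hosts": sorted({h["host"] for h in hits}),
    }


if __name__ == "__main__":
    print(document_result(EMOTET_MACRO, run_hunt(EVENTS, EMOTET_MACRO, HUNT_TIME)))
```

The WINWORD.EXE event is a real match on behaviour but falls outside the 48-hour window, which is why the hypothesis states a timeframe: widening the window is a deliberate, documented change, not an accident of the query.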

What This Looks Like on the Job

Enterprise Scenario 1: Financial Institution Using Threat Intelligence for Fraud Prevention

A large bank receives strategic intelligence that a new banking trojan (e.g., Grandoreiro) is targeting Latin American customers via spear-phishing emails with malicious Excel attachments. The threat intelligence team processes this: they extract IOCs (hashes, C2 domains) and create STIX indicators. They push these via TAXII to the bank's SIEM (Splunk ES) and firewall (Palo Alto). The SIEM correlation search triggers on any process creation where Excel spawns a script. The firewall blocks the C2 domains. The hunting team formulates a hypothesis: 'Search for outbound connections to IPs in Brazil that are not typical for our customer base.' They use NetFlow data and find one infected workstation. Incident response contains it. Without intelligence, the bank would rely on signature updates, which might lag behind the trojan's rapid evolution. A common misconfiguration is failing to set IOC expiration: old C2 domains that are sinkholed generate false positives, causing analysts to ignore alerts.

Enterprise Scenario 2: Healthcare Provider Hunting for Ransomware

A hospital chain uses MITRE ATT&CK to map common ransomware techniques (e.g., T1486 Data Encrypted for Impact). They receive intelligence that a new ransomware variant, 'BlackCat,' uses intermittent encryption and spreads via PsExec. The threat hunting team creates a hypothesis: 'Search for PsExec execution (Event ID 4688 with Image=*\PsExec.exe) in the last 72 hours across all servers.' They use their EDR (CrowdStrike) to run the query. They find two servers where PsExec was run by an unknown account. Further investigation reveals the attacker used compromised credentials. The team isolates the servers and resets passwords. They provide feedback to the intelligence team: 'BlackCat is using PsExec but with a renamed binary; add YARA rule to detect renamed PsExec.' The hospital also configures their TIP to automatically block execution of signed PsExec binaries from untrusted sources. A pitfall: if the hunting hypothesis is too broad (e.g., 'search for any suspicious process'), it generates thousands of alerts, overwhelming the team.

Enterprise Scenario 3: Managed Security Service Provider (MSSP) with Multiple Clients

An MSSP ingests threat intelligence from 20+ feeds into a central TIP (ThreatConnect). They use TAXII to distribute client-specific intelligence. For a client in the energy sector, they filter intelligence to only include IOCs related to ICS-specific threats (e.g., TRITON malware). The hunting team runs weekly structured hunts based on the latest intelligence. For example, they search for suspicious Modbus traffic using Zeek logs. They also use the Pyramid of Pain to prioritize: they focus on detecting TTPs (e.g., use of native tools like wmic for lateral movement) rather than IP addresses. Performance consideration: the TIP must handle 100,000+ IOCs and deduplicate efficiently. A common misconfiguration is not tuning the TIP's confidence scores, leading to low-quality IOCs being blocked and causing business disruption (e.g., blocking a legitimate CDN domain that was flagged as malicious by a low-reputation feed).

How CS0-003 Actually Tests This

What CS0-003 Tests on This Topic

Objective 1.1: 'Given a scenario, apply threat intelligence and threat hunting techniques.' The exam expects you to:

Distinguish between IOC and IOA.

Identify the correct phase of the intelligence lifecycle.

Choose the appropriate hunting model (structured, unstructured, situational awareness).

Apply the Pyramid of Pain to prioritize detection.

Interpret STIX/TAXII concepts (e.g., collection vs. channel).

Map threats to MITRE ATT&CK tactics.

Use the Diamond Model for pivoting.

Understand the Cyber Kill Chain stages.

Common Wrong Answers and Why Candidates Choose Them

1. Confusing IOC with IOA: Candidates see an indicator like 'file hash' and think it's an IOA because it indicates an attack. Reality: A file hash is an IOC (evidence of compromise), not an IOA (behavior indicating an ongoing attack). The exam tests this distinction in scenario questions.

2. Choosing 'Collection' over 'Analysis' in the lifecycle: When asked what phase turns raw data into intelligence, candidates often pick 'Collection' because they think gathering data is the key step. Reality: Analysis is where raw data becomes finished intelligence. Collection is just gathering.

3. Selecting 'Unstructured Hunting' when the scenario describes a specific intelligence report: Unstructured hunting is triggered by an anomaly, not by intelligence. If the scenario says 'based on a new threat report,' the correct answer is structured hunting.

4. Misapplying the Pyramid of Pain: Candidates might think IP addresses are hardest to change because they are tied to infrastructure. Reality: IPs are easy to change (proxies, VPN), while TTPs are hardest. The exam might ask which indicator type causes the most pain for adversaries.

5. Confusing TAXII models: A question might describe a 'push' model, and candidates select 'Collection' instead of 'Channel.' Remember: Collection = pull, Channel = push.

Specific Numbers and Terms That Appear Verbatim

STIX version 2.1 is the current standard.

TAXII API endpoints: /taxii2/collections/.

Cyber Kill Chain: 7 stages (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Actions on Objectives).

MITRE ATT&CK: Over 200 techniques; exam focuses on common ones like T1566 (Phishing), T1059 (Command and Scripting Interpreter), T1047 (WMI).

Pyramid of Pain: Six levels (Hash, IP, Domain, Host/Network Artifacts, Tools, TTPs).

Edge Cases and Exceptions

False positives in intelligence: The exam may present a scenario where an IOC is legitimate but from an untrusted source. Candidates must recognize that not all IOCs are actionable; confidence scoring matters.

Hunting with no hypothesis: This is called 'unstructured hunting' and is valid when triggered by an anomaly. The exam tests that hypothesis-driven hunting is more efficient.

Negative hunting results: A hunt that finds nothing is still valuable; it disproves the hypothesis and should be documented.

Intelligence sharing restrictions: Some intelligence is classified or subject to TLP (Traffic Light Protocol). The exam may ask about appropriate sharing based on TLP color (RED, AMBER, GREEN, WHITE).

How to Eliminate Wrong Answers

If the question mentions 'proactive' and 'assume breach,' think hunting.

If it mentions 'based on a specific intelligence report,' it's structured hunting.

If it mentions 'anomalous behavior,' it's unstructured hunting.

If it asks about 'the hardest indicator for an adversary to change,' think TTPs.

If it asks about 'the phase where raw data becomes intelligence,' think Analysis.

If it asks about 'real-time detection of attack in progress,' think IOA.

If it asks about 'standardized format for sharing threat intelligence,' think STIX.

If it asks about 'protocol for exchanging intelligence,' think TAXII.

Key Takeaways

Threat intelligence is data that has been analyzed and contextualized; raw data is not intelligence.

The intelligence lifecycle: Requirements → Collection → Processing → Analysis → Dissemination → Feedback.

STIX is the standardized language for threat intelligence; TAXII is the protocol for exchanging it.

Threat hunting is proactive, hypothesis-driven, and assumes a breach already exists.

Three hunting models: structured (intelligence-driven), unstructured (anomaly-driven), situational awareness (environment change-driven).

Pyramid of Pain: TTPs are hardest for adversaries to change; hashes are easiest.

MITRE ATT&CK provides a common taxonomy for describing adversary techniques; Cyber Kill Chain describes stages of an attack.

Diamond Model: Adversary, Infrastructure, Capability, Victim — used for pivoting and analysis.

IOCs have a limited lifespan; always set expiration dates and confidence scores.

Feedback from hunting results improves intelligence quality and refines future collection.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

IOC (Indicator of Compromise)

Forensic evidence of a past breach (e.g., file hash, IP address).

Detected after compromise has occurred.

Static; can be changed by adversary easily.

Used for detection of known threats.

Example: MD5 hash of malware.exe.

IOA (Indicator of Attack)

Real-time behavior indicating an ongoing attack (e.g., process spawning unusual child).

Detected while attack is in progress.

Dynamic; adversary behavior is harder to change.

Used for proactive detection of novel threats.

Example: PowerShell connecting to an external IP without user initiation.

Watch Out for These

Mistake

Threat intelligence is only about collecting IOCs.

Correct

IOCs are just one part of tactical intelligence. Threat intelligence includes strategic, operational, and technical levels. The exam emphasizes that intelligence must provide context (who, why, how) to be actionable. Collecting IOCs without analysis is just data, not intelligence.

Mistake

Threat hunting is the same as incident response.

Correct

Incident response is reactive (triggered by an alert). Threat hunting is proactive (initiated by a hypothesis). Hunters look for threats that evaded existing controls. The exam tests this distinction: hunting is not waiting for an alert; it's actively searching.

Mistake

STIX and TAXII are interchangeable terms.

Correct

STIX is the language (content format), TAXII is the transport protocol. You can use STIX without TAXII (e.g., via email), and TAXII can transport non-STIX data (though typically STIX). The exam may ask which one defines the data structure (STIX).

Mistake

The Cyber Kill Chain and MITRE ATT&CK are the same.

Correct

The Cyber Kill Chain is a linear model of attack stages. MITRE ATT&CK is a matrix of tactics and techniques that can occur at any stage. ATT&CK is more granular. The exam expects you to know both and when to use each: Kill Chain for high-level stages, ATT&CK for detailed technique mapping.

Mistake

All IOCs should be blocked immediately without review.

Correct

IOCs from low-confidence sources can cause false positives that disrupt operations. The Pyramid of Pain teaches that blocking IPs is easy for adversaries to bypass. The exam emphasizes risk-based prioritization: verify IOCs against internal context before blocking.


Frequently Asked Questions

What is the difference between structured and unstructured threat hunting?

Structured hunting starts with a hypothesis based on threat intelligence (e.g., 'IOCs suggest APT29 is using PowerShell Empire; search for Empire stagers'). Unstructured hunting is triggered by an anomaly or curiosity (e.g., 'Why is this server beaconing to a strange IP?'). Structured is more efficient because it narrows the search space. The exam expects you to identify the correct model based on scenario descriptions.

How does TAXII work for sharing threat intelligence?

TAXII (Trusted Automated Exchange of Intelligence Information) is a protocol for exchanging STIX data over HTTPS. It has two models: Collection (client pulls data from server) and Channel (server pushes data to subscribers). Common endpoints: `/taxii2/collections/` to list collections, `/taxii2/collections/{id}/objects/` to retrieve STIX objects. The exam may ask which model is used for real-time alerting (Channel).

What is the Pyramid of Pain and how is it used?

The Pyramid of Pain ranks indicators by how difficult they are for adversaries to change. From bottom (easiest) to top (hardest): Hash Values, IP Addresses, Domain Names, Network/Host Artifacts, Tools, TTPs. The higher up, the more pain for the adversary. Defenders should focus on detecting TTPs (e.g., specific behaviors like credential dumping) rather than low-level IOCs. The exam tests this concept in prioritization questions.

What are the key components of the Diamond Model?

The Diamond Model has four core features: Adversary (the threat actor), Infrastructure (C2 servers, domains), Capability (malware, tools), and Victim (target organization). It also includes meta-features like timestamp, phase, and confidence. Analysts use it to connect related events (e.g., pivoting from a malware hash to a C2 domain used by the same adversary). The exam may ask you to identify which component is missing in a scenario.

How do I integrate threat intelligence into a SIEM?

Most SIEMs (e.g., Splunk ES, QRadar) support threat intelligence feeds via TAXII or API. In Splunk, you configure a Threat Intelligence Framework input: go to Settings > Threat Intelligence > Add New Feed, select TAXII, enter the server URL and collection ID. The SIEM then automatically downloads IOCs and correlates them with incoming events. The exam may test understanding of this integration, including the need to set expiration and confidence.

What is the role of MISP in threat intelligence?

MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform that allows organizations to share, store, and correlate IOCs. It supports STIX import/export and has a REST API for automation. The exam might ask about MISP as a tool for collaborative intelligence sharing, especially within ISACs. Key features: event creation, correlation, and automatic feed generation.

How do I create an effective hunting hypothesis?

A good hypothesis is specific, testable, and based on intelligence. It should include: the threat (e.g., 'Emotet'), the expected behavior (e.g., 'spawns wscript.exe from Outlook'), the data source (e.g., Windows Event ID 4688), and a timeframe (e.g., 'last 7 days'). Example: 'Based on recent intelligence, Emotet is delivered via malicious Excel attachments. I will search for process creation events where excel.exe spawns wscript.exe or cmd.exe in the past 48 hours.' Avoid vague hypotheses like 'look for bad stuff.'

