I recently moderated a live event (which has been recorded and can be accessed here, with registration), about how to do threat hunting using Corelight’s Investigator tool. My partner is Mark Overholser, who is their technical marketing engineer. Mark is an accomplished threat hunter and veteran of numerous Black Hat SOC tours of duty, so he has seen a lot of wonky circumstances go across his screens.

We talk about why being proactive is important in learning how to hone your investigations, how to use the MITRE ATT&CK foundation (shown above) and schema to hone your focus and guide your efforts.  (I wrote about the evolution of ATT&CK for CSO back in 2021 here), We also discuss how to drill down to suss out what is going on across your network. .

Corelight also has an excellent threat hunting guide that is keyed to the ATT&CK categories, with loads of suggestions to how you can leverage it to help in your hunts.