Advanced Threat Hunting

Turning attacker behaviour into hunt questions, telemetry requirements and practical investigation logic.

Public portfolio version: I removed names, class details and private document information. This page shows the project approach and evidence in a safe format recruiters can review.

Project focus

Threat hunting as proactive analysis

The project explained how threat hunting differs from SOC alert triage, incident response and detection engineering. The emphasis was on asking better questions before an alert exists, then proving or disproving those questions with telemetry.

My contribution

Led the core analysis

I led the work, completed the main research and produced the written deliverable. The strongest part of the work was translating security theory into testable investigation logic that a technical team could use.

Method

From behaviour to hunt logic

1. Hypothesis

Define suspicious behaviour in a way that can be tested.

2. Telemetry

Map the logs and signals needed to confirm or reject the hypothesis.

3. Hunt question

Turn the behaviour into practical questions analysts can investigate.

4. Action

Document the result, tune detections and recommend the response path.

Key Concepts Covered

  • Hypothesis-driven hunting and testable assumptions
  • IOC-based detection compared with TTP-focused hunting
  • Windows Event Logs, Sysmon, DNS logs, proxy logs, EDR process trees and cloud audit logs
  • MITRE ATT&CK T1078: Valid Accounts
  • Cyber Kill Chain critique and behaviour-based hunting

T1078 Hunt Questions

  • Are legitimate accounts logging in outside normal working patterns?
  • Are accounts performing actions beyond their usual role?
  • Are there simultaneous logins from locations that should be impossible?
  • Do privilege changes appear shortly after unusual authentication events?

Example Query Logic

  • Filter successful authentication events outside normal hours.
  • Group account activity within short time windows to detect impossible travel or unusual user-agent changes.
  • Correlate authentication events with sensitive resource access or privilege changes.
  • Reduce false positives with user baselines, VPN allowlists and multi-signal correlation.
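The four query steps above worked through in Python, as an added example rather than the project's own query logic: it runs over a handful of constructed logon and privilege-change events (the account "jdoe", the IPs, the working-hours baseline and the field names are all made up) and shows how the VPN allowlist suppresses an impossible-travel false positive while the off-hours logon from a scripted client still links to the group change that follows it.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): normalised logon and privilege-change
# events for one account over one night. Field and event names are hypothetical.
EVENTS = [
    {"ts": "2024-03-04T09:05:00", "user": "jdoe", "event": "logon_success", "ip": "10.0.5.12", "geo": "GB", "ua": "Windows NT 10.0"},
    {"ts": "2024-03-04T23:25:00", "user": "jdoe", "event": "logon_success", "ip": "10.0.5.12", "geo": "GB", "ua": "Windows NT 10.0"},
    {"ts": "2024-03-04T23:40:00", "user": "jdoe", "event": "logon_success", "ip": "203.0.113.7", "geo": "BR", "ua": "python-requests/2.31"},
    {"ts": "2024-03-04T23:52:00", "user": "jdoe", "event": "group_add", "ip": "203.0.113.7", "geo": "BR", "ua": "", "detail": "Domain Admins"},
    {"ts": "2024-03-05T00:10:00", "user": "jdoe", "event": "logon_success", "ip": "198.51.100.9", "geo": "GB", "ua": "Windows NT 10.0"},
]
BASELINE = {"jdoe": (8, 18)}      # constructed per-user working hours (24h clock)
VPN_ALLOWLIST = {"198.51.100.9"}  # constructed: corporate VPN egress, geolocates to GB

def when(e):
    return datetime.fromisoformat(e["ts"])

def hunt_t1078(events, baseline, vpn_allowlist, window=timedelta(minutes=60)):
    """Run the four query steps and return a list of findings (dicts with a 'type' key)."""
    findings, by_user = [], defaultdict(list)
    for e in sorted(events, key=when):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        start, end = baseline.get(user, (8, 18))
        logons = [e for e in evs if e["event"] == "logon_success"]
        # Step 1: successful logons outside the user's baseline working hours.
        flagged = [e for e in logons if not start <= when(e).hour < end]
        findings += [{"type": "off_hours_logon", "user": user, "ts": e["ts"], "ip": e["ip"]} for e in flagged]
        # Steps 2 and 4: compare consecutive logons inside the window; VPN egress is
        # dropped first so a VPN hop does not register as impossible travel.
        routed = [e for e in logons if e["ip"] not in vpn_allowlist]
        for prev, cur in zip(routed, routed[1:]):
            if when(cur) - when(prev) > window:
                continue
            if prev["geo"] != cur["geo"]:
                findings.append({"type": "impossible_travel", "user": user, "from": prev["geo"], "to": cur["geo"], "ts": cur["ts"]})
            if prev["ua"] != cur["ua"]:
                findings.append({"type": "user_agent_change", "user": user, "ts": cur["ts"], "ua": cur["ua"]})
        # Step 3: privilege changes shortly after a flagged logon by the same account.
        for pc in (e for e in evs if e["event"] == "group_add"):
            linked = [f["ts"] for f in flagged if timedelta(0) <= when(pc) - when(f) <= window]
            if linked:
                findings.append({"type": "priv_change_after_unusual_auth", "user": user, "ts": pc["ts"], "detail": pc["detail"], "auth_ts": linked})
    return findings

def summarise(findings):
    """Count findings by type; an account with several signal types is triaged first."""
    return dict(Counter(f["type"] for f in findings))
```

In a live hunt the EVENTS list would be replaced by normalised rows pulled from the SIEM or EDR, and BASELINE by per-user hours learned from historical logons rather than a fixed tuple.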

Recruiter Takeaway

This project shows cybersecurity reasoning, analytical writing, MITRE ATT&CK literacy and the ability to translate attacker behaviour into structured investigation work. It supports junior cybersecurity analyst, SOC analyst, QA analyst and systems analyst roles where security awareness matters.