Abstract
Modern adversaries rarely rely on a single technique. They operate across endpoints, identity systems, and cloud environments, leaving behind fragmented signals that traditional detection approaches often miss.
This training delivers a hands-on, telemetry-driven approach to modern threat hunting and detection engineering across on-premises and cloud environments.
Participants will learn core hunting methodologies, detection engineering, and hands-on log analysis using Splunk Enterprise. The course also covers malware detection with YARA and integrating threat intelligence using OpenTAXII and MISP.
Through real-world attack scenarios across On-Premises, Active Directory, and Azure, along with data-driven hunting using Python and machine learning, participants will gain practical skills to detect, investigate, and respond to advanced threats at scale.
Course Content
Module 1: Threat Hunting Foundations & Methodology
- Understand proactive threat hunting and SOC integration models
- Apply the Pyramid of Pain to prioritize detections
- Use the Diamond Model of Intrusion Analysis to analyze adversary behavior
- Perform hypothesis-driven threat hunts
- Map detections to MITRE ATT&CK techniques
Module 2: SIEM-Based Detection Engineering with Splunk
- Understand Splunk architecture, components, and data pipelines
- Write efficient SPL queries for threat hunting
- Build detections, alerts, and scalable search workflows
- Organize and manage security data for high-fidelity detection
Module 3: Malware Hunting & Detection Engineering
- Apply detection engineering principles on real APT malware samples
- Perform malware hunting using known APT toolmarks and signatures
- Integrate YARA with SIEM pipelines for automated detection
Module 4: Threat Intelligence Driven Hunting
- Leverage intelligence-driven hunting methodologies
- Understand STIX/TAXII frameworks and threat data sharing
- Enrich and correlate telemetry with IOC intelligence
- Perform hunts using real-world threat intelligence feeds
Module 5: On-Premises Threat Hunting
- Reconstruct enterprise attack paths used by APT groups
- Initial access techniques:
  - Spear-phishing attachments (APT28, APT29)
- Credential access:
  - Credential dumping (APT29)
- Lateral movement & persistence:
  - Proxy-based C2 routing and internal pivoting (APT28)
  - Registry manipulation (APT29)
  - Scheduled tasks (SideWinder, an Indian APT)
- Data exfiltration:
  - DNS queries (APT29)
  - File storage services (APT32)
- Detect long-term stealthy persistence typical of APT campaigns
Module 6: Active Directory Attack Detection & Hunting
- Analyze AD-focused attack techniques used by APT groups
- Detect identity-based attacks:
  - Pass-the-Hash, Kerberoasting, ticket abuse (APT29)
- Hunt for domain dominance techniques:
  - Privilege escalation and persistence in AD environments
- Identify abnormal behaviour:
  - Unusual authentication
  - Ticket anomalies
- Correlate AD logs with known APT behaviors and TTPs
- Build detections mapped to real-world identity attack scenarios
Module 7: Cloud Threat Hunting (Azure / Entra ID)
- Understand how APT groups target cloud and identity providers
- Analyze cloud attack paths used by APT groups:
  - Midnight Blizzard/APT29
  - Storm Blizzard/APT28
- Use Entra ID telemetry for detection and investigation of real-world cloud attack scenarios
Module 8: Advanced Data-Driven Hunting with Machine Learning
- Use Python and notebooks for large-scale hunting
- Process and analyze high-volume security datasets
- Apply anomaly detection techniques
- Visualize and investigate anomalies effectively
- Reduce false positives and improve detection accuracy
- Integrate ML-driven insights into hunting workflows
Course Learning Outcomes
By the end of this training, participants will be able to:
- Perform hypothesis-driven threat hunting using real-world threat intelligence feeds
- Build detections, alerts, and scalable search workflows in Splunk
- Write and optimize YARA rules for malware detection
- Detect identity-based attacks in Active Directory environments
- Analyze attack paths in Azure cloud environments and build detections for real-world attack scenarios
- Use Python for large-scale hunting
- Integrate ML-driven insights into hunting workflows
Prerequisites
- Basic understanding of cybersecurity concepts and attack techniques
- Familiarity with networking fundamentals (TCP/IP, DNS, HTTP/HTTPS)
- Working knowledge of operating systems (Windows/Linux basics)
- Exposure to security logs and SIEM concepts
- Basic scripting knowledge (Python preferred, but not mandatory)
- Understanding of Azure cloud fundamentals is beneficial but not mandatory
What Attendees Will Get
- Hands-on experience with real-world threat hunting scenarios
- Practical labs covering SIEM, cloud, and data-driven hunting
- Exposure to industry tools like Splunk Enterprise, OpenTAXII, and MISP
- Ready-to-use detection queries and hunting techniques
- Lab datasets and pre-configured environments for practice
- End-to-end understanding of attack paths across On-Premises, Active Directory, and Azure environments
Who Should Attend
- Security Analysts (SOC Analysts Tier 1/2/3)
- Threat Hunters and Detection Engineers
- Incident Responders and Blue Team Professionals
- Cyber Threat Intelligence Analysts
- Cloud Security Engineers
- Security Engineers and SOC Leads
- Professionals looking to transition into threat hunting roles
- Anyone interested in proactive detection and advanced threat analysis
What Students Should Bring
- Laptop with a 64-bit (AMD64/x86_64) processor architecture, minimum 16 GB RAM and 60–80 GB free disk space
- Ability to run VMware Workstation Pro hypervisor
- A modern web browser and terminal environment
Note: Systems with Apple Silicon (M-series) or other ARM-based CPUs are not supported.
What Not to Expect
- 0-day exploits
- Deep dive into malware reverse engineering or exploit development
- Fully automated “one-click” detection solutions