Building Effective Threat Hunting Queries

Oct 20, 2025 • 2 min read • Intermediate

  • Threat Hunting
  • SIEM Queries

Effective threat hunting queries help you find what automated detections miss. Here’s my approach to building them.

Start with a Hypothesis

Before writing a query, form a hypothesis about adversary behavior. Instead of “check for PowerShell activity,” try “threat actors may use encoded PowerShell commands to download payloads.”

This frames your hunt around specific TTPs rather than casting a wide net.

Build Queries That Surface Anomalies

Here’s a query for hunting suspicious PowerShell usage:

index=endpoint EventCode=1
Image="*powershell.exe"
(CommandLine="*-enc*" OR CommandLine="*DownloadString*")
| stats count by User, Computer, CommandLine
| where count < 5

This surfaces infrequent encoded commands or download strings — patterns that may indicate initial access or lateral movement attempts.

Hunt in Focused Time Windows

Start with a specific timeframe tied to your hypothesis. If investigating a potential incident, look at the hours surrounding suspicious activity. For proactive hunting, sample recent data incrementally.

Review results thoroughly. Hunting is investigative, not automated — every result deserves analysis.
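To make the mechanics of the query above and the time-window scoping in this section concrete, here is an added Python example (not code from the original post, and not a Splunk artifact) that replays the same pipeline over a handful of constructed Sysmon-style process-creation events: scope to a time window, apply the search clauses, aggregate with a count by User, Computer and CommandLine, and keep only the rare groups. The query reads as Splunk SPL, so the wildcard matching is assumed to be case-insensitive to mirror Splunk's default for string field values; the event records, user names, host names and URL are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed Sysmon-style events for illustration only, not real telemetry.
# EventCode 1 = process create, EventCode 3 = network connect.
def _evt(ts, code, image, cmdline, user, computer):
    return {
        "_time": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
        "EventCode": code,
        "Image": image,
        "CommandLine": cmdline,
        "User": user,
        "Computer": computer,
    }

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DEPLOY_CMD = ("powershell.exe -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://deploy.example.internal/bootstrap.ps1')\"")

SAMPLE_EVENTS = [
    # One-off encoded command on a workstation: rare, should be surfaced.
    _evt("2025-10-18T09:14:02", 1, PS, "powershell.exe -enc <constructed-base64-blob>", "CORP\\alice", "WS01"),
    # Same DownloadString command six times from a deployment account: frequent, dropped by count < 5.
    *[_evt(f"2025-10-18T0{h}:00:00", 1, PS, DEPLOY_CMD, "CORP\\svc_deploy", "SRV02") for h in range(1, 7)],
    # cmd.exe with "-enc" in the line: Image clause does not match, excluded.
    _evt("2025-10-18T10:00:00", 1, r"C:\Windows\System32\cmd.exe", "cmd.exe /c certutil -encode in.txt out.txt", "CORP\\bob", "WS02"),
    # Network-connection event for powershell.exe: wrong EventCode, excluded.
    _evt("2025-10-18T10:05:00", 3, PS, "powershell.exe -enc <constructed-base64-blob>", "CORP\\alice", "WS01"),
    # Interactive PowerShell with neither token: excluded.
    _evt("2025-10-18T11:00:00", 1, PS, "powershell.exe -NoProfile", "CORP\\carol", "WS03"),
    # Encoded command weeks earlier: excluded by the hunt's time window.
    _evt("2025-10-01T03:00:00", 1, PS, "powershell.exe -enc <constructed-base64-blob>", "CORP\\dave", "WS04"),
]

# Focused window tied to the hypothesis: the day around the suspicious activity.
HUNT_EARLIEST = datetime(2025, 10, 18, tzinfo=timezone.utc)
HUNT_LATEST = datetime(2025, 10, 19, tzinfo=timezone.utc)


def _glob(value, pattern):
    """Case-insensitive wildcard match, assumed to mirror Splunk's default for string fields."""
    return fnmatchcase(value.lower(), pattern.lower())


def matches_hypothesis(event):
    """The search half of the SPL: EventCode=1, a powershell.exe image, and -enc or DownloadString."""
    return (
        event["EventCode"] == 1
        and _glob(event["Image"], "*powershell.exe")
        and (_glob(event["CommandLine"], "*-enc*") or _glob(event["CommandLine"], "*DownloadString*"))
    )


def hunt(events, earliest, latest, threshold=5):
    """Time-scope, filter, 'stats count by User, Computer, CommandLine', then keep groups below threshold."""
    in_window = (e for e in events if earliest <= e["_time"] < latest)
    counts = Counter((e["User"], e["Computer"], e["CommandLine"]) for e in in_window if matches_hypothesis(e))
    return {key: n for key, n in counts.items() if n < threshold}


def run_sample_hunt(threshold=5):
    """Run the hunt over the constructed events in the focused window."""
    return hunt(SAMPLE_EVENTS, HUNT_EARLIEST, HUNT_LATEST, threshold)


if __name__ == "__main__":
    for (user, computer, cmdline), n in run_sample_hunt().items():
        print(f"{n:>3}  {user:<16} {computer:<6} {cmdline}")
```

The threshold in `| where count < 5` is a tuning knob, not a truth: raising it in `run_sample_hunt` shows the deployment account's six identical commands, which is exactly the kind of frequent, explainable activity the hunt is meant to push aside so the single unexplained encoded command stands out.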

Ask: Does This Advance the Hunt?

Each query result should either:

  • Confirm or refute your hypothesis
  • Reveal new patterns to investigate
  • Provide pivot points for deeper analysis

If you’re seeing noise without context, refine your scope or adjust your hypothesis.

Document Your Hunt

Record your hypothesis, queries used, findings, and conclusions. This creates institutional knowledge and helps you build better hunts over time. Note which patterns proved valuable and which led nowhere.

Good threat hunting queries are investigative tools, not alerts. They help you proactively search for threats hiding in your environment.

Elmer Phillips — Security Analyst