Effective threat hunting queries help you find what automated detections miss. Here’s my approach to building them.
Start with a Hypothesis
Before writing a query, form a hypothesis about adversary behavior. Instead of “check for PowerShell activity,” try “threat actors may use encoded PowerShell commands to download payloads.”
This frames your hunt around specific TTPs rather than casting a wide net.
Build Queries That Surface Anomalies
Here’s a query for hunting suspicious PowerShell usage: