Threat Hunting

5 questions · SOC Operations Language

1. An analyst develops a hypothesis that attackers may be using PowerShell to download malware, then searches SIEM data for evidence rather than waiting for automated alerts. What activity is this?
2. A threat hunter uses the MITRE ATT&CK framework to identify which techniques are relevant to a known threat actor targeting their industry, then searches for evidence of those techniques in logs. What is the threat hunter using ATT&CK for?
3. A specific file hash, IP address, or registry key that indicates a system has been compromised is called:
4. Unlike IOCs (specific artefacts), IOAs describe what an attacker is doing behaviourally — for example, 'a process injecting into a browser then making outbound HTTPS connections.' What does IOA stand for?
5. After 2 weeks of hunting with no findings, the analyst documents the scope, data sources searched, hypotheses tested, and the conclusion that the environment shows no evidence of the targeted TTP. What is this documentation?
