
Introduction to the course, SME, key topics to be covered, and call to action.
Introduction to the section, key topics to be covered, and call to action.
Explains the why, what, and how of proactive threat detection, including planning a hunt, executing a hunt, and a brief overview of the threat hunting calendar.
How to plan a proper threat hunt operation in an organization based on the THMM (Threat Hunting Maturity Model).
Introduction to different threat hunting methodologies to explore how hunting is done in real life. Here we discuss the Threat Hunting Maturity Model and how each level is achieved.
In threat hunting, understanding various data sources is essential to uncover hidden threats and anomalous behavior. Key sources include endpoint telemetry (e.g., Sysmon, EDR), which provides insights into process execution, file modifications, and network activity. Network logs (like firewall, proxy, DNS) help trace lateral movement, C2 communication, or data exfiltration attempts. Authentication logs (e.g., Windows Event Logs, Azure AD, VPN) reveal abnormal access patterns or credential misuse. Email logs detect phishing attempts or malicious attachments, while cloud logs (e.g., AWS CloudTrail, Azure Activity Logs) expose unauthorized changes in cloud infrastructure. Combining these diverse sources enables threat hunters to correlate events, build attack timelines, and identify tactics aligned with the MITRE ATT&CK framework, enhancing detection accuracy and reducing dwell time in compromised environments.
Threat hunting relies on a range of tools that help analysts detect, investigate, and respond to advanced threats. SIEM platforms like Splunk and Elastic collect and correlate logs from across the environment, offering powerful search and visualization capabilities. Threat intelligence platforms (TIPs) like MISP enrich hunts with context about IOCs and threat actor behavior. Tools like Velociraptor and Sysmon aid in live endpoint investigations and logging, while Jupyter Notebooks enable hypothesis-driven, code-based analysis.
This section will provide a high-level overview of the MITRE ATT&CK Framework and its importance in threat hunting. You'll learn what the framework is, how it organizes real-world attacker behaviors into tactics and techniques, and why it's a valuable reference for cybersecurity professionals. The section will explain how MITRE helps threat hunters map suspicious activity to known adversary methods, develop hunting hypotheses, and improve detection strategies. By the end, you'll understand how to use the framework to guide your investigations, enhance your threat visibility, and align your efforts with proven attack models used across the industry.
This section will explain how to practically use the MITRE ATT&CK Framework in threat hunting operations. You’ll learn how to align your hunting hypotheses with specific MITRE tactics and techniques.
You’ve explored the MITRE ATT&CK framework and used the Navigator but what’s next? In this video, we show you how to make ATT&CK actionable by building a Hunt Matrix that maps real-world techniques to your visibility and detection tools. Learn how to track which tactics your environment can detect, identify blind spots, and align your threat hunting with actual log sources like Sysmon, EDR, DNS, and Proxy. Whether you’re a SOC analyst or a threat hunter, this video helps you move from reading techniques to actually hunting them.
This section will introduce the foundational concepts of data science and how they relate to cybersecurity and threat hunting. You’ll learn what data science is, including core components like data collection, cleaning, analysis, and visualization. We’ll briefly explore key techniques such as statistical analysis, clustering, and anomaly detection, which help uncover hidden patterns in large datasets. The section will also touch on tools commonly used in data science, like Python, pandas, and Jupyter Notebooks. By the end, you’ll have a clear understanding of how data science empowers threat hunters to work with massive log volumes, spot outliers, and turn raw data into actionable security insights. This sets the stage for using machine learning and automation in more advanced hunting scenarios.
This section will cover how to use the Python library pandas to structure, clean, and prepare log data for threat hunting analysis. You’ll learn how to load logs from common formats like CSV and JSON, explore the data using DataFrames, and handle missing or inconsistent values. We’ll walk through key operations such as filtering specific events, converting timestamps, and normalizing fields for easier analysis. This section will also show how to merge logs from different sources and create new columns for enriched insights. By the end, you’ll be able to confidently use pandas to transform raw logs into a structured format—making it easier to detect anomalies, build hypotheses, and visualize potential threats.
This section will explain what data parsing is, how it’s performed, and why it plays a critical role in threat hunting. You’ll learn how parsing involves extracting relevant fields from raw log entries—like timestamps, IP addresses, user actions, and process names—and converting them into a structured format for analysis.
In part 2 we’ll explore common parsing techniques using tools like pandas, regular expressions, or built-in parsers in SIEMs. The section will also highlight the importance of consistent and accurate parsing to ensure logs are usable, searchable, and mappable to MITRE techniques. By the end, you’ll understand how proper data parsing enables better filtering, enrichment, correlation, and ultimately, more reliable threat detection.
This section will introduce methods for feature engineering in cybersecurity and explain how they help improve threat detection. You’ll learn how to create meaningful features from raw log data—such as session duration, process tree depth, file access frequency, or failed login counts—that can highlight abnormal behavior.
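The parsing and feature-engineering steps described in the three sections above, as an added example that is not part of the course material: it parses constructed sshd-style authentication lines with a regular expression (the line layout and the regex are assumptions for this example; real sshd output varies by distribution), converts timestamps, normalizes the user field, and then derives per-user features such as failed-login count, distinct source IPs, and whether a success followed an earlier failure. Only the Python standard library is used, so the same logic would feed a pandas DataFrame directly.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real captured data). The final line is deliberately
# not a login event, to show that unparseable lines are skipped rather than crashing.
LOG = """\
2024-03-01T08:00:01Z host1 sshd[101]: Accepted password for alice from 10.0.0.5 port 5001 ssh2
2024-03-01T08:00:07Z host1 sshd[102]: Failed password for bob from 10.0.0.9 port 5002 ssh2
2024-03-01T08:00:09Z host1 sshd[103]: Failed password for bob from 10.0.0.9 port 5003 ssh2
2024-03-01T08:00:12Z host1 sshd[104]: Failed password for bob from 198.51.100.7 port 5004 ssh2
2024-03-01T08:00:15Z host1 sshd[105]: Failed password for invalid user admin from 198.51.100.7 port 5005 ssh2
2024-03-01T08:00:20Z host1 sshd[106]: Accepted password for bob from 198.51.100.7 port 5006 ssh2
this line is not a login event and should be skipped
"""

# Regex for the constructed layout above (an assumption of this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_line(line):
    """Extract the fields of one auth line into a dict, or None if it is not a login event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Convert the timestamp string to a datetime so events can be ordered and spans computed.
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["user"] = rec["user"].lower()          # normalize so "Bob" and "bob" aggregate together
    rec["pid"] = int(rec["pid"])
    rec["port"] = int(rec["port"])
    rec["success"] = rec["outcome"] == "Accepted"
    return rec


def parse_log(text):
    """Parse every line of a log blob, dropping lines that do not match."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def build_features(records):
    """Per-user features: failure count, success count, distinct source IPs, the time span
    covered, and whether a success followed an earlier failure (a brute-force signal)."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    feats = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        failed = sum(1 for r in recs if not r["success"])
        seen_failure = False
        failed_then_success = False
        for r in recs:
            if not r["success"]:
                seen_failure = True
            elif seen_failure:
                failed_then_success = True
        feats[user] = {
            "failed": failed,
            "accepted": len(recs) - failed,
            "distinct_ips": len({r["ip"] for r in recs}),
            "span_seconds": (recs[-1]["ts"] - recs[0]["ts"]).total_seconds(),
            "failed_then_success": failed_then_success,
        }
    return feats


if __name__ == "__main__":
    for user, f in build_features(parse_log(LOG)).items():
        print(user, f)
```

Each feature is a column a hunter can later filter, plot, or feed to a model; the `failed_then_success` flag is the kind of derived feature that raw log lines never expose on their own.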
This section will explore visual techniques used to identify behavioral patterns in cybersecurity data. You’ll learn how visualization helps uncover anomalies, trends, and suspicious activities that may be missed in raw log formats.
This section will show how to use Python libraries like matplotlib and seaborn to visualize and detect patterns in log data during threat hunting. You’ll learn how to create line plots, bar charts, heatmaps, and box plots to reveal spikes in activity, time-based anomalies, or unusual user behavior. We’ll cover how to group and plot events like failed logins, process executions, or network connections to highlight trends and outliers.
Visualization techniques help transform complex security data into intuitive charts, graphs, and patterns that analysts can easily interpret.
By using heatmaps, timelines, bar charts, and network graphs, security teams can spot anomalies, track attacks, and communicate findings effectively.
A strong grasp of visualization methods enhances threat detection, incident response, and executive reporting in cybersecurity.
In this section, we will learn how to design custom visualizations using real security data. You'll choose the right chart types, like timelines, bar graphs, or heatmaps, based on the kind of threat or pattern you're investigating. By the end, you'll be able to build dashboards that help uncover anomalies and support faster decision-making during incident response.
You’ve learned what security-focused visualization is and how to build your own—but which ones actually help you hunt threats faster? In this video, we walk through real examples of powerful visualizations used by SOC analysts and threat hunters. From detecting beaconing with inter-arrival time plots to spotting lateral movement through connection graphs, we break down how visuals reveal what raw logs can't.
Introduction to the section, key topics to be covered, and call to action.
This section will introduce the concept of unsupervised learning and its relevance in cybersecurity threat hunting. You’ll learn that unsupervised learning is a type of machine learning where the model is not given labeled data—it instead tries to find hidden patterns, groupings, or anomalies on its own.
This section will explain how to use scoring metrics like precision, recall, and visual validation to evaluate the performance of threat detection models. You’ll learn what these metrics mean—precision measures how many detected threats are actually correct, while recall shows how many real threats were successfully identified.
This section will guide you through the process of identifying optimal models for cybersecurity threat detection using data science techniques. You’ll learn how to compare different machine learning models, such as decision trees, random forests, or anomaly detection algorithms.
This section will walk you through how to apply the Isolation Forest algorithm to detect login anomalies in cybersecurity data. You’ll learn how Isolation Forest works by isolating rare data points—making it effective for spotting unusual login times, IP addresses, or user behaviors without needing labeled data.
This section will explain how to identify suspicious login events using clustering techniques in cybersecurity data analysis. You’ll learn how clustering groups similar login behaviors, such as time of access, user location, and device type, into clusters, making it easier to spot outliers that don’t fit the normal pattern.
This section will demonstrate how to correlate events using different data sources to uncover complex attack patterns. You’ll learn how to combine logs from endpoints, firewalls, authentication systems, and network devices to build a timeline of attacker behavior.
This section will cover the critical challenges of noise, false positives, and model assumptions in cybersecurity threat detection. You’ll learn what noise is (irrelevant or benign data that can overwhelm your analysis) and how it leads to false positives that waste analyst time. We’ll explain how to reduce noise through data filtering, feature selection, and threshold tuning.
This section will compare and explain three popular anomaly detection techniques used in cybersecurity: Isolation Forest, Entropy Detection, and Z-Score Analysis. You’ll learn how Isolation Forest isolates anomalies based on how easily data points can be separated, making it effective for identifying rare login attempts or process executions. Entropy Detection focuses on measuring randomness in data, such as unusual file names or DNS queries, highlighting possible obfuscation or exfiltration attempts.
This section will help you understand when and why to choose a specific model or algorithm during different stages of threat hunting. You’ll learn how simpler techniques like Z-Score Analysis are ideal for quick, interpretable detection of numeric anomalies in login counts or event frequency. When dealing with high-dimensional or unlabeled data, Isolation Forest becomes valuable for detecting subtle, rare behaviors without prior knowledge.
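Two of the three techniques compared above, Z-Score Analysis and Entropy Detection, together with the precision and recall scoring from the evaluation section, as an added example that is not part of the course material. The hourly failed-login counts and the DNS labels are constructed inputs, the thresholds (z = 3.0, 3.5 bits) are assumptions chosen for this data, and Isolation Forest is left out because it needs scikit-learn. Only the Python standard library is used.

```python
import math
from collections import Counter
from statistics import mean, pstdev

# Constructed input: failed-login counts per hour for one day. Hour 12 is the planted
# anomaly; everything else sits in the normal 2-5 range.
HOURLY_FAILED_LOGINS = [3, 4, 2, 5, 3, 4, 3, 2, 4, 5, 3, 4,
                        60, 3, 2, 4, 5, 3, 4, 2, 3, 5, 4, 3]

# Constructed input: DNS query labels. The last one is a random-looking string of the
# kind produced by DGA or encoded-exfiltration subdomains.
DNS_LABELS = ["mail", "login", "x7q9v2k4m8p1n3b5"]


def zscore_outliers(values, threshold=3.0):
    """Return the indices whose z-score exceeds the threshold in absolute value.
    Z-score = (x - mean) / population stdev; one huge outlier inflates the stdev
    (the masking effect), so this is best for spotting a single gross spike."""
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        return []                      # constant series: nothing can be an outlier
    return [i for i, v in enumerate(values) if abs((v - mu) / sigma) > threshold]


def shannon_entropy(s):
    """Shannon entropy in bits per character. 'aaaa' -> 0.0, 'abcd' -> 2.0."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def flag_high_entropy(labels, threshold=3.5):
    """Labels whose per-character entropy exceeds the threshold (possible obfuscation)."""
    return [lab for lab in labels if shannon_entropy(lab) > threshold]


def precision_recall(flagged, truth):
    """Precision = flagged items that are true threats / all flagged;
    recall = true threats that were flagged / all true threats.
    Both return 0.0 rather than dividing by zero when a set is empty."""
    flagged, truth = set(flagged), set(truth)
    tp = len(flagged & truth)
    precision = tp / len(flagged) if flagged else 0.0
    recall = tp / len(truth) if truth else 0.0
    return precision, recall


if __name__ == "__main__":
    hits = zscore_outliers(HOURLY_FAILED_LOGINS)
    print("z-score anomalies at hours:", hits)
    print("precision/recall vs planted hour 12:", precision_recall(hits, {12}))
    for lab in DNS_LABELS:
        print(f"{lab:>20}  entropy={shannon_entropy(lab):.2f} bits")
    print("high-entropy labels:", flag_high_entropy(DNS_LABELS))
```

Running the detector and then scoring it against the planted ground truth is the loop the evaluation section describes: tune the threshold, re-score, and watch whether precision or recall moved.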
Introduction to the section, key topics to be covered, and call to action.
How a SIEM tool (e.g. Splunk) works and what its architecture is. In this section, you will learn how a SIEM tool like Splunk works and understand its core architecture. You'll explore how Splunk collects, indexes, and stores data from multiple sources, making it searchable in real time. This section will also cover key components such as forwarders, indexers, search heads, and how they interact to provide centralized visibility, alerting, and threat detection across your environment.
This section will introduce you to log ingestion in Splunk, a critical step in preparing data for threat hunting and analysis. You’ll learn how Splunk collects, processes, and indexes data from various sources.
Perform and write some basic SPL queries to understand how Splunk works. In this section, you will learn how to perform and write some basic SPL (Search Processing Language) queries to understand how Splunk works. You'll start with simple searches to retrieve logs, use filters to narrow down results, and apply commands like stats, timechart, and top to extract insights from the data. By the end, you'll be able to search logs by keywords, filter by time or field values, and generate basic visualizations that showcase Splunk’s powerful search capabilities.
Master Modern Threat Hunting and Cybersecurity Analytics – Detect Advanced Threats, Analyze Behavioral Patterns, and Operationalize Machine-Driven Defense
Are you ready to defend against today’s most sophisticated cyber threats? This comprehensive cybersecurity course delivers a deep, practical exploration of threat hunting in cyber security, advanced log analysis, and machine-driven analytics. You will build expertise in cyber threat hunting, enabling you to detect evasive threats, uncover behavioural anomalies, and transform raw security data into actionable intelligence using leading cyber threat hunting tools.
Through hands-on exercises, real-world case studies, and lab-driven modules, you will develop job-ready skills aligned with modern cyber threat hunting services and SOC analyst roles. This course bridges human intuition with machine learning techniques, helping you understand how AI supports proactive threat hunting and strengthens modern security operations.
You will explore a practical model for conducting cyber threat hunting, apply proven threat hunting techniques, and gain experience with real threat hunting examples used in enterprise environments. The program also introduces a structured threat hunting framework to help you design effective detection strategies.
By the end of this course, you will be able to build hypotheses, detect anomalies, and operationalize scalable cyber threat hunting workflows. You will use tools like Splunk and Jupyter Notebooks to analyze complex datasets, visualize patterns, and enhance detection capabilities across modern cybersecurity environments.
Whether you are an aspiring SOC analyst, cybersecurity professional, or learning how to become a cyber threat hunter, this course will help you stay ahead of evolving threats and strengthen your defensive capabilities. Enrol now and take the next step toward mastering modern cybersecurity analytics!