What is threat hunting in SIEM?

SIEM platforms are the primary hunting ground for most threat hunting activity. They centralize log data from across your environment into a queryable form and provide the correlation, timeline, and search capabilities hunters need to investigate hypotheses. Hunting in SIEM means writing queries to search for suspicious patterns, anomalies, and attacker behaviors across your log data. How effectively you can hunt depends heavily on what data your SIEM ingests, how well it’s tuned, and how skilled your hunters are with its query language.

The role of SIEM in threat hunting operations

SIEM platforms solve the core operational challenge of threat hunting: data is scattered across dozens of systems in your environment, and hunters need it all in one place in a form they can search. A well-configured SIEM centralizes logs from endpoints, network devices, cloud infrastructure, identity providers, and applications, making it possible to hunt across the entire environment from a single interface.

For hunters, SIEM provides three essential capabilities: historical data access (going back days, weeks, or months to find earlier evidence of activity), cross-source correlation (linking events across different systems to reconstruct attack sequences), and flexible querying (searching for patterns and anomalies in ways that static detection rules can’t).

Query languages for SIEM hunting

SIEM query languages are how hunters translate hypotheses into searches. The two most widely used are:

Kusto Query Language (KQL): Used in Microsoft Sentinel and Microsoft Defender platforms. KQL is powerful for filtering, aggregating, and correlating large datasets. It supports complex joins across tables, time-based windowing, and statistical functions useful for anomaly detection and stack counting.

Splunk Processing Language (SPL): Used in Splunk. SPL follows a pipeline structure (similar to command-line pipes) and is particularly strong for statistical analysis, report generation, and custom data transformations. Its stats command is particularly useful for stack counting and outlier detection.

Both languages reward investment. Hunters who can write complex, efficient queries can investigate vastly more ground in a given time than those limited to basic searches.

Building effective hunting queries

Effective hunting queries start from the hypothesis and work backward to the data. Before writing a query, answer: what behavior am I looking for, in which data source, over what time window, and what does it look like when it’s present vs. absent?

A query for credential-based lateral movement, for example, might look for authentication events from a specific source account to an unusual number of destination systems within a defined time window, filtering out known scheduled tasks and service accounts to reduce noise.

Good hunting queries are iterative. Start broad to understand the data landscape, then narrow based on what you see. What looks suspicious in the broad results? Dig into those. What’s clearly legitimate? Filter it out.
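The lateral-movement query described above, worked through as an added example that is not part of the original article. It runs the same stack count a SIEM would express as a summarize/stats query (in KQL, roughly `summarize dcount(DestinationHost) by Account, bin(TimeGenerated, 10m)`, which uses fixed bins rather than the sliding window used here) over a small constructed set of authentication events. The `svc_` naming convention for service accounts, the 06:00-20:00 business day and the threshold of four distinct destinations in ten minutes are all assumptions for illustration; in a real hunt they come from your environment's baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful authentication events (not real data):
# (timestamp, source account, destination host).
AUTH_EVENTS = [
    ("2024-05-01T02:03:00", "svc_backup", "fs01"),
    ("2024-05-01T02:04:00", "svc_backup", "fs02"),
    ("2024-05-01T02:05:00", "svc_backup", "fs03"),
    ("2024-05-01T02:06:00", "svc_backup", "fs04"),
    ("2024-05-01T02:07:00", "svc_backup", "fs05"),
    ("2024-05-01T09:00:00", "alice", "ws-alice"),
    ("2024-05-01T09:30:00", "alice", "mail01"),
    ("2024-05-01T23:10:00", "bob", "ws-bob"),
    ("2024-05-01T23:12:00", "bob", "fs01"),
    ("2024-05-01T23:13:00", "bob", "db01"),
    ("2024-05-01T23:15:00", "bob", "hr-app"),
    ("2024-05-01T23:16:00", "bob", "dc01"),
    ("2024-05-02T10:00:00", "bob", "ws-bob"),
]

# Assumed naming convention for service / scheduled-task accounts in this
# environment; in practice this list comes from your identity inventory.
SERVICE_ACCOUNT_PREFIX = "svc_"


def max_distinct_destinations(events, window, exclude_prefix=SERVICE_ACCOUNT_PREFIX):
    """Stack count: for each account, the largest number of distinct
    destination hosts reached inside any sliding window of length `window`.
    Returns {account: (count, window_start)}."""
    by_account = defaultdict(list)
    for ts, account, dest in events:
        if exclude_prefix and account.startswith(exclude_prefix):
            continue  # known-noisy accounts are filtered before counting
        by_account[account].append((datetime.fromisoformat(ts), dest))

    result = {}
    for account, rows in by_account.items():
        rows.sort()
        best, best_start = 0, None
        for i, (start, _) in enumerate(rows):
            dests = {d for t, d in rows[i:] if t - start <= window}
            if len(dests) > best:
                best, best_start = len(dests), start
        result[account] = (best, best_start)
    return result


def is_off_hours(ts, start_hour=6, end_hour=20):
    """Outside the assumed business day (06:00-20:00 local time)."""
    return ts.hour < start_hour or ts.hour >= end_hour


def hunt_lateral_movement(events, window_minutes=10, threshold=4):
    """Broad pass (the stack count) narrowed by a threshold, with off-hours
    activity flagged so the hunter knows what to dig into first."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for account, (count, start) in max_distinct_destinations(events, window).items():
        if count >= threshold:
            hits.append({
                "account": account,
                "distinct_destinations": count,
                "window_start": start.isoformat(),
                "off_hours": is_off_hours(start),
            })
    return sorted(hits, key=lambda h: -h["distinct_destinations"])


if __name__ == "__main__":
    for hit in hunt_lateral_movement(AUTH_EVENTS):
        print(hit)
```

Running it surfaces only `bob` (five distinct hosts in six minutes, late at night); `svc_backup` touches the same number of hosts but is excluded up front, and `alice` never exceeds one destination per window. Dropping the exclusion (`exclude_prefix=None`) is the "start broad" pass; adding it back is the "filter out what is clearly legitimate" step.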

Critical SIEM data sources for hunting

The value of SIEM-based hunting depends directly on what data sources are flowing in. The most important for hunting:

  • Authentication and identity logs: Login events, privilege escalation, account creation, and password changes. Critical for detecting credential-based attacks, lateral movement, and persistence mechanisms.
  • Endpoint process and file logs: Process creation, file modifications, and registry changes from endpoints. Essential for detecting malware execution, living-off-the-land techniques, and persistence.
  • Network flow and DNS logs: Connection records and DNS queries. Valuable for detecting command-and-control traffic, data exfiltration, and lateral movement.
  • Cloud audit logs: API calls, configuration changes, and resource access in cloud environments. Increasingly critical as attacks target cloud infrastructure.
  • Email logs: Message flow, attachment metadata, and link clicking. Valuable for hunting phishing campaigns and initial access through email.

SIEM hunting use cases and examples

Lateral movement detection: Query authentication logs for accounts making successful logins to an unusual number of systems within a short window, particularly systems they haven’t accessed before and during off-hours.

Credential harvesting: Look for processes that typically indicate credential dumping tools (like LSASS memory access patterns) in endpoint logs, filtered against known legitimate administrative activity.

Living-off-the-land (LOTL) persistence: Search for scheduled tasks, services, or registry run keys created recently that don’t match your known-good baseline, particularly those executing scripts or encoded commands.

DNS-based C2 detection: Identify systems making unusually high volumes of DNS queries, particularly to newly registered domains or domains with randomized subdomains (common in domain generation algorithm-based C2).
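The DNS-based C2 use case above, as an added example that is not code from the original article. It profiles a constructed DNS query log per client host and flags two of the signals the text names: unusually high query volume, and many randomized-looking subdomains under one registered domain (the domain generation algorithm pattern). The entropy and length cut-offs, the "last two labels" approximation of a registered domain and the constructed `sync-cdn.test` domain are assumptions; newly-registered-domain age is deliberately left out because it needs external enrichment data the log itself does not carry.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not real data): (client host, queried name).
DNS_LOG = [
    ("ws-01", "www.example.com"),
    ("ws-01", "mail.example.com"),
    ("ws-01", "login.example.com"),
    ("ws-01", "www.example.com"),
    ("ws-02", "www.example.com"),
    ("ws-02", "updates.vendor.test"),
    ("ws-07", "k3j9x2q1w7b5.sync-cdn.test"),
    ("ws-07", "p0z8m4n7r2t6.sync-cdn.test"),
    ("ws-07", "a9s8d7f6g5h4.sync-cdn.test"),
    ("ws-07", "q1w2e3r4t5y6.sync-cdn.test"),
    ("ws-07", "z0x9c8v7b6n5.sync-cdn.test"),
    ("ws-07", "m1k2j3h4g5f6.sync-cdn.test"),
    ("ws-07", "www.example.com"),
]


def shannon_entropy(label):
    """Bits of entropy per character; generated labels score high,
    dictionary words such as 'www' or 'mail' score low."""
    if not label:
        return 0.0
    n = len(label)
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumed approximation: the last two labels. Production code should
    use the public suffix list so names like example.co.uk group correctly."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def looks_random(label, min_len=10, min_entropy=3.0):
    """Heuristic cut-offs (assumed): long and high-entropy leftmost label."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def profile_hosts(log):
    """Per host: total query volume, plus the set of randomized-looking
    leftmost labels observed under each registered domain."""
    profile = defaultdict(lambda: {"queries": 0, "random_subdomains": defaultdict(set)})
    for host, qname in log:
        p = profile[host]
        p["queries"] += 1
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) > 2 and looks_random(labels[0]):
            p["random_subdomains"][registered_domain(qname)].add(labels[0])
    return profile


def hunt_dns_c2(log, min_random_subdomains=5, volume_threshold=None):
    """Flag hosts with many distinct random subdomains under one domain,
    and optionally hosts whose raw query volume exceeds a threshold
    (in practice the threshold should come from a per-host baseline)."""
    findings = []
    for host, p in profile_hosts(log).items():
        for domain, subs in p["random_subdomains"].items():
            if len(subs) >= min_random_subdomains:
                findings.append({"host": host, "reason": "randomized_subdomains",
                                 "domain": domain, "count": len(subs)})
        if volume_threshold is not None and p["queries"] > volume_threshold:
            findings.append({"host": host, "reason": "high_query_volume",
                             "domain": None, "count": p["queries"]})
    return sorted(findings, key=lambda f: (f["host"], f["reason"]))


if __name__ == "__main__":
    for finding in hunt_dns_c2(DNS_LOG, volume_threshold=5):
        print(finding)
```

On the sample log only `ws-07` is reported: six distinct high-entropy labels under `sync-cdn.test`, and a query volume above the (assumed) threshold when one is supplied. The same shape in KQL or SPL is a group-by on client and registered domain with a distinct count of the leftmost label; the entropy scoring is the part you would typically add as a custom function or enrichment.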

Best practices for SIEM-based hunting

Hunt from baselines, not rules. Rules define what you know is bad. Baselines define what normal looks like. The most valuable SIEM hunting searches for deviations from your specific environment’s normal behavior, which requires investing in building and maintaining those baselines.
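A baseline-driven hunt of the kind this paragraph recommends, applied to the LOTL persistence use case (scheduled tasks, services and run keys that are new relative to a known-good baseline, with script or encoded-command launches prioritised). This is an added example, not the article's own code. Both inventories are constructed, the `\Users\<name>\` path canonicalisation is an assumed convention, and the script and encoded-command hints are a coarse, illustrative subset; a real library of such checks would be tuned to your environment.

```python
import re

# Constructed persistence-artifact inventories (not real data):
# (host, artifact kind, artifact name, command line).
BASELINE_EVENTS = [
    ("ws-01", "scheduled_task", "Adobe Updater", r"C:\Program Files\Adobe\updater.exe /silent"),
    ("ws-02", "scheduled_task", "Adobe Updater", r"C:\Program Files\Adobe\updater.exe /silent"),
    ("ws-01", "run_key", "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("srv-01", "service", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
]
CURRENT_EVENTS = [
    # same artifact as baseline, differing only in case and spacing
    ("ws-03", "scheduled_task", "Adobe  Updater", r"c:\program files\adobe\updater.exe /silent"),
    ("ws-02", "scheduled_task", "SysHealth", r"powershell.exe -EncodedCommand <base64-placeholder>"),
    ("ws-02", "run_key", "OneDriveSync", r"wscript.exe C:\Users\bob\AppData\Roaming\sync.vbs"),
    ("srv-02", "service", "VendorAgent", r"C:\Program Files\Vendor\agent.exe"),
    # same OneDrive run key as baseline, just a different user profile path
    ("ws-04", "run_key", "OneDrive", r"C:\Users\carol\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]


def normalize(text):
    """Canonical form so cosmetic differences do not register as 'new':
    case, whitespace, and per-user profile paths (assumed convention)."""
    text = re.sub(r"\s+", " ", text.strip().lower())
    return re.sub(r"\\users\\[^\\]+\\", r"\\users\\*\\", text)


def build_baseline(events):
    """Known-good set keyed on (kind, name, command); host-independent so a
    standard artifact appearing on a newly built host is not a finding."""
    return {(kind, normalize(name), normalize(cmd)) for _, kind, name, cmd in events}


# Coarse, illustrative hints (assumed); tune to what is normal for you.
SCRIPT_HINTS = (".ps1", ".vbs", ".js", ".bat", ".hta", "wscript", "cscript", "mshta")
ENCODED_RE = re.compile(r"\s-e(nc(odedcommand)?)?\s")  # common PowerShell spellings


def is_script_or_encoded(command):
    cmd = normalize(command)
    return any(h in cmd for h in SCRIPT_HINTS) or ENCODED_RE.search(cmd) is not None


def hunt_new_persistence(baseline_events, current_events):
    """Everything not in the baseline is a deviation; script and encoded
    launches are ranked first for the analyst."""
    baseline = build_baseline(baseline_events)
    findings = []
    for host, kind, name, cmd in current_events:
        if (kind, normalize(name), normalize(cmd)) in baseline:
            continue
        findings.append({
            "host": host, "kind": kind, "name": name, "command": cmd,
            "priority": "high" if is_script_or_encoded(cmd) else "low",
        })
    return findings


if __name__ == "__main__":
    for f in hunt_new_persistence(BASELINE_EVENTS, CURRENT_EVENTS):
        print(f["priority"], f["host"], f["kind"], f["name"], "->", f["command"])
```

Three of the five current artifacts are new; two launch a script or an encoded command and come out as high priority, while the new vendor service is reported at low priority for review. The two that match the baseline only after normalisation show why the baseline has to be maintained as canonical data rather than raw strings.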

Keep a hunting query library. Document effective queries and reuse them. A library of tested, environment-specific queries significantly accelerates future hunts and builds institutional knowledge.

Integrate threat intelligence. Connect threat intelligence to your SIEM so that new indicators can be quickly searched against historical and real-time data. Many SIEM platforms support native threat intelligence integration.

Validate your data sources regularly. Hunting in a SIEM that has silent data source failures produces false confidence. Before running a hunt, verify that the data sources your hypothesis requires are actually flowing correctly.

Integrating SIEM with other hunting tools

SIEM works best as the central hunting hub connected to more specialized tools. EDR platforms provide deeper endpoint telemetry than most SIEMs store natively. Hunters often start a hypothesis in SIEM and pivot to EDR for detailed endpoint forensics. Threat intelligence platforms enrich SIEM data with context about known indicators and attacker behaviors. Network detection tools add visibility into traffic patterns that SIEM log data doesn’t fully capture.

The most effective SIEM hunting setups allow easy pivoting between tools. You’ll start a query in SIEM, click through to EDR for endpoint detail, and enrich findings with threat intel without losing the investigation thread.

Frequently asked questions

Can I threat hunt with just a SIEM and no EDR?

Yes, but with limitations. SIEM-based hunting using log data can surface many threat indicators—authentication anomalies, network behavior, process execution (if endpoint logs are flowing in). Without EDR, you lose deep endpoint telemetry (memory artifacts, fine-grained process trees, file system changes) that’s often needed for definitive confirmation of endpoint-based attacks. Log-based SIEM hunting is a meaningful starting point; adding EDR data significantly expands what you can find.

What SIEM is best for threat hunting?

This depends on your environment and team. Microsoft Sentinel is strong for Microsoft-centric environments and has grown quickly in hunting capability, particularly with its built-in UEBA and threat intelligence integration. Splunk has the broadest ecosystem of hunting content, apps, and community resources. Google Security Operations is designed for high-volume log ingestion at cloud scale. Evaluate based on your data volumes, existing environment, and which query language your team has (or can build) proficiency in.

How do I know if my SIEM data is good enough to hunt in?

Check three things: completeness (are all expected data sources actually flowing in?), accuracy (are events parsing correctly with expected field values?), and timeliness (are events arriving promptly enough for real-time hunting?). A hunt built on incomplete or delayed data can produce false confidence. Run a data quality check before major hunts.
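The three-part data quality check from this answer, together with the "validate your data sources regularly" practice earlier on the page, as an added example (not the article's own code). It evaluates a constructed ingestion snapshot against per-source expectations for completeness (is the source present and sending at all?), timeliness (is the newest event within the allowed lag?) and accuracy (parse failure rate and presence of the fields a hunt needs), then gates a hunt on the sources its hypothesis depends on. Source names, lag limits, field names and the 5% parse-failure tolerance are all assumptions; a real SIEM exposes this information through its own ingestion or health tables.

```python
from datetime import datetime, timedelta

# Assumed expectations per data source: how stale is too stale, and which
# parsed fields a hunt needs. Constructed for this example.
EXPECTED_SOURCES = {
    "windows_security": {"max_lag": timedelta(minutes=15),
                         "required_fields": {"Account", "Computer", "EventID"}},
    "dns": {"max_lag": timedelta(minutes=5),
            "required_fields": {"ClientIP", "QueryName"}},
    "cloud_audit": {"max_lag": timedelta(minutes=30),
                    "required_fields": {"Identity", "Operation"}},
    "edr_process": {"max_lag": timedelta(minutes=10),
                    "required_fields": {"ProcessName", "ParentProcess"}},
}

# Constructed snapshot of what the SIEM actually ingested in the last hour.
INGEST_STATUS = {
    "windows_security": {"last_event": "2024-05-01T12:00:00", "events_1h": 52000,
                         "parse_failures_1h": 40,
                         "fields_seen": {"Account", "Computer", "EventID", "LogonType"}},
    "dns": {"last_event": "2024-05-01T10:10:00", "events_1h": 0,
            "parse_failures_1h": 0, "fields_seen": set()},
    "cloud_audit": {"last_event": "2024-05-01T11:58:00", "events_1h": 800,
                    "parse_failures_1h": 300, "fields_seen": {"Identity"}},
    # "edr_process" is absent entirely: the silent collector failure case.
}
NOW = datetime.fromisoformat("2024-05-01T12:05:00")
MAX_PARSE_FAILURE_RATE = 0.05  # assumed tolerance


def check_sources(expected, status, now):
    """Return {source: [problem, ...]}; an empty list means the source is healthy."""
    problems = {}
    for source, spec in expected.items():
        issues = []
        s = status.get(source)
        if s is None:
            problems[source] = ["completeness: source not present in SIEM"]
            continue
        lag = now - datetime.fromisoformat(s["last_event"])
        if lag > spec["max_lag"]:
            issues.append(f"timeliness: stale, last event {lag} ago (max {spec['max_lag']})")
        if s["events_1h"] == 0:
            issues.append("completeness: no events in the last hour")
        else:
            rate = s["parse_failures_1h"] / s["events_1h"]
            if rate > MAX_PARSE_FAILURE_RATE:
                issues.append(f"accuracy: parse failure rate {rate:.1%}")
        missing = spec["required_fields"] - s["fields_seen"]
        if missing:
            issues.append(f"accuracy: required fields missing: {sorted(missing)}")
        problems[source] = issues
    return problems


def ready_to_hunt(required_sources, expected, status, now):
    """Gate a hunt on the sources its hypothesis needs.
    Returns (ok, {source: [problems]}) listing only the blocking sources."""
    problems = check_sources(expected, status, now)
    blocking = {}
    for src in required_sources:
        issues = problems.get(src, ["completeness: source not defined in expectations"])
        if issues:
            blocking[src] = issues
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    ok, blocking = ready_to_hunt(["windows_security", "dns", "edr_process"],
                                 EXPECTED_SOURCES, INGEST_STATUS, NOW)
    print("ready:", ok)
    for src, issues in blocking.items():
        print(src, "->", "; ".join(issues))
```

On the sample snapshot a hunt that needs only Windows security events is cleared, while one that also needs DNS and EDR process data is blocked: DNS is stale and empty, and the EDR source is missing altogether. The cloud audit source is present and timely but would still block a cloud hunt, since a 37.5% parse failure rate and a missing `Operation` field are exactly the kind of accuracy problem that produces false confidence.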

What’s the relationship between SIEM detection rules and threat hunting?

Detection rules are automated. They run continuously and alert when specific patterns match. Hunting is analyst-driven—it investigates hypotheses that rules don’t cover. The relationship is cyclical: hunting finds threats that rules missed, those findings generate new rule ideas, new rules catch future instances automatically, freeing hunting capacity to investigate new unknowns.