VENDOR HUNTING OPERATIONS

Platform-specific hunting procedures and queries


>> HUNTING OPERATIONS GUIDE


This guide provides platform-specific hunting procedures for common security operations. Each section includes:



>> COVERED PLATFORMS


EDR PLATFORMS

• CrowdStrike Falcon
• Microsoft Defender for Endpoint
• SentinelOne
• Check Point Harmony Endpoint
• Carbon Black
• Cortex XDR

SIEM PLATFORMS

• Splunk
• Elastic/ELK Stack
• Microsoft Sentinel
• QRadar (coming soon)
• LogRhythm (coming soon)

NETWORK TOOLS

• Zeek/Bro
• Wireshark (coming soon)
• Suricata (coming soon)
• Palo Alto (coming soon)


💡 PRO TIP: Bookmark this page for quick reference during incident response. All queries are tested and production-ready.

>> CROWDSTRIKE FALCON HUNTING


EDR CLOUD

Note: the queries in this section are written against the Microsoft Defender Advanced Hunting schema (DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceLogonEvents, DeviceRegistryEvents). Falcon's Event Search does not expose those tables, so treat them as the hunting logic to reproduce in Falcon's own query language rather than as text to paste in unchanged.

📁 Search for Specific Files
Steps:
  1. Navigate to Investigate > Event Search
  2. Click Edit as Query to enter advanced mode
  3. Use the query below to search for files
  4. Adjust time range (default: 24 hours)
  5. Click Run Query
KUSTO QUERY
DeviceEvents
| where Timestamp > ago(7d)
| where FileName =~ "suspicious.exe"
| project Timestamp, DeviceName, FolderPath, FileName, SHA256, InitiatingProcessFileName
| order by Timestamp desc
💡 PRO TIP: Use =~ for case-insensitive matching. Use == for exact case-sensitive matching.
⚙️ Hunt for Running Processes
KUSTO QUERY
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe")
| where ProcessCommandLine contains "invoke"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| order by Timestamp desc
💡 PRO TIP: Use contains for substring matching, has for whole word matching.
🌐 Network Connections to External IPs
KUSTO QUERY
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIPType == "Public"
| where RemotePort in (22, 443, 8080)
| summarize ConnectionCount=count() by DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
| where ConnectionCount > 10
| order by ConnectionCount desc
🔐 Failed Login Attempts
KUSTO QUERY
DeviceLogonEvents
| where Timestamp > ago(24h)
| where ActionType == "LogonFailed"
| summarize FailedAttempts=count() by DeviceName, AccountName, LogonType
| where FailedAttempts >= 5
| order by FailedAttempts desc
🔑 Registry Key Modifications
KUSTO QUERY
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey has_any ("Run", "RunOnce", "Startup")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| order by Timestamp desc
⚠️ PERFORMANCE WARNING: Queries spanning more than 30 days may time out. Use time filters aggressively for faster results.

>> CHECK POINT HARMONY ENDPOINT


EDR ON-PREM/CLOUD


📁 Search for Files
Steps:
  1. Navigate to Endpoints > Forensics
  2. Click File Search tab
  3. Enter file name or path in search box
  4. Select target endpoints or use "All Endpoints"
  5. Choose search criteria:
    • File Name: Exact or wildcard (*suspicious*.exe)
    • File Path: Full path or partial
    • File Hash: MD5, SHA1, or SHA256
  6. Click Search and wait for results
💡 PRO TIP: File search can take 5-10 minutes for large deployments. Use hash search for faster, more accurate results.
EXAMPLE SEARCH
File Name: *mimikatz*
File Path: C:\Users\*\Downloads\*
File Hash: 4a5e9b8c7d6f3a2b1c0d9e8f7a6b5c4d
⚙️ Process Investigation
Steps:
  1. Go to Forensics > Process Investigation
  2. Select time range (last 24h, 7 days, custom)
  3. Filter by:
    • Process Name: powershell.exe, cmd.exe, etc.
    • Command Line: Partial command line search
    • Parent Process: Filter by parent process
    • User: Filter by account name
  4. Review process tree for suspicious parent-child relationships
🌐 Network Activity Investigation
Steps:
  1. Navigate to Network Activity tab
  2. Select endpoint(s) to investigate
  3. Filter by:
    • Remote IP: Specific external IP
    • Remote Port: 22, 443, 3389, etc.
    • Protocol: TCP, UDP
    • Process: Which process initiated connection
  4. Look for unusual ports or foreign IPs
  5. Export results to CSV for further analysis
💡 PRO TIP: Use the "Group by Remote IP" view to identify beaconing behavior - repeated connections to the same IP at regular intervals.
📊 Event Correlation Query
Advanced Query Builder:
  1. Click Advanced Query
  2. Build query with multiple conditions:
    Event Type: Process Creation
    AND Process Name: contains "powershell"
    AND Command Line: contains "bypass"
    Time Range: Last 7 days
  3. Add additional filters as needed
  4. Save query for reuse
⚠️ IMPORTANT: Check Point Harmony requires endpoints to be online for real-time forensics. Offline endpoints won't return results.

>> MICROSOFT DEFENDER FOR ENDPOINT


EDR CLOUD


🔍 Advanced Hunting - File Search
KQL QUERY
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName =~ "suspicious.exe" or SHA256 == "hash_here"
| project Timestamp, DeviceName, FolderPath, FileName, SHA256, InitiatingProcessFileName
| order by Timestamp desc
⚙️ PowerShell Execution Hunting
KQL QUERY
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("bypass", "encodedcommand", "invoke-expression")
| project Timestamp, DeviceName, ProcessCommandLine, AccountName, InitiatingProcessFileName
🌐 Suspicious Network Connections
KQL QUERY
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIPType == "Public"
| where RemotePort in (22, 3389, 4444, 5555)
| extend GeoInfo = geo_info_from_ip_address(RemoteIP)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, Country=tostring(GeoInfo.country)
| order by Timestamp desc
💡 PRO TIP: Use the geo_info_from_ip_address() function to enrich your queries with geographic data automatically.

>> SPLUNK HUNTING


SIEM ON-PREM/CLOUD


📁 Search for Files in Sysmon Logs
SPL QUERY
index=windows EventCode=11
| search TargetFilename="*suspicious.exe*"
| table _time, Computer, TargetFilename, Image, Hashes
| sort - _time
⚙️ Process Execution Hunting
SPL QUERY
index=windows EventCode=1
| search Image="*powershell.exe" CommandLine="*bypass*"
| table _time, Computer, Image, CommandLine, User, ParentImage
| sort - _time
| head 100
🌐 Network Connection Analysis
SPL QUERY
index=windows EventCode=3
| search DestinationPort IN (22, 443, 3389)
| stats count by Computer, DestinationIp, DestinationPort, Image
| where count > 10
| sort - count
📊 Statistical Anomaly Detection
SPL QUERY
index=windows EventCode=1
| bucket _time span=1h
| stats count by _time, Computer, Image
| eventstats avg(count) as avg, stdev(count) as stdev by Computer, Image
| eval threshold = avg + (2 * stdev)
| where count > threshold
| table _time, Computer, Image, count, threshold
💡 PRO TIP: This query identifies processes executing at rates 2 standard deviations above normal - excellent for detecting beaconing or automated attacks.
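The same baseline-and-threshold logic as an added, runnable example (not code from the original page): it buckets constructed Sysmon-style process-start records into hours, computes the mean and sample standard deviation per (Computer, Image) series exactly as the SPL does with eventstats, and flags hours above mean + 2 * stdev. One deliberate difference is called out in the comments: hours with no events inside a series' observed span are counted as zero, whereas the SPL bucket/stats pipeline only ever sees hours that produced at least one event, so its baseline ignores quiet hours. Hostnames, the image path and the event timestamps are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, stdev

# Constructed sample image path (not taken from the page)
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"


def build_sample_events():
    """Constructed Sysmon EventCode=1 style records: WS01 has a steady
    baseline of two starts per hour that bursts to 30 in hour 12, and
    WS02 runs a flat three starts per hour throughout."""
    base = datetime(2024, 1, 15, 0, 0, 0)
    events = []
    for h in range(12):                                   # WS01 baseline
        for m in (5, 35):
            events.append({"_time": base + timedelta(hours=h, minutes=m),
                           "Computer": "WS01", "Image": PS})
    for m in range(30):                                   # WS01 burst in hour 12
        events.append({"_time": base + timedelta(hours=12, minutes=m),
                       "Computer": "WS01", "Image": PS})
    for h in range(13):                                   # WS02 flat profile
        for m in (10, 20, 30):
            events.append({"_time": base + timedelta(hours=h, minutes=m),
                           "Computer": "WS02", "Image": PS})
    return events


def hourly_anomalies(events, k=2.0):
    """Flag (Computer, Image) hour buckets whose count exceeds mean + k * stdev.

    Mirrors: bucket _time span=1h | stats count by _time, Computer, Image
             | eventstats avg(count), stdev(count) by Computer, Image
             | where count > avg + k * stdev
    Unlike the SPL pipeline, hours with no events between a series' first
    and last observed hour are filled with zero so quiet hours shape the
    baseline too. stdev() is the sample standard deviation, as in Splunk.
    """
    counts = Counter()
    for e in events:
        hour = e["_time"].replace(minute=0, second=0, microsecond=0)
        counts[(e["Computer"], e["Image"], hour)] += 1

    # Regroup into one per-hour dict for every (Computer, Image) series
    series = {}
    for (computer, image, hour), c in counts.items():
        series.setdefault((computer, image), {})[hour] = c

    anomalies = []
    for (computer, image), per_hour in series.items():
        first, last = min(per_hour), max(per_hour)
        hours = []
        h = first
        while h <= last:                                  # zero-fill the span
            hours.append(h)
            h += timedelta(hours=1)
        values = [per_hour.get(h, 0) for h in hours]
        if len(values) < 2:                               # stdev needs >= 2 points
            continue
        avg = mean(values)
        threshold = avg + k * stdev(values)
        for h, c in zip(hours, values):
            if c > threshold:                             # strict, as in the SPL
                anomalies.append({"_time": h, "Computer": computer, "Image": image,
                                  "count": c, "threshold": round(threshold, 2)})
    return anomalies


if __name__ == "__main__":
    for a in hourly_anomalies(build_sample_events()):
        print(a["_time"], a["Computer"], a["count"], ">", a["threshold"])
```

Because the burst hour is itself part of the baseline, the threshold it has to clear is already inflated (about 19.7 here rather than the 2 you would get from the quiet hours alone); the WS02 series has zero spread, so its flat count of 3 never exceeds a threshold of exactly 3.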

>> ELASTIC/ELK STACK HUNTING


SIEM OPEN-SOURCE


🔍 Kibana Query Language (KQL)
KQL QUERY
event.code: 1 AND process.name: "powershell.exe" AND process.command_line: (*bypass* OR *encodedcommand*)
📊 Lucene Query Syntax
LUCENE QUERY
event.code:11 AND file.name:*.exe AND file.path:*\\Temp\\*
Detection Engine Rule
EQL QUERY
process where process.name == "powershell.exe" and 
  (process.command_line like "*bypass*" or 
   process.command_line like "*encodedcommand*")
💡 PRO TIP: Use EQL (Event Query Language) for complex correlation queries. It's more powerful than KQL for threat hunting.

>> SENTINELONE HUNTING


EDR CLOUD


🔍 Deep Visibility Query - File Search
DEEP VISIBILITY QUERY
EventType = "File Creation" AND TgtFileName ContainsCIS "suspicious.exe"
⚙️ Process Execution Query
DEEP VISIBILITY QUERY
EventType = "Process Creation" AND (
  SrcProcName ContainsCIS "powershell.exe" OR 
  SrcProcName ContainsCIS "cmd.exe"
) AND SrcProcCmdLine ContainsCIS "bypass"
💡 PRO TIP: Use ContainsCIS for case-insensitive contains, Contains for case-sensitive.

>> MICROSOFT SENTINEL


SIEM CLOUD


🔍 KQL Hunting Queries
KQL QUERY
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4688
| where Process has "powershell.exe"
| where CommandLine has_any ("bypass", "encodedcommand")
| project TimeGenerated, Computer, Account, Process, CommandLine
📊 Cross-Table Correlation
KQL QUERY
let suspiciousProcesses = 
    SecurityEvent
    | where EventID == 4688
    | where Process has "powershell.exe"
    | project TimeGenerated, Computer, Account;
let networkConnections = 
    CommonSecurityLog
    | where DeviceVendor == "Palo Alto Networks"
    | project TimeGenerated, Computer=SourceIP;
suspiciousProcesses
| join kind=inner (networkConnections) on Computer
// after the join the right-hand table's TimeGenerated is renamed TimeGenerated1
| where abs(datetime_diff('minute', TimeGenerated, TimeGenerated1)) < 5
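The time-windowed inner join above, as an added example in Python rather than code from the original page: it indexes network flows per host, sorts them, and for each process start binary-searches the flows that fall strictly inside a +/- 5 minute window, which is the same result as the join followed by the datetime_diff filter without materializing the full per-host cross product first. The row shapes (TimeGenerated, Computer, Account, DestinationIP), hostnames and addresses are constructed sample data; the example assumes both sides already carry the same host key, which is also what the query's Computer=SourceIP rename relies on.

```python
from bisect import bisect_left, bisect_right
from collections import defaultdict
from datetime import datetime, timedelta


def _t(hh, mm, ss=0):
    return datetime(2024, 1, 15, hh, mm, ss)


def build_sample_tables():
    """Constructed rows standing in for SecurityEvent (4688) and CommonSecurityLog."""
    processes = [
        {"TimeGenerated": _t(10, 0), "Computer": "WS01", "Account": "CORP\\alice",
         "CommandLine": "powershell.exe -nop -w hidden"},
        {"TimeGenerated": _t(11, 0), "Computer": "WS03", "Account": "CORP\\bob",
         "CommandLine": "powershell.exe Get-Date"},        # host with no flows
    ]
    flows = [
        {"TimeGenerated": _t(9, 55), "Computer": "WS01", "DestinationIP": "203.0.113.8"},     # exactly 5 min before: excluded
        {"TimeGenerated": _t(10, 3), "Computer": "WS01", "DestinationIP": "203.0.113.7"},     # inside the window
        {"TimeGenerated": _t(10, 4, 30), "Computer": "WS01", "DestinationIP": "203.0.113.9"}, # inside the window
        {"TimeGenerated": _t(10, 30), "Computer": "WS01", "DestinationIP": "198.51.100.20"},  # too late
        {"TimeGenerated": _t(10, 1), "Computer": "WS02", "DestinationIP": "203.0.113.7"},     # wrong host
    ]
    return processes, flows


def correlate_within_window(processes, flows, window_minutes=5):
    """Inner-join process starts to flows on Computer, keeping pairs whose
    timestamps are strictly less than window_minutes apart in either direction."""
    window = timedelta(minutes=window_minutes)

    # Per-host sorted index so each process event costs two binary searches
    by_host = defaultdict(list)
    for f in flows:
        by_host[f["Computer"]].append(f)
    index = {}
    for host, rows in by_host.items():
        rows.sort(key=lambda r: r["TimeGenerated"])
        index[host] = ([r["TimeGenerated"] for r in rows], rows)

    matches = []
    for p in processes:
        if p["Computer"] not in index:
            continue
        times, rows = index[p["Computer"]]
        # bisect_right on the lower bound and bisect_left on the upper bound
        # exclude flows sitting exactly on the window edge
        lo = bisect_right(times, p["TimeGenerated"] - window)
        hi = bisect_left(times, p["TimeGenerated"] + window)
        for f in rows[lo:hi]:
            matches.append({
                "Computer": p["Computer"], "Account": p["Account"],
                "ProcessTime": p["TimeGenerated"], "FlowTime": f["TimeGenerated"],
                "DestinationIP": f["DestinationIP"],
                "DeltaSeconds": (f["TimeGenerated"] - p["TimeGenerated"]).total_seconds(),
            })
    return matches


if __name__ == "__main__":
    procs, net = build_sample_tables()
    for m in correlate_within_window(procs, net):
        print(m["Computer"], m["Account"], m["DestinationIP"], m["DeltaSeconds"])
```

The window is the part worth tuning: a process that spawns a long-lived child will show its outbound traffic well after the 4688 event, so a one-sided window (flows after the start only, but for longer) is often a better fit than a symmetric one.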

>> ZEEK/BRO NETWORK HUNTING


NETWORK OPEN-SOURCE


🌐 HTTP Log Analysis
ZEEK-CUT COMMAND
cat http.log | zeek-cut id.orig_h id.resp_h method host uri | grep -i "suspicious"
🔐 SSL/TLS Certificate Hunting
ZEEK-CUT COMMAND
cat ssl.log | zeek-cut id.orig_h id.resp_h server_name | grep -v "google.com\|microsoft.com\|amazon.com"
📊 DNS Query Analysis
ZEEK-CUT COMMAND
cat dns.log | zeek-cut id.orig_h query | sort | uniq -c | sort -rn | head -20
💡 PRO TIP: Pipe Zeek logs into jq for JSON parsing if you're using JSON output format: cat conn.log | jq -r '. | select(.duration > 3600)'
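A worked example in Python, added here and not part of the original page, that does two things the section describes with shell one-liners and the Check Point section describes as a manual "Group by Remote IP" review: it parses Zeek's default TSV log format (honouring the #separator and #fields headers and the "-" unset marker), then groups conn.log records by source/destination pair and flags pairs whose inter-arrival intervals are nearly constant, which is the beaconing pattern of repeated connections at regular intervals. It also applies the conn.log duration filter from the jq tip. The conn.log content, addresses, UIDs, the minimum-connections count and the coefficient-of-variation cutoff are all constructed or assumed values, not Zeek defaults.

```python
from collections import defaultdict
from statistics import mean, pstdev


def parse_zeek_tsv(text):
    """Parse Zeek's TSV log format into a list of dicts.

    Reads the separator from the #separator line (written escaped, e.g. \\x09),
    takes column names from #fields, skips the other metadata lines
    (#set_separator, #types, #open, #close, ...) and maps the unset marker
    "-" to None so callers can tell "absent" from a real value.
    """
    sep = "\t"
    fields = None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            sep = bytes(line.split(" ", 1)[1], "ascii").decode("unicode_escape")
            continue
        if line.startswith("#fields"):
            fields = line.split(sep)[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split(sep)
        rows.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return rows


def beacon_candidates(rows, min_conns=6, max_cv=0.2):
    """Return source/destination pairs whose connection start times are evenly spaced.

    For each pair with at least min_conns connections, compute the gaps
    between consecutive ts values; a coefficient of variation (stdev / mean)
    below max_cv means the spacing is close to constant. Both thresholds are
    illustrative assumptions to tune against your own traffic.
    """
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["id.orig_h"], r["id.resp_h"])].append(float(r["ts"]))
    found = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m <= 0:
            continue
        cv = pstdev(gaps) / m
        if cv < max_cv:
            found.append({"pair": pair, "connections": len(stamps),
                          "mean_interval": round(m, 1), "cv": round(cv, 3)})
    return found


def long_connections(rows, min_duration=3600.0):
    """conn.log rows longer than min_duration seconds; unset durations are skipped."""
    return [r for r in rows if r["duration"] is not None and float(r["duration"]) > min_duration]


def build_sample_conn_log():
    """Constructed conn.log: a 60-second beacon with small jitter, an irregular
    client to a second server, one two-hour SSH session and one unset duration."""
    fields = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "duration"]
    header = ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
              "#unset_field\t-", "#path\tconn", "#fields\t" + "\t".join(fields)]
    base = 1700000000
    rows = []
    for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0, -1, 1]):
        rows.append([f"{base + 60 * i + jitter}.000000", f"Cbeac{i}", "10.0.0.5",
                     str(50000 + i), "203.0.113.7", "443", "tcp", "0.2"])
    for i, off in enumerate([5, 37, 400, 1210, 1220, 2900]):
        rows.append([f"{base + off}.000000", f"Cweb{i}", "10.0.0.5",
                     str(51000 + i), "198.51.100.20", "443", "tcp", "1.5"])
    rows.append([f"{base + 100}.000000", "Clong0", "10.0.0.9", "52000", "198.51.100.33", "22", "tcp", "7200.0"])
    rows.append([f"{base + 200}.000000", "Cunset0", "10.0.0.9", "52001", "198.51.100.34", "53", "udp", "-"])
    lines = header + ["\t".join(r) for r in rows] + ["#close\t2023-11-14-22-16-40"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    records = parse_zeek_tsv(build_sample_conn_log())
    for b in beacon_candidates(records):
        print("beacon-like:", b)
    for r in long_connections(records):
        print("long session:", r["uid"], r["id.orig_h"], "->", r["id.resp_h"], r["duration"])
```

The coefficient of variation is what separates a scheduled beacon from a busy but human-driven client: the ten connections to 203.0.113.7 land about 60 seconds apart with a CV near 0.03, while the six connections to 198.51.100.20 are spread over gaps from 10 seconds to nearly half an hour. If Zeek is writing JSON instead of TSV, replace the parser with one json.loads per line and the two analysis functions work unchanged.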