<h1>Tips for Effective Threat Hunting</h1>
<p><em>McAfee Labs blog, published October 18, 2017, by Nina Smith. This blog was co-written by Ramnath Venugopalan.</em></p>
<p>In May, McAfee surveyed more than 700 IT and security professionals around the world to better understand how threat hunting is used in organizations and how they hope to enhance their threat hunting capabilities. You can read the full study: <a href="https://www.mcafee.com/common/js/asset_redirect.html?utm_campaign=OO_ES_17Q3&amp;utm_source=mcafeeblog&amp;utm_medium=social&amp;eid=17OO_ESNAQ3_WP_SO_ST&amp;elqCampaignId=20037&amp;url=https://www.mcafee.com/us/resources/reports/rp-disrupting-disruptors.pdf" target="_blank" rel="noopener"><em>Disrupting the Disruptors, Art or Science?</em></a><em> Understanding the role of threat hunters and the continuing evolution of the SOC in cybersecurity.</em></p>
<p>At the MPOWER Cybersecurity Summit, Oct. 17–19 in Las Vegas, McAfee will discuss the results of this survey and explain how our products can help customers run a next-level security operations center. We will also cover trends among threat hunters and answer questions such as:</p>
<ul>
<li>What are a threat hunter’s core tools?</li>
<li>What level is your environment at on the threat hunting maturity scale?</li>
<li>Do you want to improve on that scale?</li>
<li>What are top-tier SOCs doing that low-level SOCs are not?</li>
</ul>
<h2>One thing top-tier SOCs do is use six core logs to identify attacks:</h2>
<ul>
<li>DNS logs are one of the best sources of data within an organization. They should be compared with the various threat intelligence sources and mined for information.</li>
<li>Proxy logs are useful for exfiltration detection and forensics, identifying potential phishing attempts and suspicious domains, and identifying control server domains.</li>
<li>SMTP logs are useful, but they do not necessarily capture all details due to privacy restrictions around email content. We can use them to capture header information, though not data on attachments or embedded links.</li>
<li>Windows logs can be a very rich source of data. They can also be very noisy and come in several flavors. Timeline analysis makes the best use of these logs, and overlaying the other logs described here is the key to extracting value from them. Each Windows log sheds light on a different part of the puzzle. Some of the most valuable are:
<ul>
<li>Authentication logs</li>
<li>Security logs</li>
<li>Application logs</li>
<li>System logs</li>
</ul>
</li>
<li>DHCP logs are temporal entries that require timeline matching to correlate with log entries from other sources.</li>
<li>VPN logs are also temporal entries that require timeline matching to correlate with log entries from other sources. They are useful for detecting the theft of credentials.</li>
</ul>
<p>Each of these logs provides insight into specific parts of the incident response process. This talk will walk through each log, identify the key insights that specific data in that log can yield, and point out useful automation.</p>
<p>Are you collecting these logs? That’s only half the battle. Join us at MPOWER as we look at recent advanced persistent threat campaigns and show how these six logs can help identify breaches and create mitigations.</p>
<p>For more on threat hunting and for updates from MPOWER17, follow us on Twitter <a href="https://twitter.com/mcafee_labs" target="_blank" rel="noopener">@McAfee_Labs</a>.</p>