← threat hunter

Network Threat Hunting — Beacons, Long Connections, DNS, TLS

advanced 5h

Hunt for adversary network behavior proactively — beaconing C2, DNS tunnelling, JA3 anomalies, and long-tail connections — before any alert fires. Convert findings to Sigma rules.

After this module you will

  • Map every network log type to the hunter hypothesis it answers
  • Run a statistically rigorous beacon hunt using interval analysis and byte-size signatures
  • Hunt DNS anomalies (DGA, tunnelling, fast-flux) from hypothesis to confirmed finding
  • Build a JA3/JA4 rarity baseline and identify anomalous TLS clients
  • Convert a confirmed hunt finding into a Sigma detection rule

Module Quiz

Test your knowledge before moving on.

Take Quiz →