← threat hunter
Take Quiz →
Network Threat Hunting — Beacons, Long Connections, DNS, TLS
advanced 5h
Hunt for adversary network behavior proactively — beaconing C2, DNS tunnelling, JA3 anomalies, and long-tail connections — before any alert fires. Convert findings to Sigma rules.
After this module you will
- › Map every network log type to the hunter hypothesis it answers
- › Run a statistically rigorous beacon hunt using interval analysis and byte-size signatures
- › Hunt DNS anomalies (DGA, tunnelling, fast-flux) from hypothesis to confirmed finding
- › Build a JA3/JA4 rarity baseline and identify anomalous TLS clients
- › Convert a confirmed hunt finding into a Sigma detection rule
Lessons
1 The Network Hunter's Data Model — What Each Log Answers
25 min 2 Beacon Hunting — Interval Analysis, Jitter, and Byte Signatures
30 min 3 DNS Hunting — DGA, Tunnelling, and Fast-Flux from Hypothesis to Finding
25 min 4 TLS Hunting — JA3/JA4 Rarity, Certificate Metadata, and SNI Anomalies
25 min 5 Hunt Report to Detection — Converting Findings to Sigma
20 min Module Quiz
Test your knowledge before moving on.