Cyber Threat Hunting Workshop

This course covers the fundamentals of building or refining a hunt program in your own environment around a defined process; how to create consistent practices to identify, define, and execute a hunt mission; and how to measure success of your hunting program.

The Cyber Threat Hunting Workshop is a three-day in-class training on threat hunting. Customers starting a hunting program will be advised on how to shape a sustainable hunting program. Customers with existing Hunt Programs will learn how to incorporate a repeatable, flexible, and efficient process around existing hunting activities and build consistent practices that is intelligence-led, as well as measure the capability for success.

On day one,  customers learn to be proactive in threat detection, build out a process workflow, and understand how to develop and enrich use cases leveraging Cyber Threat Intelligence.

On days two and three,  the training bridges essential concepts for network and endpoint hunting and then allows learners to apply techniques to hunt for anomalous patterns. Hands-on activities follow real-world use cases to identify attacker techniques. Learners will leave the course with concrete use cases that they can leverage to hunt in their own environment.

Throughout the workshop, FireEye consultants share case studies from the field, leveraging their knowledge and experience. Instructors provide guidance on hunting across typical security toolsets such as SIEM, packet capture, and EDR; learners attending the course do not need a prior knowledge of specific FireEye technology to benefit from the instruction, however, lab activities are leveraged on the following FireEye  technologies: FireEye Helix, FireEye Endpoint Security and FireEye Network Forensics. For example, Endpoint Hunting use cases leverage either FireEye Endpoint Security, or Helix, or both, to acquire data used in the Hunt Mission.

Learning Objectives

After completing this course, learners should be able to:

  • Define Cyber Threat Hunting and articulate its value to an organization
  • Create or enhance an existing hunting program through an intelligence-led process
  • Build out a repeatable, consistent, and efficient Hunting framework
  • Develop hunting use cases based on an organization’s threat profile
  • Leverage both endpoint and network data for successful hunting
  • Implement a hunting mission to hunt, find, and automate the hunting process
  • Measure the capability and success of a hunting program

Course Description

Attacks against enterprises continue to increase in frequency and sophistication. To proactively detect and defend data and intellectual property, organizations must have the ability to proactively find threats without relying solely on security products for detection.

This intensive three-day course is designed to coach learners in developing or maturing their hunting program and to teach fundamental hunting techniques needed to execute that hunting program successfully. Customers will learn how to build consistent practices that are based on their organization’s threat profile and how to measure the success of their hunting program. Customers looking to create a hunting program will be advised on how to shape a sustainable program. Customers with existing programs will learn how to incorporate a repeatable, flexible, and efficient process around existing hunting activities.

Students will learn how to develop hunting use cases following uses cases based on Cyber Threat Intelligence and their organization’s threat profile. The technical portion of the course focuses on the hunting techniques needed to find attackers in today’s landscape of threat actors and intrusion scenarios. Built on real-world use cases and the latest threats, the course is comprised of a series of hands-on labs that highlight hunting in each phase of a targeted attack.

Through sample use cases, students will learn to identify artifacts left by specific techniques, define data collection and identify opportunities for automation, and execute hunt missions. This course includes six hunting use cases, for example, Event Log ClearingRDP Tunneling and others. Each use case follows the hunting process by presenting a hunt mission and providing artifacts for hands-on analysis in a lab environment. Use cases begin with separate hunt missions for network and endpoint, then build to two final use cases that require analysis in both areas.

 Instructor-Led Training

Seats for our public ILT sessions can be purchased online; refer to our public training schedule for more information.

Private training sessions are available for teams of 5 or more. Please contact your FireEye account manager for availability and pricing.

Who Should Attend

Customers who wish to build a hunting program or refine an existing hunting program will benefit from this course. The combination of technical content and threat intelligence is intended for students with any combination of incident response, forensic analysis, network traffic analysis, log analysis, security assessments, penetration testing, and/or intelligence analysis. It is also well suited for those managing Incident Response or Hunt teams or in roles that require oversight of cyber threat hunting and other investigative tasks.


3 days


Completion of Endpoint Investigations instructor-led course or an equivalent foundation in incident response; a working understanding of networking and network security, the Windows operating system, file system, registry and regular expressions, and basic experience scripting in Python (or similar) language.

Course Outline

Instructor-led sessions are typically a blend of lecture and hands-on lab activities.

Day 1: Hunt Mission Framework

  1. Foundations
    • Define Hunting
    • Bridge the Divide with Hunting 
    • Realize Operational and Business Value 
    • Integrate Hunt Capability into Conventional Cyber Security Operations
    • Operational Drivers 
    • Gap Analysis 
  2. Hunt Mission Process
    •  Hunting Process Framework
    • Hypothesis Development
    • Stages of Hunting
    • Process Inputs and Outputs
    • Developing Threat Summaries

Day 2 & 3: Hunt Use Case Application

  1. Introduction to Hunting
    • Types of Hunting
    • Hunting Process
    • Defining Hunt Missions
    • Creating a Hunt Program
  2. Acquiring and Analyzing Endpoint Data at Scale
    • Operating System Technology ReviewSearching and pivoting
    • Malware Hiding Techniques
    • Uncovering Internal Reconnaissance
    • Uncovering Lateral Movement
    • Data Acquisition Techniques
  3. Acquiring and Analyzing Network Data at Scale
    • Network Technology Review
    • Tunneling Techniques
    • Suspicious HTTP Traffic
    • Data Acquisition Techniques

Hunting Use Cases

This course includes six hunting use cases. Each case has the followijg format:

  • Technology Review
  • Real-world Threats 
  • Hunt Mision
  • Data Collection and Hunt Execution
  • Analysis
  • Refining the Hunt Mission
Scroll to Top