Chris Sanders 🍯

@chrissanders88
For threat hunting, a non-trivial amount of the work is referencing, creating, and updating system and network inventory. This doesn't get talked about enough as a skill set that someone develops. 1/

Threat hunting is all about finding anomalies that automated detection mechanisms don't find. That means manual anomaly detection, which sometimes means weeding out things that are normal. 2/

For example, let's say you discover a binary that runs in the middle of the night on a host and that's weird! So, you eventually search for the prevalence of that behavior and see it running on other hosts in that department. 3/

At the same time, you find this host talking to a weird internal system on an odd low port you haven't seen before. In this case, that behavior is nowhere else on the network. 4/

Eventually, you talk to an IT person or user in that department and find out the process is some special software they use and the weird system is a dedicated server for it, and it's all legit. Job's not done, though. 5/