# Threat Hunting to Find the Good Stuff

By [Dena De Angelo](https://www.paloaltonetworks.com/blog/author/ddeangelo/?ts=markdown "Posts by Dena De Angelo"), Oct 17, 2023, 6 minutes
In the final episode of Season One of ["This is How We Do It,"](https://www.paloaltonetworks.com/blog/tag/this-is-how-we-do-it/) Peter Havens from Cortex product marketing sits down with Leeroy Perera, staff security engineer. They discuss the practice of threat hunting and how we apply it in our SOC. In this interview, we gain valuable insights into why threat hunting is vital, its unique approach at Palo Alto Networks, and how it contributes to keeping the company and our customers safe from cyberattacks.

Palo Alto Networks, with its extensive reach to protect numerous organizations and individuals worldwide, is an attractive target for cyberattackers. To combat this threat, Leeroy emphasizes the significance of threat hunting. He defines it as a complementary task that goes beyond generic threat detection and response. While XSIAM or XDR handles generic threat detection for all customers, threat hunting at Palo Alto Networks focuses on crafting hunts that align with the company's distinct requirements. Leeroy's team curates threat hunts that address business-specific criteria, ensuring that Palo Alto Networks remains safeguarded against threats uniquely relevant to its environment.

Peter kicks the interview off by asking point blank, "Can't we just rely on the threat detection and response products to identify all threats and prevent them?" Leeroy responds:

*"Well not necessarily. Hunting is a complementary task that is coming in and trying to look at something that is business-specific and not to go and look at the detections that are already brought into all of the customers.
We are trying to look at what is going on in Palo Alto Networks and being very specific to what Palo Alto Networks needs and what the SOC needs to alert on."*

## Distinguishing Threat Hunting Services

Palo Alto Networks also offers a [Managed Threat Hunting (MTH) service](https://www.paloaltonetworks.com/unit42/respond/managed-threat-hunting) through Unit 42, which specializes in tracking the latest threat activity and adversarial tactics. Leeroy clarifies that this service is distinct from their in-house threat hunting efforts. While Unit 42 monitors evolving threat actors and tactics, Palo Alto Networks concentrates its internal threat hunting on the organization's specific needs and concerns. He states, "The MTH or Managed Threat Hunting services is providing that service, but they're doing it on a broader level. They're looking at the adversary in a different way. Looking at the tactics and techniques that they're utilizing."

Threat hunting is essentially a hypothesis-driven approach. It begins with an idea or theory about potentially malicious activity within the company's environment. This theory is then transformed into a query using the XQL query language within Cortex XSIAM to consolidate various datasets, including endpoint, network and identity data logs. Joining datasets refines the result into something that more richly contains threats (i.e., "the good stuff").

Peter examines further:

*"So your job is to create these theories, these hypotheses, and refine those into something that produces a rich dataset. And when you've got that, you hand that off to the security analysts to go and pursue those potential threats. They probably love you since you're feeding them with rich datasets to actually go and find real potential malicious activity within the company."*

## Refining the Hypothesis

Creating an effective query requires significant refinement. Initially, the results may be too vast to handle effectively.
Leeroy's team employs mechanisms like exclusion, deduplication and data joining to reduce the dataset's size while retaining valuable information. The goal is to generate a manageable dataset that is rich with potential threats.

Example: Our hypothesis --- Office Files Communicating Externally

To achieve the refined dataset, we break down the process by taking the following questions into consideration:

* How many Office files were found in the organization?
* How many of the files were found to run scripts (i.e., PowerShell, VBA)?
* How many of those files exhibit the behavior of external communication?
* How many of those external communications were also identified by the firewall?

Once a refined dataset is prepared, it's passed on to security analysts. These analysts take the data and investigate it further, ultimately leading to the identification of potential threats. Leeroy emphasizes that this collaboration between threat hunters and analysts is critical for effective threat hunting.

The outcome of a successful threat hunt isn't limited to threat identification. Leeroy mentions that their team can create custom detection and correlation rules: "So we actually can create correlation rules ourselves. We create those, and then we test them for us. But then the product team can take our correlation rule and then use that in a broad way." These rules can then be used to enhance threat detection capabilities within the Cortex portfolio.

## A Real-World Example: Unsigned DLLs

To illustrate the concept, Leeroy shares an example of a threat hunt involving unsigned dynamic-link libraries (DLLs) communicating with new domains since "the probability of a young domain communicating with an unsigned DLL is highly suspicious." The hypothesis was that these unsigned DLLs might be engaging in questionable activity. By focusing on this specific scenario and refining the query, they could effectively pinpoint potential threats, reinforcing the value of threat hunting.
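As an added illustration (not code from the post, and not XQL), here is the four-question refinement funnel from the Office-files hypothesis implemented in Python over constructed endpoint, network and firewall records: Office files, then those that spawn a script host minus an exclusion list, then those with external destinations found by joining network events, then those corroborated by firewall logs. All host names, image names, documents, IP addresses and the exclusion list are constructed; the same join-and-filter shape, with different filters, is what a hunt such as the unsigned-DLL example would use.

```python
import ipaddress

# Constructed sample telemetry (not real logs) for a handful of workstations.
PROCESS_EVENTS = [
    # (host, parent_image, child_image, document)
    ("ws01", "WINWORD.EXE", "powershell.exe", "invoice.docm"),
    ("ws01", "WINWORD.EXE", "powershell.exe", "invoice.docm"),  # exact duplicate
    ("ws02", "EXCEL.EXE", "wscript.exe", "q3-budget.xlsm"),
    ("ws03", "WINWORD.EXE", "splwow64.exe", "memo.docx"),  # routine print helper
    ("ws04", "EXCEL.EXE", "cmd.exe", "report.xlsx"),
]
NETWORK_EVENTS = [
    # (host, image, dst_ip); public IPs are RFC 5737 documentation addresses
    ("ws01", "powershell.exe", "203.0.113.10"),
    ("ws02", "wscript.exe", "10.0.0.5"),  # internal destination, filtered out
    ("ws04", "cmd.exe", "198.51.100.7"),
]
FIREWALL_LOGS = [
    # (src_host, dst_ip, action)
    ("ws01", "203.0.113.10", "allow"),
]

OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
# Exclusion list: child processes Office spawns routinely; tuned per environment.
EXCLUDED_CHILDREN = {"splwow64.exe"}
# RFC 1918 listed explicitly: ipaddress.is_private would also flag the RFC 5737 IPs.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def office_external_funnel(process_events, network_events, firewall_logs):
    """Apply the four refinement questions in order; return the per-stage
    counts and the refined rows that would be handed to analysts."""
    stages = {}
    # Q1: Office files seen. Building a set deduplicates the repeated ws01 event.
    office = {e for e in process_events if e[1] in OFFICE_PARENTS}
    stages["office_files"] = len({e[3] for e in office})
    # Q2: files whose child process is a script host, minus the exclusion list.
    scripting = {e for e in office
                 if e[2] in SCRIPT_HOSTS and e[2] not in EXCLUDED_CHILDREN}
    stages["script_children"] = len({e[3] for e in scripting})
    # Q3: join with endpoint network events on (host, image); keep external destinations.
    conns = {}
    for host, image, dst in network_events:
        if is_external(dst):
            conns.setdefault((host, image), set()).add(dst)
    external = [{"host": h, "document": doc, "process": child, "dst_ip": dst}
                for h, _parent, child, doc in sorted(scripting)
                for dst in sorted(conns.get((h, child), ()))]
    stages["external_comms"] = len(external)
    # Q4: corroborate with firewall logs joined on (source host, destination IP).
    fw_seen = {(h, dst) for h, dst, _action in firewall_logs}
    confirmed = [r for r in external if (r["host"], r["dst_ip"]) in fw_seen]
    stages["firewall_confirmed"] = len(confirmed)
    return stages, confirmed

if __name__ == "__main__":
    counts, rows = office_external_funnel(PROCESS_EVENTS, NETWORK_EVENTS, FIREWALL_LOGS)
    print(counts, rows)
```

The per-stage counts show the funnel narrowing from four Office files to a single firewall-corroborated external connection, which is the row an analyst would pick up.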
## Code Access and Threat Hunting

The unique needs of Palo Alto Networks extend to code access and source code downloading, given the organization's involvement in software development. Leeroy explains that they consider behaviors surrounding code access as part of their threat hunting efforts. Behavior examples:

* Repo downloads/uploads
* Suspicious access patterns
* New members (account) addition

In conclusion, threat hunting is an indispensable practice at Palo Alto Networks. It goes beyond traditional threat detection, addressing business-specific concerns and providing a proactive stance against cyberthreats. Leeroy and his team play a crucial role in crafting hypotheses, refining queries and collaborating with security analysts to keep Palo Alto Networks secure. Their approach not only identifies potential threats but also contributes to the development of enhanced detection rules, ultimately bolstering the organization's cybersecurity defenses.

As cybersecurity practitioners, you can draw inspiration from our Palo Alto Networks threat hunting methodology to tailor your strategies to the unique needs of your organization. Ensure a proactive defense against evolving cyberthreats.

#### Watch their [full interview](https://www.youtube.com/watch?v=eCE7Z4-f1WY) on our Cortex YouTube channel.