Skip to content

How do you decide which log sources and telemetry you need to hunt effectively?

Short answer

Start from the techniques you want to detect, then work backwards to the telemetry that reveals them — ATT&CK's data sources mapping helps. In practice the highest-value sources are endpoint process/command-line and module-load telemetry (EDR/Sysmon), authentication and identity logs, DNS and proxy/network flow, and cloud control-plane logs. You then audit what you actually collect and retain versus what each technique needs, exposing visibility gaps. A technique you cannot see in any log is not huntable yet.

You cannot hunt for what you cannot see. The first question in any hunt is not "what query do I run" but "do I even have the data that would reveal this behaviour, with enough fidelity and retention?"

Start from technique, not from data

Work backwards. Pick the techniques you care about — ATT&CK maps each one to the data sources that expose it (process creation, command execution, module load, logon, network connection, file creation). That mapping turns "what logs do I need" into a concrete shopping list driven by threat, not by whatever happens to be flowing into the SIEM.

The high-value sources

  • Endpoint — process creation with full command line, parent/child relationships, module/DLL loads, and registry/file events. EDR or Sysmon. This is where most attacker behaviour becomes visible.
  • Identity and authentication — Windows logon events, Entra ID / Okta sign-in logs, Kerberos activity. Essential for credential abuse and lateral movement.
  • Network — DNS queries, proxy/web logs, and flow data for C2 and exfiltration.
  • Cloud control plane — CloudTrail, Azure activity logs, audit logs for cloud TTPs.

Audit the gaps

Compare what each target technique needs against what you actually collect and retain. Command-line logging off? You are blind to LOLBins. 7-day retention? You miss slow-burn intrusions. Document these gaps as findings.

Why this matters

Interviewers want to see that you reason from threat to telemetry and that you treat visibility gaps as first-class problems — not someone who assumes the data is already there.

Likely follow-ups

  • Why is process command-line logging so valuable, and how do you enable it?
  • How do retention limits constrain what you can hunt for?
  • What does an ATT&CK data-source-to-technique mapping give you?

Sources

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.