During a post-mortem meeting, the SOC manager points out that relying solely on SIEM alerts still leaves "blind spots" where sophisticated attackers can lurk undetected. She asks the team to begin a process in which analysts develop hypotheses, manually query endpoint and network telemetry, and iterate through data to uncover adversary tactics that have not yet generated any alerts. Which of the following activities is she describing?
Aggregating external threat-intelligence feeds into the SIEM for automated correlation
Launching an incident-response process immediately after an IDS signature fires
Conducting a proactive threat hunt to identify adversary activity that evaded existing controls
Performing routine alert triage based on SIEM detections and escalating confirmed incidents
The manager is describing threat hunting: a proactive, hypothesis-driven search across telemetry to discover malicious behavior that has evaded automated controls. Threat hunters deliberately look for indicators and TTPs without waiting for existing signatures or alerts. Aggregating threat-intel feeds, routine SIEM alert triage, or kicking off incident response after an IDS alert are reactive or automated processes, not threat hunting.