Let's see how we can help you!
Leave a message and our dedicated advisor will contact you.
Send us a message
0/10000
Hunting Architecture: How to Build a Modern SOC That Doesn’t Just Look, But Sees (Extended Version)
Published: 18:26 01/02/2026
Cyberbezpieczeństwo
Average Breakout Time – the time hackers need from initial compromise to beginning lateral movement – is often less than two hours. Some adversaries do it in minutes.
If your SOC (Security Operations Center) relies on manually reviewing alerts generated by static rules, you have lost the race before you even got out of your chair. We must build a system that is unpleasant for the attacker, not for the analyst.
Here is the extended architecture of proactive Threat Hunting.
Phase 1: Data Hygiene (What no one wants to do, but everyone must)
Most SIEM projects fail not because of a lack of expensive tools, but because of a mess in the data. Imagine trying to find a "suspicious man," but one witness describes him in French, another in Japanese, and the third only gives his shoe size.
1. Normalization is Your Esperanto
I mentioned ECS (Elastic Common Schema) and OCSF. Let's expand on that. Normalization is not just field mapping; it is value unification.
- Example: Is the login event "Logon," "Login," "SessionStart," or ID 4624? Your SIEM must boil it all down to a single value:
event.action: "authentication_success". - Why it's critical: This allows an analyst to write one query that covers Windows, Linux, cloud, and SQL databases. Without this, Threat Hunting is a battle against semantics, not the hacker.
2. Enrichment with Business Context
Technical context (GeoIP) is foundational. But the real magic happens when you add business context.
- Your logs should know that user
j.kowalskiis not just a "User," but a "Domain Administrator" or "CFO." - The system must know that server
SRV-005processes payment card data (PCI DSS). - The Principle: An alert regarding a test server is "information." The same alert regarding a domain controller is a "fire." The SIEM must know this difference before waking up the analyst at night.
Phase 2: Detection Strategy (Going Beyond Signatures)
This is where David Bianco's Pyramid of Pain comes in.
Most systems focus on the bottom of the pyramid: file hashes, IP addresses, domains. These are easy to detect, but trivial for a hacker to change. Change the IP, and your rule is useless.
A modern SIEM must aim for the top of the pyramid: TTPs (Tactics, Techniques, and Procedures).
1. Behavioral Detection (UEBA)
Stop looking for "bad files." Start looking for "strange behaviors."
- Don't ask: "Does this file have a virus?"
- Ask: "Why is
winword.exe(Word) trying to spawnpowershell.exeand connect to the internet?" - This approach allows for the detection of zero-day attacks for which there are no signatures yet. Word opening PowerShell is always suspicious, regardless of which exploit was used.
2. Hunting Hypotheses
Threat Hunting is not about staring at a screen and waiting for inspiration. It is a scientific process.
- Hypothesis: "I think attackers might be using Pass-the-Hash to jump between servers."
- Experiment: "I'm searching Windows event logs for 4624 with logon type 3 and NTLM usage, where the source station is not an admin's workstation."
- Conclusion: Confirmation (incident) or negation (security).
Phase 3: Operationalization (Detection as Code)
If your detection rules only live in the clickable interface of your SIEM, you are a hostage to that vendor.
CI/CD for Security
Treat detection rules (e.g., YAML files in Sigma format) like application code:
- Commit: An analyst creates a new rule to detect Log4Shell.
- Test: An automated script checks if the rule is syntactically correct and doesn't generate a billion alerts on historical data.
- Deploy: The rule is automatically deployed to production.
This eliminates "configuration drift" and situations where someone accidentally disabled a key alert three months ago and no one noticed.
Phase 4: Tiering Architecture (Hot, Warm, Cold)
We must balance greed (wanting all the data) with economics (not having a NASA budget). Let's expand the storage model:
- Hot (NVMe/SSD): Last 7-14 days. This is where 90% of analyst queries happen. Responses must be instantaneous.
- Warm (HDD): Up to 3-6 months. Data is available, but a query might take a few minutes. Ideal for trend analysis and hunting "low and slow" (prolonged APT attacks).
- Cold/Frozen (S3/Tape): Years. Data is compressed, dirt cheap. We pull it only when the prosecutor or auditor knocks. Rehydrating it takes hours, but it costs pennies.
Real-World Example: Detection as Code in Practice
Theory sounds good, but what does it look like on the keyboard? Instead of clicking in a GUI, we write a rule. Here is an example of a simple rule in Sigma format, detecting Word spawning PowerShell (a classic Initial Access):
title: Suspicious PowerShell Child Process
id: 1234-5678-90ab-cdef
status: experimental
description: Detects PowerShell being spawned by Microsoft Word
author: Aleksander Security
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\winword.exe'
Image|endswith:
- '\powershell.exe'
condition: selection
level: high
tags:
- attack.execution
- attack.t1059.001
Such a file lands in a Git repository. An automation (CI/CD) converts it into a query understandable by your SIEM (e.g., Elastic DSL, Splunk SPL) and deploys it. Zero manual clicking.
What to Build With? (Open Source Stack)
You don't need a bank's budget to start. You can build a powerful SOC paying only for electricity and engineer time. Here is the modern Threat Hunter's "Starter Pack":
- Wazuh: The heart of the operation. Full EDR (agent-based) and SIEM. It collects logs, analyzes file integrity, and detects vulnerabilities.
- TheHive: The brain of the operation. An incident response platform (Case Management). This is where alerts land and where analysts document their investigations.
- MISP: The memory of the operation. A Threat Intelligence platform. This is where you store information about malicious IPs, domains, and hashes shared with the community.
- Cortex: The hands of the operation. An analysis engine that, at the request of TheHive, can "scan" a suspicious file on VirusTotal or check an IP in a reputation database.
Summary: People > Tools
Finally, the most important element, which isn't in any config file: the mindset.
The best SIEM is one that takes the burden of repetitive, boring work off humans (automation, filtering false positives), allowing them to do what AI is still poor at: connecting the dots, thinking creatively, and understanding context that isn't in the logs.
Don't build a data museum. Build a command center.
Aleksander
Sources:
About the Author
Aleksander Zębrowski
Chief Technology Officer at SecurHub.pl
PhD candidate in neuroscience. Psychologist and IT expert specializing in cybersecurity.
Related Articles
Cyberbezpieczeństwo
Security Operations Center (SOC): A Comprehensive Guide for 2026 | Building and Implementation
Learn everything about the Security Operations Center (SOC) - from team building, through SIEM/XDR/SOAR technologies, NIS2 requirements, and deployment models, to the future with AI. A practical guide for CISOs and IT managers.
07.12.2025
49 min
Cyberbezpieczeństwo
Stop Waiting for the Alarm. Why Your Network Needs a Hunter, Not Just a Guard
Traditional cybersecurity is waiting for a breach. Threat Hunting is meeting it halfway. Discover why paranoia (the controlled kind) is the healthiest strategy for your organization.
10.11.2025
13 min
Cyberbezpieczeństwo
The End of the "Console Clicking" Era. How SOAR and Agentic AI Save Us from Digital Burnout
SOC analysts are drowning in a data flood, wasting hours on false alarms. Is 2025 and the arrival of autonomous AI agents the moment machines finally let humans stop "chasing ghosts" and start thinking strategically?
05.11.2025
14 min
Comments
Loading comments...