
Chapter 11

Hamlet Builds a Threat-Hunting Program at Denmark Cyber Defense

Hamlet, Threat Hunter at Denmark Cyber Defense, has been promoted to lead the firm's newly chartered detection-engineering and hunting program. The catalyst was an eleven-night insider incident he identified last quarter through behavioral anomaly scoring — an event that none of the standing detection rules had triggered on. The board read his post-incident write-up and decided the SOC needed to operate proactively, not just reactively.

Hamlet inherits a SIEM that ingests roughly 14 billion events per day from endpoints, firewalls, identity, cloud, and email — but whose detection rules were largely copied from the original vendor templates and have not been measured for false-positive rate in years. The SOC analyst queue receives over 500 alerts per shift, most of which get acknowledged without investigation because the analysts simply do not have time. Threat intelligence is being collected from three commercial feeds, two ISAC memberships, and CISA's automated indicator-sharing program, but indicators are being applied directly to the perimeter firewall blocklist with no scoring or aging — and last month a major SaaS provider's IP range got blocked for six hours because of a stale entry.

Hamlet's six-month plan must rebuild the data pipeline, modernize detection, formalize threat hunting, and bring threat-intelligence consumption under control.

Complete Hamlet's program plan by selecting the correct option for each blank.

Hamlet starts at the foundation. The SIEM is ingesting data from fifty different products in fifty different formats, which is why correlation across sources has historically failed. He standardizes the ______ stage on OCSF so that authentication events from Active Directory, EDR process telemetry, and cloud audit logs can be joined on common user, host, and IP fields.

Next he reorganizes storage into ______ — fast SSD for the last fourteen days where active investigation happens, object storage for the rest of the year, and cold archive beyond that — so query latency and retention cost are no longer one undifferentiated bill.

For detection, Hamlet adopts a ______ workflow in which every rule lives in a Git repository, is reviewed like application code, is tested in staging against historical data, and has its false-positive rate measured weekly. He commits to the open vendor-neutral rule format so that the team can both consume community rules from SigmaHQ and contribute back.

To close the gap revealed by the insider case last quarter, Hamlet deploys a platform that builds per-user and per-entity baselines and surfaces statistical deviations the static rules would never have anticipated. Particularly powerful is its ______ capability, which compares a finance analyst's access patterns against other finance analysts — surfacing access that is technically authorized but anomalous for the role.
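The comparison described above, a user's access counts measured against the other members of the same role rather than against a global baseline, can be shown in a few dozen lines. This is an added example written for this page, not code from any product Hamlet might deploy. The telemetry is constructed inline: ten finance analysts who all use the general-ledger share at similar rates, and one who also pulls an HR payroll export that every analyst is technically authorized to read. The role names, resource names, and the z-score threshold of 2.0 are all assumptions of the example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry: (user, role, resource) tuples for one week.
# Ten finance analysts all use the general ledger share at similar rates;
# one of them also pulls an HR payroll export repeatedly. Every analyst is
# technically authorized to reach both shares, so no static rule fires.
FINANCE = [f"fin{i:02d}" for i in range(1, 11)]
EVENTS = []
for i, user in enumerate(FINANCE):
    EVENTS += [(user, "finance_analyst", "gl_ledger")] * (18 + i % 5)
EVENTS += [("fin10", "finance_analyst", "hr_payroll_export")] * 15


def peer_group_counts(events):
    """Return {role: {resource: {user: count}}}, with an explicit 0 for every
    member of the role who never touched the resource, so absent peers still
    pull the baseline down instead of being silently ignored."""
    members = defaultdict(set)
    counts = defaultdict(lambda: defaultdict(Counter))
    for user, role, resource in events:
        members[role].add(user)
        counts[role][resource][user] += 1
    table = {}
    for role, peers in members.items():
        table[role] = {
            # Counter returns 0 for a user with no events on this resource.
            resource: {u: c[u] for u in sorted(peers)}
            for resource, c in counts[role].items()
        }
    return table


def zscore(value, population):
    """z-score of one value against its peer population. When the peers are
    uniform (stdev 0), any deviation at all is treated as maximally anomalous
    rather than raising a division-by-zero error."""
    mu = mean(population)
    sigma = pstdev(population)
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def flag_peer_anomalies(events, threshold=2.0):
    """List (user, resource, count, z) for every user whose access count to a
    resource sits at least `threshold` standard deviations above the peers
    who share the same role."""
    flagged = []
    for role, resources in peer_group_counts(events).items():
        for resource, per_user in resources.items():
            population = list(per_user.values())
            for user, count in per_user.items():
                z = zscore(count, population)
                if count > 0 and z >= threshold:
                    flagged.append((user, resource, count, round(z, 2)))
    return sorted(flagged)


if __name__ == "__main__":
    for row in flag_peer_anomalies(EVENTS):
        print(row)
```

On the constructed data the general-ledger usage spreads across the group with a maximum z-score of about 1.4, so nobody is flagged for it, while the lone payroll-export reader scores z = 3.0 against nine peers at zero and is surfaced. The explicit zeros for non-accessing peers are the important design choice: counting only users who appear in the log would shrink the peer group to one person and hide the deviation entirely.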

Hamlet formalizes threat hunting as a structured, ______-driven activity. Each hunt begins with a specific testable claim about how an adversary would behave, draws on existing telemetry, and ends with one of three outcomes: an incident, a new detection rule that operationalizes what was learned, or documented evidence of coverage. To increase signal where the noise is highest, the team also deploys cheap decoy secrets — ______ — in fileshares, developer home directories, and password vaults so that any interaction at all generates a high-confidence alert.

Finally, threat intelligence consumption is brought under control by inserting a ______ between the external feeds and any enforcement point. It deduplicates indicators across feeds, ages them based on first-seen and last-seen dates, scores them by source fidelity, and enriches SIEM alerts with adversary context. Indicators flow downstream to the firewall, DNS resolver, and EDR through the platform's policy — never directly from the raw feed. The data model used to describe each indicator and its relationships to TTPs and campaigns is ______, and the transport that carries those bundles between the platform and external partners is ______.
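The three processing steps the paragraph names for the intermediary layer (deduplicate across feeds, age by first-seen and last-seen, score by source fidelity) and the policy gate in front of the enforcement points can be illustrated end to end. This is an added example for this page, not code from any platform Hamlet's team might buy. The feed names and their fidelity weights, the 14-day half-life, the 0.6 enforcement threshold, and the indicator values (all from RFC 5737 documentation ranges) are constructed assumptions; the stale /24 entry plays the role of last month's mistaken block.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Source fidelity weights in 0..1. Constructed assumption for this example;
# a real deployment would calibrate them from each feed's measured precision.
FEED_FIDELITY = {"commercial_a": 0.9, "commercial_b": 0.7, "isac": 0.8, "ais": 0.5}


@dataclass
class Sighting:
    """One raw indicator record exactly as a single feed reports it."""
    feed: str
    value: str
    first_seen: date
    last_seen: date


@dataclass
class Indicator:
    """A deduplicated indicator merged across every feed that reported it."""
    value: str
    feeds: Set[str] = field(default_factory=set)
    first_seen: Optional[date] = None
    last_seen: Optional[date] = None


def deduplicate(sightings: List[Sighting]) -> Dict[str, Indicator]:
    """Merge sightings by value: earliest first_seen, latest last_seen, union of feeds."""
    merged: Dict[str, Indicator] = {}
    for s in sightings:
        ind = merged.setdefault(s.value, Indicator(value=s.value))
        ind.feeds.add(s.feed)
        ind.first_seen = s.first_seen if ind.first_seen is None else min(ind.first_seen, s.first_seen)
        ind.last_seen = s.last_seen if ind.last_seen is None else max(ind.last_seen, s.last_seen)
    return merged


def age_factor(ind: Indicator, today: date, half_life_days: int = 14) -> float:
    """Exponential decay on days since last_seen: confidence halves every half-life."""
    days_stale = max(0, (today - ind.last_seen).days)
    return 0.5 ** (days_stale / half_life_days)


def score(ind: Indicator, today: date) -> float:
    """Treat each feed as independent corroboration: the indicator is wrong only
    if every reporting feed is wrong. Multiply by the age factor so an
    unrefreshed entry decays out of the enforcement set on its own."""
    p_all_wrong = 1.0
    for feed in ind.feeds:
        p_all_wrong *= 1.0 - FEED_FIDELITY.get(feed, 0.3)  # unknown feed: low trust
    return (1.0 - p_all_wrong) * age_factor(ind, today)


def enforcement_set(sightings: List[Sighting], today: date, threshold: float = 0.6) -> List[str]:
    """Policy gate: only indicators above the threshold reach firewall, DNS, or EDR."""
    indicators = deduplicate(sightings)
    return sorted(v for v, ind in indicators.items() if score(ind, today) >= threshold)


# Constructed sample feed data. All addresses are RFC 5737 documentation ranges.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Sighting("commercial_a", "203.0.113.7", date(2024, 5, 20), date(2024, 5, 31)),
    Sighting("isac", "203.0.113.7", date(2024, 5, 25), date(2024, 5, 30)),
    Sighting("commercial_b", "192.0.2.10", date(2024, 5, 18), date(2024, 5, 20)),
    # Stale entry: a whole /24 reported once by one feed three months ago and
    # never refreshed. Pushed straight to a blocklist it would still be live.
    Sighting("ais", "198.51.100.0/24", date(2024, 2, 20), date(2024, 3, 1)),
]

if __name__ == "__main__":
    for value, ind in sorted(deduplicate(SAMPLE).items()):
        print(f"{value:18} feeds={sorted(ind.feeds)} score={score(ind, TODAY):.3f}")
    print("enforce:", enforcement_set(SAMPLE, TODAY))
```

With these assumptions the address seen by two feeds within the last day scores about 0.93 and is the only indicator that reaches enforcement; the single-feed address seen twelve days ago lands near 0.39, and the three-month-old /24 decays below 0.01. The decay is what the raw-feed-to-firewall path lacked: nothing has to remember to remove the stale range, because an indicator nobody re-reports simply stops qualifying.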

Hamlet replaces the old vanity metric of 'events processed per day' on the executive dashboard with two outcome-oriented numbers: ______ (the average time from initial compromise to detection) and the average time from detection to containment.