1. What is Threat Hunting?

Threat Hunting is a proactive cybersecurity approach that consists of manually searching for hidden malicious activity even when no automatic alert has been triggered.

Unlike traditional systems:
- SIEM → detects based on predefined rules
- Threat Hunting → human-driven investigation to uncover hidden threats

---

2. Purpose of this lab

This lab is designed to:
- identify silent or undetected attacks
- analyze logs in depth
- detect suspicious behaviors
- understand real SOC operations
- improve investigation skills

---

3. Objectives

By completing this lab, you will be able to:
- detect anomalies in logs
- interpret security data
- correlate multiple events
- identify hidden attacks
- produce an investigation report

---

4. Tools used

Main SIEM
Splunk Enterprise
→ log collection and analysis

Log sources
- Windows Event Logs
- Linux Syslog
- Network / Firewall logs

Endpoint security (optional)
Microsoft Defender for Endpoint
→ endpoint-level detection

Attack simulation tools
- Atomic Red Team
- Kali Linux

---

5. Splunk Interface – Tabs explained

Search & Reporting
main analysis workspace
run SPL queries
explore logs

Dashboard
visual overview
trends and statistics
security metrics

Alerts
automate detection
trigger notifications

Data Inputs
ingest data
connect log sources

Reports
generate reports
export results

Notables (Splunk Enterprise Security only)
manage critical incidents
centralize investigations

---

6. Hands-on Lab – Step-by-step

STEP 1: Installation
1. Download Splunk Enterprise
2. Install on Windows or Linux
3. Start Splunk service
4. Access the interface:
http://localhost:8000
5. Create an admin account

STEP 2: Add logs
1. Go to Settings
2. Click Add Data
3. Select Monitor Files
4. Choose:
- Windows logs
- system logs
5. Confirm and finish setup

STEP 3: Access analysis
1. Open Search & Reporting
2. Use the search bar

STEP 4: Detect suspicious logins
Query (EventCode 4625 is the Windows failed-logon event):
index=security EventCode=4625

Output:
- failed login attempts
- suspicious activity

STEP 5: Deep analysis
1. Click on an IP address
2. Check:
- frequency of attempts
- targeted users
A high number of repeated failures from one source, especially against several users, may indicate a brute-force or password-spraying attempt

STEP 6: Event correlation
Query (EventCode 4624 is the successful-logon event):
index=security (EventCode=4625 OR EventCode=4624)

Goal:
compare failed vs successful logins

STEP 7: Persistence detection
Query (EventCode 4698 is logged when a scheduled task is created):
index=security EventCode=4698

Detect:
scheduled tasks (possible persistence)

STEP 8: Process analysis
Query:
index=security process_name=*.exe

Goal:
identify suspicious processes (this only returns results if process-creation events, such as Windows EventCode 4688 or Sysmon event ID 1, are being collected)

STEP 9: Create dashboard
1. Go to Dashboard
2. Add:
- login failures
- system activity
- network traffic

Result:
global visibility

STEP 10: Create alert
1. Go to Alerts
2. Click Create Alert
3. Use condition:
index=security EventCode=4625 | stats count by src_ip
4. Define threshold:
trigger alert if failures exceed a limit
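The detection logic of steps 4, 6 and 10 (failed logons per source, an alert threshold, and a successful logon that follows a burst of failures from the same source), as an added Python example that is not part of the lab's Splunk material; the event lines and the field names src_ip and Account_Name are constructed here to mirror the lab's queries:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data), flattened to the fields the lab queries use.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 EventCode=4625 Account_Name=alice src_ip=203.0.113.5
2024-05-01T10:00:05 EventCode=4625 Account_Name=bob src_ip=203.0.113.5
2024-05-01T10:00:07 EventCode=4625 Account_Name=carol src_ip=203.0.113.5
2024-05-01T10:00:09 EventCode=4625 Account_Name=dave src_ip=203.0.113.5
2024-05-01T10:00:20 EventCode=4624 Account_Name=carol src_ip=203.0.113.5
2024-05-01T10:05:00 EventCode=4625 Account_Name=erin src_ip=198.51.100.7
2024-05-01T10:06:00 EventCode=4624 Account_Name=erin src_ip=198.51.100.7
"""
LINE_RE = re.compile(r"^(\S+) EventCode=(\d+) Account_Name=(\S+) src_ip=(\S+)$")

def parse_events(text):
    """Parse the lines into dicts sorted by time; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, code, user, ip = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "code": int(code),
                           "user": user, "src_ip": ip})
    return sorted(events, key=lambda e: e["time"])

def failures_by_source(events):
    """Same aggregation as `EventCode=4625 | stats count by src_ip` (step 10)."""
    counts = defaultdict(int)
    for e in events:
        if e["code"] == 4625:
            counts[e["src_ip"]] += 1
    return dict(counts)

def sources_over_threshold(events, limit=3):
    """Step 10 alert condition: sources whose failure count exceeds `limit`."""
    return sorted(ip for ip, n in failures_by_source(events).items() if n > limit)

def failure_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Step 6 correlation: a 4624 preceded within `window` by >= min_failures 4625s
    from the same source; returns (src_ip, user) pairs worth investigating."""
    hits = []
    for e in events:
        if e["code"] == 4624:
            prior = [p for p in events if p["src_ip"] == e["src_ip"] and p["code"] == 4625
                     and timedelta(0) <= e["time"] - p["time"] <= window]
            if len(prior) >= min_failures:
                hits.append((e["src_ip"], e["user"]))
    return hits
```

The threshold and window are starting values to tune against your own baseline; a source that reaches the success stage after many failures is the one to escalate first.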

STEP 11: Final report
Include:
- type of threat
- source (IP / host)
- evidence (logs)
- timeline
- impact
- recommendations

---

7. Final outcome

This lab enables you to:
- detect hidden attacks
- analyze real-world data
- understand SOC workflows
- implement monitoring strategies

---

8. Real-world application

This approach is used daily in:
- Security Operations Centers (SOC)
- large enterprises
- financial institutions
- cloud environments

---

9. Skills developed

- log analysis
- security investigation
- advanced detection
- SIEM proficiency
- attack understanding

Copyright © All rights reserved.
* Cybersecurity Analyst
* SOC Analyst
* Security Operations Center
* Cloud Security
* DevSecOps
* Information Security
* Cybersecurity Engineer
* Threat Detection
* Incident Response
* SIEM Monitoring

---

# 🛡️ 2. SOC keywords (very important for recruiting)

* SOC Analyst Tier 1
* SOC Analyst Tier 2
* Security Monitoring
* Log Analysis
* Security Alerts
* Threat Hunting
* Malware Analysis
* Phishing Detection
* Brute Force Detection
* Incident Investigation
* Security Events
* Blue Team

---

# ☁️ 3. Cloud Security keywords

* Cloud Security Engineer
* AWS Security
* Azure Security
* Cloud Infrastructure Security
* Cloud Threat Detection
* Cloud Monitoring
* Identity and Access Management (IAM)
* Cloud Compliance
* Cloud Security Best Practices

---

# ⚙️ 4. DevSecOps keywords

* DevSecOps Engineer
* Secure CI/CD Pipeline
* Security Automation
* Infrastructure as Code Security
* Docker Security
* Kubernetes Security
* Application Security
* Code Security
* SAST / DAST
* Continuous Security

---

# 🔬 5. Technical keywords (very strong for SEO)

* Splunk
* ELK Stack (Elasticsearch, Logstash, Kibana)
* Microsoft Sentinel
* Wireshark
* Sysmon
* Linux Security
* Windows Security Logs
* Network Security
* Firewall Logs
* IDS / IPS

---

# 🚀 6. “Portfolio / recruiting” keywords

👉 Very important for being found by HR

* Cybersecurity Portfolio
* SOC Analyst Portfolio
* Cybersecurity Projects
* Cybersecurity Labs
* Security Use Cases
* Threat Detection Lab
* Cybersecurity Skills
* Entry Level Cybersecurity
* Junior Cybersecurity Analyst

---

# 📈 7. Long-tail SEO keywords (ULTRA POWERFUL)

👉 These are the ones that make the difference 🔥

* Cybersecurity analyst portfolio website
* SOC analyst projects and labs
* How to detect cyber attacks using SIEM
* Cybersecurity incident response examples
* Cloud security best practices for beginners
* DevSecOps security pipeline example
* SIEM log analysis tutorial
* Threat detection use cases

---

# 🧠 SEO STRATEGY (very important)

## 📌 Where to put these keywords:

* Home page (title + description)
* “About” page
* “Labs” page
* H1 / H2 / H3 headings
* Meta description
* Page URLs

---

# 🏆 SEO TITLE EXAMPLE (to use)

👉
**Cybersecurity Analyst Portfolio | SOC, Cloud Security & DevSecOps Projects**

---

# 🏆 META DESCRIPTION EXAMPLE

👉
**Cybersecurity Analyst portfolio with hands-on labs in SOC monitoring, SIEM, Cloud Security and DevSecOps. Available for hiring.**

---

# 🏦 🔥 1. IT Manager (DSI) keywords (banking sector)

## 🎯 Main keywords

* IT Manager
* IT Director
* Head of IT
* IT Governance
* Information Systems Management
* Digital Transformation
* IT Strategy
* Enterprise IT

---

## 🏦 BANKING-specific (very powerful)

* Banking IT Systems
* Core Banking Systems
* Financial Information Systems
* Banking Cybersecurity
* Risk Management Banking
* IT Compliance Banking
* Data Protection Banking
* Financial Security

---

## ⚖️ Governance & compliance

* IT Governance Framework
* COBIT
* ITIL
* Risk Assessment
* Business Continuity Plan (BCP)
* Disaster Recovery Plan (DRP)
* Regulatory Compliance

---

## 📊 Management & steering

* IT Project Management
* Team Leadership IT
* IT Operations Management
* KPI IT Performance
* IT Service Management (ITSM)
* Strategic IT Planning

---

# 🏥 🛡️ 2. CISO (RSSI) keywords (hospital / healthcare)

## 🎯 Main keywords

* Chief Information Security Officer (CISO)
* Information Security Manager
* Cybersecurity Governance
* Security Risk Management
* Security Policies

---

## 🏥 HEALTHCARE-specific (very important)

* Healthcare Cybersecurity
* Hospital Information Systems (HIS)
* Patient Data Protection
* Medical Data Security
* Health IT Security
* Electronic Health Records (EHR) Security

---

## 🔐 Security & compliance

* ISO 27001
* NIST Cybersecurity Framework
* GDPR Compliance
* Data Privacy
* Access Control
* Identity Management

---

## 🚨 Incident management

* Incident Response Management
* Security Operations Management
* Cyber Risk Assessment
* Vulnerability Management
* Threat Intelligence

---

# 🚀 🧠 3. Hybrid keywords (VERY POWERFUL 🔥)

👉 These link your current profile to your career progression:

* Cybersecurity Leadership
* IT Security Strategy
* Enterprise Security Architecture
* Security Governance
* IT Risk Management
* Digital Security Transformation
* Cloud Security Governance