Hunt Program Outputs That Build the Program: Garet P.

// introduction

The Hunt Program That Consumes Time and Produces Nothing Durable

Threat hunting is resource-intensive, senior analyst time, tooling access, data processing costs. But most hunt programs have no systematic process for converting hunt activity into program assets. A hunt that finds an adversary produces an incident. A hunt that finds nothing produces a verbal debrief, a closed ticket, and institutional amnesia.

The compounding problem: a program without structured outputs cannot improve. Each hunt starts from approximately the same knowledge base as the last one, because nothing from prior hunts was captured in a reusable form. Hunt outputs are not a reporting requirement, they are the mechanism by which hunting improves detection coverage, reduces telemetry gaps, and builds the institutional knowledge that makes the next hunt faster and more precise.

// framework

The Four Output Types: a Routing Framework

Every completed hunt should produce exactly one of four structured outputs. The output type determines routing, documentation standard, and downstream program impact. A single hunt can produce multiple output types simultaneously.

Adversary finding

Confirmed or suspected malicious activity requiring escalation and response

IR escalation

Detection candidate

Hunt query that produced signal worth converting to a persistent detection rule

Detection engineering

Telemetry gap

Required evidence was absent, incomplete, or not retained for the hunt period

Coverage backlog

Negative finding

Hypothesis refuted with high-confidence telemetry, documented absence of activity

Hunt record library

The accountability principle

The only hunt failure is producing no structured output. That means the hunt consumed analyst time and generated no program value beyond the analyst's personal knowledge. Every hunt that closes without a structured output record has no accountability trail.

// output type 2

Detection Candidates: the Highest Long-Term Value Output

A detection candidate is a hunt query that produced actionable signal, activity that, if observed again, should trigger an alert. It converts one analyst's investigation into a permanent automated capability. Not every hunt query meets the quality threshold:

The signal must be specific enough to have an acceptable false positive rate in production
The technique must not already be covered by an existing production rule
The required telemetry must be reliably available, not dependent on an intermittent log source
The detection logic must be expressible as a rule, not dependent on analyst judgment that cannot be codified

Detection Candidate Record, minimum fields

Candidate ID

DC-2024-047

Source hunt

H-2024-031, APT29 WMIC lateral movement hypothesis

Technique covered

T1047, Windows Management Instrumentation (lateral movement variant)

Hunt query

EventID=1 AND Image="*wmic.exe" AND ParentImage NOT IN (approved_admin_tools) AND CommandLine CONTAINS "process call create"

Signal observed

3 instances in 30-day window across 2 hosts: 1 confirmed benign (helpdesk tool), 2 unexplained pending IR review

Estimated FP rate

Low, helpdesk tool is the only known legitimate source; filterable by ParentImage exclusion

Known bypass

Parent process spoofing, supplement with Sysmon EIDs 19–21 for WMI persistence variant

Required telemetry

Sysmon Event ID 1 with full command line, confirmed available across all endpoint tiers

Assigned to

Detection engineering backlog, owner: [name] - target review: [date]

The known bypass field is non-negotiable. A detection candidate handed to engineering without documenting how it can be evaded produces a rule that gives false confidence. Every candidate should also be validated against the Atomic Red Team test for the covered technique before promotion to production.

// output type 3

Telemetry Gap Findings: a First-Class Output

A gap found during a hunt is a gap that exists right now, for a technique a threat actor in your sector is actively using. It is more operationally urgent than a gap discovered during an annual coverage review. Three gap types, each with different remediation paths:

Missing log source: the event type is simply not collected, requires configuration change or sensor deployment
Truncated or stripped fields: the log source is collected but critical fields are stripped at ingestion, requires pipeline configuration change
Retention window mismatch: collected but retained for 14 days; the hunt requires 90-day visibility, requires a budget conversation

Telemetry Gap Record: minimum fields

Gap ID

TG-2024-019

Source hunt

H-2024-031, WMI persistence hypothesis

Missing telemetry

Sysmon Event IDs 19, 20, 21 (WMI filter/consumer/binding creation)

Gap type

Missing log source, Sysmon config does not include WMI event logging

Techniques undetectable

T1546.003, WMI Event Subscription persistence

Threat relevance

APT29, FIN7, multiple ransomware affiliates use WMI persistence

Remediation

Add WMI event logging to Sysmon config, estimated 15-min config change, moderate volume increase

Priority

High, technique in active use by actors targeting our sector

The threat relevance field converts a gap record from a technical finding into a prioritizable risk item. Naming specific threat actors that use the undetectable technique provides the business case for remediation investment.

// output type 4

Negative Findings and the Absence-of-Evidence Library

Negative findings are the most systematically neglected hunt output, and the one with the highest latent value for incident scoping. A negative finding is not "we found nothing." It is a documented assertion: we searched for a specific technique in specific telemetry across a specific scope for a specific time window and did not observe evidence of it, with a confidence level based on telemetry completeness.

Three confidence levels, applied consistently:

High confidence: telemetry source confirmed complete for the hunt scope and time window. The technique was not observed. This assertion can be cited in IR scoping to bound where activity did not occur.
Medium confidence: telemetry present but with known limitations. The technique was probably not observed but absence cannot be asserted definitively.
Low confidence: telemetry gaps prevent a meaningful search. Record as a telemetry gap (Output Type 3), not a negative finding.

Negative findings accumulated over time become a queryable absence-of-evidence library. When an incident occurs, the IR team can query this library to determine which techniques have been searched for and not found in recent periods, reducing scope and focusing investigation. A growing library of high-confidence negative findings is also a defensible artifact in regulatory investigations and post-incident reviews.

// documentation

The Hunt Record: Making All Four Outputs Durable

Every completed hunt requires a hunt record: the parent document that captures the full analytical context and links to each output generated. It should be readable by an analyst who was not present and must reconstruct what happened.

Hunt Record: minimum fields

Hunt ID

H-2024-031

Hypothesis

IF APT29-consistent tradecraft is present, THEN we expect WMIC spawning cmd.exe/PowerShell on privileged-account endpoints, IN Sysmon Event ID 1, WITHIN all tier-1 endpoints over 30 days

Input source

CTI report, [vendor] APT29 campaign analysis, 2024-10-15

Queries used

[verbatim query text, reproducible without modification]

Data sources checked

Sysmon EID 1 (complete), EID 3 (complete), EID 19–21 (ABSENT, see TG-2024-019)

Result

No adversary activity confirmed. 2 unexplained WMIC instances escalated as detection candidate DC-2024-047. WMI telemetry gap identified as TG-2024-019

Outputs generated

DC-2024-047 (detection candidate) | TG-2024-019 (telemetry gap) | NF-2024-083 (negative finding, medium confidence)

Confidence level

Medium, hypothesis partially testable; WMI persistence vector not covered due to telemetry gap

Follow-on hunts

Re-execute H-2024-031 after TG-2024-019 is remediated

The queries used field must be verbatim and reproducible, not a description, not pseudocode. Another analyst must be able to paste it into the SIEM and reproduce the hunt exactly. The data sources checked field is as important as the result, it defines the evidence boundary of the hunt's conclusions.

// metrics

Program Metrics That Only Become Possible with Structured Outputs

Detection candidates → production

Measures the detection engineering contribution of hunting. The primary metric for justifying hunt program investment to leadership.

Telemetry gaps identified vs. closed

Measures whether coverage is actually improving. A growing gap backlog with no closures signals a resourcing or prioritization failure.

High-confidence negative findings per technique category

Measures the organization's ability to make meaningful absence claims. A mature program can assert what it has actively looked for and not found.

Hunt re-execution rate after gap remediation

Measures whether telemetry gaps are actually being closed and tested. Gap remediation that is never followed by a re-hunt produced no detection value.

Time from hunt finding to production detection

Measures pipeline latency between a hunter finding a technique and the SOC having automated coverage for it.

These metrics require structured output records to compute. They cannot be calculated from hunt tickets or verbal debriefs. The documentation discipline and the measurement capability are the same investment.

// conclusion

A Hunt Program Is Only as Mature as Its Outputs

"A hunt that finds nothing and documents nothing cost forty analyst hours and produced zero institutional value. The documentation is not overhead, it is the product."

The value of a hunt program is not measured by how many hunts ran or whether any found an adversary. It is measured by whether the program is detectably better after six months of hunting than it was before. Detection candidates in production, telemetry gaps closed, a growing absence-of-evidence library, these only exist if outputs are structured and routed.

The closing test: take your last ten hunt records and count how many produced a detection candidate that reached production, how many identified a telemetry gap that was subsequently closed, and how many generated a negative finding with a documented confidence level. If the answer to all three is zero, you have been running hunts. You have not been running a hunt program.

Key references

Sqrrl hunting maturity model (HMM) levels 1–4, structured output documentation is the inflection point between level 2 and level 3; SANS FOR508 hunt documentation standards; Palantir ADS framework for detection candidate handoff.