
Threat Hunt (TH) Program Part 8 - Threat Hunt Mission Reporting

  • brencronin
  • 2 days ago
  • 9 min read

Threat Hunt Mission Reporting SOP


1. Purpose


This Standard Operating Procedure (SOP) defines the requirements, structure, and standards for producing Threat Hunt Mission Reports. A Threat Hunt Mission Report is the formal deliverable published upon the completion of every Threat Hunt mission. It provides stakeholders with a comprehensive record of the hunt objectives, methodology, findings, indicators of compromise, detection outputs, and recommendations for improving the organization's security posture.


This SOP governs report content, section requirements, and the responsibilities of Threat Hunters and Threat Hunt Reviewers in producing and approving reports.


2. Scope


This SOP applies to all Threat Hunt missions executed by the SOC Threat Hunt team. A report is required for every completed mission, regardless of whether a threat was identified. Negative results are a valid and important mission outcome and must be documented in accordance with this SOP.


3. Roles and Responsibilities


3.1 Threat Hunter


  • Responsible for authoring all sections of the Threat Hunt Mission Report.

  • Must complete and submit the report within the timeframe specified by the Threat Hunt Lead upon mission closure.

  • Ensures all queries, IOCs, findings, and recommendations are accurately documented.


3.2 Threat Hunt Reviewer


  • Reviews the completed report for accuracy, completeness, and analytical soundness.

  • Approves the report prior to publication and distribution to stakeholders.

  • May return the report to the author for revision with documented comments.


NOTE: Threat Hunt Mission Reports are published only after formal Reviewer approval.


4. Report Structure and Section Requirements


Every Threat Hunt Mission Report must include all sections defined in this SOP. Sections that do not apply to a given mission must be retained and populated with 'N/A' along with a brief explanatory note. The required report structure is as follows:

 

Section | Title | Requirement
1 | Executive Summary | Required — must be completed for every mission
2 | Stakeholder Requirements | Required — summarizes hunt scope and tasking
3 | Key Findings | Required — populate N/A with note if no findings
4 | Detection Methods | Required — reference current MITRE ATT&CK v18 detection strategies
5 | KQL Queries | Required — list all hunt queries executed
6 | Indicators of Compromise | Required — list IOCs or reference Appendix A
7 | Chronology of Events | Required — N/A if no foothold identified
8 | Analysis Summary | Required — include time range and log sources
9 | Mission Completion Products | Required — list all outputs produced
10 | Recommendations | Required — include mitigations table and D3FEND controls
11 | References | Required
Appendix A | IOC Master List | Required if IOC volume warrants separate listing
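As an added example (not part of this SOP or the author's tooling), a small Python lint a Reviewer could run before approval: it checks that every section in the table above is present and non-empty, that any section marked N/A carries the explanatory note this section requires, and that an IOC section with more than 20 table rows references Appendix A (the Section 6 rule given later in the guidance). The heading pattern and pipe-delimited table rows are assumptions about how a report is written in plain text; the sample report is constructed.

```python
import re
# Report structure required by Section 4 of this SOP: (section id, title).
REQUIRED_SECTIONS = [
    ("1", "Executive Summary"), ("2", "Stakeholder Requirements"), ("3", "Key Findings"),
    ("4", "Detection Methods"), ("5", "KQL Queries"), ("6", "Indicators of Compromise"),
    ("7", "Chronology of Events"), ("8", "Analysis Summary"), ("9", "Mission Completion Products"),
    ("10", "Recommendations"), ("11", "References"), ("Appendix A", "IOC Master List")]
# Assumed heading style, e.g. "6. Indicators of Compromise (IOCs)" or "Appendix A - IOC Master List".
HEADING_RE = re.compile(r"^(?:Section\s+)?(\d{1,2}|Appendix [A-Z])[.:)\s-]+\s*(.+?)\s*$")

def split_sections(report):
    # Map each recognised (id, title) heading to the text beneath it.
    sections, current = {}, None
    for line in report.splitlines():
        m = HEADING_RE.match(line)
        key = m and (m.group(1), re.sub(r"\s*\(.*\)$", "", m.group(2)))
        if key in REQUIRED_SECTIONS:
            current, sections[key] = key, []
        elif current is not None:
            sections[current].append(line)
    return {k: "\n".join(v).strip() for k, v in sections.items()}

def lint_report(report):
    # Return the findings a Reviewer would block on; an empty list passes.
    findings, sections = [], split_sections(report)
    for key in REQUIRED_SECTIONS:
        label, body = f"{key[0]} {key[1]}", sections.get(key)
        if not body:
            findings.append(f"missing or empty section: {label}")
        elif body.upper().startswith("N/A"):
            # Section 4: a non-applicable section keeps 'N/A' plus a brief explanatory note.
            if len(body[3:].strip(" -\u2014:\n").split()) < 3:
                findings.append(f"'N/A' without explanatory note: {label}")
    ioc = sections.get(("6", "Indicators of Compromise"), "")
    rows = [ln for ln in ioc.splitlines()[1:] if ln.count("|") >= 3]  # table rows after header
    if len(rows) > 20 and "Appendix A" not in ioc:  # Section 6 threshold for Appendix A
        findings.append("IOC set exceeds 20 entries without referencing Appendix A")
    return findings
# Constructed sample (not a real mission): Section 3 lacks its note, and Sections 4, 5,
# 8 to 11 and Appendix A are absent, so lint_report returns eight findings.
SAMPLE_REPORT = """1. Executive Summary
Proactive hunt; no malicious activity identified.
2. Stakeholder Requirements
Scope: Sentinel SecurityEvent table, 30 days.
3. Key Findings
N/A
6. Indicators of Compromise (IOCs)
IOC Type | Value | Confidence | Context
7. Chronology of Events
N/A - No threat foothold was identified during this mission.
"""
```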

 

5. Section-by-Section Guidance and Requirements


5.1 Section 1 — Executive Summary


The Executive Summary provides a concise overview of the mission for leadership and non-technical stakeholders. It must be written in plain language and must not assume technical expertise. The Executive Summary consists of three required subsections:


5.1.1 Incident


If the Threat Hunt mission arose directly from a security incident or was tasked as part of an incident response, this subsection must document the relevant incident details, including the incident reference number, date, and a brief description of the triggering event. If the hunt was proactive and not incident-driven, enter: 'This Threat Hunt mission was proactively tasked and was not initiated in response to a specific security incident.'


5.1.2 Action


Summarize the actions taken during the mission. This should be a brief narrative, typically two to four sentences, describing the type of analysis performed.


NOTE: Example: 'Research was conducted into threat actor indicators of compromise (IOCs), binary abuse, and tactics, techniques, and procedures (TTPs) to develop and execute targeted Threat Hunt queries across the environment.'


5.1.3 Conclusion


Summarize the overall outcome of the mission in two to five sentences. State clearly whether malicious activity, suspicious behavior, or security control gaps were identified. Reference key findings where relevant. If no threat activity was identified, state this explicitly.


5.2  Section 2 — Stakeholder Requirements


This section documents the formal requirements and analytical objectives that were established for the mission. It must include the following three components:

 

  • Threat Hunting Actions and Expanded Timeline Analysis: Describe the specific hunting actions undertaken and the time range over which the hunt was conducted. Include the scope of data sources, log types, and systems analyzed.

  • Threat Actor Profile: If the mission was focused on a specific threat actor or actor group, summarize the relevant threat actor profile, including known TTPs, tooling, and targeting behavior relevant to this mission.

  • Summary Analysis: Provide a high-level summary of the analytical approach used during the mission, including any pivoting performed based on initial findings.


5.3  Section 3 — Key Findings


The Key Findings section is the analytical core of the report. It is organized into the following structured subsections:

 

5.3.1  Customer Profile


Document relevant details about the customer environment as they pertain to the hunt. If no customer-specific profile information was identified or is relevant, enter 'None found in the environment.'

 

5.3.2  Threat Actor Profile Attribution


If attribution to a specific threat actor or group was determined or assessed, document the attribution rationale here, including supporting evidence such as overlapping TTPs, infrastructure, or tooling. If attribution could not be established, state this explicitly.

 

5.3.3  Targeting Assessment


Complete the following targeting assessment for the environment. For each criterion, select Yes or No and provide brief supporting commentary:


 

 

Vulnerability Present — A relevant, exploitable vulnerability exists in the environment | YES / NO

Threat Active — The threat actor or threat category is assessed as actively targeting similar environments | YES / NO

Access to Tooling and Data — Evidence suggests the threat actor has or could obtain the tooling or access required to execute against this environment | YES / NO

Mission Directive and High Value — The organization or its data represents a high-value target consistent with the assessed threat actor's mission directive | YES / NO

 

5.3.4  Threat Modeling


Document the threat modeling artifacts used and developed during the mission, organized by category:


  • IOC: List indicators of compromise used to scope the hunt, including hashes, IPs, domains, and URLs.

  • Binary: Document any malicious or suspicious binaries analyzed, including file names, hashes, and behavioral characteristics.

  • TTP: List the MITRE ATT&CK techniques and sub-techniques that formed the basis of the hunt hypothesis.

  • Hypothesis: State the threat hypothesis that the hunt was designed to test.

  • Anomaly-Based and Allowlisting: Document any anomaly-based detection approaches used, and note any allowlisting or baselining performed to reduce false positive volume.

 

5.3.5  Threat Categories Identified


For each of the following threat categories, document what was identified during the mission. If nothing was found in a category, enter 'None identified.'


  • IOC: Indicators identified during hunt execution.

  • Binary: Malicious or suspicious binaries identified.

  • TTP: Adversary techniques or sub-techniques observed in the environment.

  • Hypothesis: Whether the hunt hypothesis was confirmed, partially confirmed, or not confirmed, with supporting rationale.

  • Anomaly-Based / Allowlisting: Anomalous behaviors identified, and any allowlist entries created or recommended.


5.4 Section 4 — Detection Methods


Document the detection methods employed during the mission. Detection methods must be referenced using the current MITRE ATT&CK v18 Detection Strategies framework, which replaces the legacy Data Sources model. ATT&CK v18 introduced a detection overhaul in which the new Detection Strategies object defines how a technique can be detected and mirrors real-world adversary behavior.


NOTE: Legacy MITRE ATT&CK data source references (e.g., DS0015 Application Log Content Inspection, DS0029 Network Traffic Content Inspection) may be included for backward compatibility with existing tooling documentation, but all new detections must reference the ATT&CK v18 Detection Strategies format.


For each technique analyzed, document the applicable detection strategy, the data source leveraged, and whether the detection was executed via query, alert rule, or manual analysis.

 

ATT&CK Technique | Detection Strategy (v18) | Data Source / Log Type | Detection Method
Example: T1059.001 | Process Command-Line Monitoring | Microsoft-Windows-Sysmon/Operational | KQL Query / Sentinel Analytic

5.5 Section 5 — KQL Queries


List all KQL queries executed during the Threat Hunt mission. Each query entry must include the query name or description, the associated ATT&CK technique, the SIEM workspace or table targeted, and the query logic itself. Queries should be formatted in a code block for readability.


NOTE: All queries documented in this section must also be uploaded to the central Threat Hunt tracker as required by the Threat Hunt Mission Execution SOP.

Query Name / Description: Example: Encoded PowerShell Execution
ATT&CK Technique: T1059.001
KQL Query Logic:
    SecurityEvent | where EventID == 4688 | where CommandLine has "-EncodedCommand"

5.6  Section 6 — Indicators of Compromise (IOCs)


List all indicators of compromise identified during or used to scope the Threat Hunt mission. For large IOC sets (more than 20 entries), summarize the IOC categories here and reference Appendix A for the complete listing.

 

IOC Type | Value | Confidence | Context / Attribution
IP Address | 192.168.1.1 | High | C2 infrastructure — APT29

5.6.1  Profile Collections Found


Document any credential or profile collections identified during the mission, including account names, credential hashes, or profile data found in unexpected locations. If none were identified, enter 'None identified.'

 

5.6.2  MITRE ATT&CK Matrix Mapping


Provide a mapping of all identified findings to the MITRE ATT&CK Enterprise Matrix. Where possible, include a visual matrix excerpt or a tabular listing of all techniques and sub-techniques observed or tested during the mission, organized by Tactic.


5.7  Section 7 — Chronology of Events


If a threat foothold or intrusion was identified during the mission, document a chronological timeline of events here, including the first observed indicator, subsequent activity, and any lateral movement or escalation identified.

 

NOTE: If no foothold was identified during the mission, enter: 'N/A — No threat foothold was identified during this mission.'

Timestamp (UTC) | ATT&CK Technique | Event Description
YYYY-MM-DD HH:MM:SS | T####.### | Description of observed event.

5.8  Section 8 — Analysis Summary


Provide a narrative summary of the analytical work performed during the mission. This section must include:


  • The full time range covered by the Threat Hunt analysis (start date/time and end date/time, in UTC).

  • A complete list of log sources, tables, and data connectors searched during the mission.

  • A summary of the volume of data analyzed and any significant data quality or visibility issues encountered.

  • A narrative assessment of whether the environment was sufficiently visible to draw confident conclusions, or whether data gaps limited the hunt.

 

Hunt Time Range (UTC) | YYYY-MM-DD HH:MM to YYYY-MM-DD HH:MM
Log Sources Searched | List all Microsoft Sentinel tables, connectors, and third-party data sources queried
Total Query Results Reviewed | Approximate number
Data Visibility Assessment | Complete / Partial / Limited — with explanatory note

5.9  Section 9 — Threat Hunt Mission Completion Products


Document all products and deliverables produced as a result of this Threat Hunt mission. Each item must be listed with its status and a brief description. Include all of the following categories, marking any that are not applicable:

Product Type | Status | Description / Reference
Microsoft Sentinel Queries | Complete / N/A | List query names or reference the Threat Hunt tracker.
Sentinel Analytics Rules | Complete / N/A | List analytics rule names and workspace deployed to.
Watchlist Updates | Complete / N/A | Describe any watchlists created or updated.
Visibility Gaps Identified | Complete / N/A | Document log sources or detection areas with insufficient coverage.
Host Deep Dives | Complete / N/A | List hosts subjected to deep-dive analysis and findings.
SOC Escalations | Complete / N/A | Describe any findings escalated to the SOC for follow-up investigation, including case or ticket reference numbers.

NOTE: SOC Escalations should reference the corresponding SOC incident or ticket number and include a brief description of what was escalated and the outcome, if known at time of report publication.


5.10  Section 10 — Recommendations


This section documents recommended actions to remediate identified gaps, strengthen detection coverage, and reduce risk. Recommendations are organized into two subsections: MITRE ATT&CK Enterprise Mitigations and MITRE D3FEND security controls.

 

5.10.1  Mitigations (MITRE ATT&CK Enterprise)


List all applicable MITRE ATT&CK Enterprise mitigations relevant to the findings of this mission. Reference the MITRE ATT&CK Enterprise Mitigations catalog (https://attack.mitre.org/mitigations/enterprise/). For each mitigation, complete the four-column table below. A memo row follows each mitigation entry for additional analyst commentary.


NOTE: Status definitions — Covered: The mitigation is implemented and verified. Verify: Implementation is expected but confirmation is needed. Uncovered: The mitigation is not in place. N/A: The mitigation is not applicable to this environment.


 

MITRE Mitigation ID | Mitigation Description | Status | Security Tooling Providing Coverage
M1026 | Privileged Account Management — Manage the creation, modification, use, and permissions associated with privileged accounts. | Covered / Verify / Uncovered / N/A | e.g., Microsoft Entra PIM, CyberArk
Memo: Enter additional context, coverage notes, or analyst commentary here.
M1038 | Execution Prevention — Block execution of code on a system through application control and/or script blocking. | Covered / Verify / Uncovered / N/A | e.g., Microsoft Defender for Endpoint, AppLocker
Memo: Enter additional context, coverage notes, or analyst commentary here.
M1049 | Antivirus / Antimalware — Use signatures or heuristics to detect malicious software. | Covered / Verify / Uncovered / N/A | e.g., Microsoft Defender Antivirus, CrowdStrike
Memo: Enter additional context, coverage notes, or analyst commentary here.
[Add rows as needed] | | |
Memo: Enter additional context, coverage notes, or analyst commentary here.

5.10.2  Security Controls (MITRE D3FEND)


List applicable defensive security controls from the MITRE D3FEND matrix (https://d3fend.mitre.org/) that are relevant to the mission findings. For each control, document implementation status and the tooling providing coverage, using the same table format as above.

 

D3FEND Technique ID | Defensive Technique Description | Status | Security Tooling Providing Coverage
D3-PSA | Process Spawn Analysis — Monitoring of process creation events for anomalous patterns. | Covered / Verify / Uncovered / N/A | e.g., Microsoft Sentinel, Sysmon
Memo: Enter additional context, coverage notes, or analyst commentary here.
D3-NTF | Network Traffic Filtering — Restricting network traffic based on criteria such as IP, port, or protocol. | Covered / Verify / Uncovered / N/A | e.g., Azure Firewall, Palo Alto NGFW
Memo: Enter additional context, coverage notes, or analyst commentary here.
[Add rows as needed] | | |
Memo: Enter additional context, coverage notes, or analyst commentary here.


5.11  Section 11 — References


List all references cited or consulted during the mission and in the preparation of this report. References must include the source name and URL or document identifier where applicable.


Reference | URL / Identifier
MITRE ATT&CK Enterprise |
MITRE ATT&CK v18 Detection Strategies |
MITRE D3FEND Matrix |
MITRE ATT&CK Enterprise Mitigations |
[Additional references] |

Report Sign-Off

Role | Name (Print) | Date | Signature
Threat Hunter (Author) | | |
Threat Hunt Reviewer | | |

SOP References





 
 
 
