Appendix D – Threat Hunting Use Cases

Use Case 1

Under Menu > Predefined Queries > Suspicious Scripts > Script process executions:

Use Case 2

Use PROCESS record type > Process Name > Is > cmd.exe

Use Case 3

  1. Click and go to MITRE ATT&CK > SHOW MITRE ATTACK.

  2. Go to Persistence > Logon Scripts.