When a new threat actor technique emerges — whether from a research blog, an intelligence feed, or breaking news — every threat hunter instinctively shifts into hypothesis mode. Could this be happening in my environment? Are early signals hiding in the noise?
Take the recent TOLLBOOTH research as an example. The moment Elastic Security Labs published the attack chain, an analyst might begin forming hypotheses based on specific techniques described, such as:
- Have historically frozen or archived IIS server logs shown any anomalies when re-examined with full telemetry?
- Are there signs of credential dumping or privilege escalation attempts on any IIS servers?
This is the essence of hypothesis-driven hunting: start with a developing threat, and rapidly ask targeted questions. It’s one of the most effective ways to get ahead of emerging attacks, but it demands broad visibility and tools that can keep up with your curiosity.
The reality for many SOC teams, however, falls short. They face data silos, limited search capabilities, and the fatigue of manual correlation.
Elastic Security is designed to remove these barriers by enabling hypothesis-driven threat hunting at speed and scale. By unifying security telemetry and enabling analytics across clusters, threat hunters can ask complex questions across all their data, correlate signals, and validate hypotheses quickly without manual data stitching.
This capability is delivered through a set of foundational building blocks that work together:
- Agentic workflows and a knowledge-grounded AI Assistant to triage alerts, generate validated ES|QL queries, drive remediation, and recommend next steps.
- Elastic Security Labs to bring continuously updated threat research and adversary insights directly into detections and investigations.
- Detection rules to provide out-of-the-box coverage aligned to real-world attack techniques and hunting scenarios.
- Entity analytics to correlate users, hosts, and services, assign risk scores, and surface anomalies to enrich every investigation.
- Machine learning and anomaly detection to surface deviations from normal behavior and expose unknown or emerging threats.
- ES|QL, visualizations, and cross-cluster search to enable fast, expressive querying, intuitive analysis, and seamless hunting across distributed environments without blind spots.
Together, these building blocks give security teams the speed, scale, and analytical depth needed to move from reactive investigation to confident, proactive threat hunting—testing hypotheses across all of their data within a single, unified Elastic Security platform.
Into the woods: Navigating a real-world LOLBins hunt
This section shows how a threat hunt plays out in practice, moving from an empty search bar to a confirmed and contained threat through a real-world scenario focused on Living Off the Land Binaries (LOLBins).
Build your hypothesis with a RAG-powered AI Assistant
Your investigation can begin even before writing a single query. You can use Elastic’s retrieval-augmented generation (RAG)–powered AI Assistant to pull in trusted knowledge sources, such as Elastic Security Labs research, and build the foundation of your hypothesis. You can add any trusted sources as knowledge to ensure the Assistant reflects the data you rely on.
If you don’t have a specific target yet, you can ask the Assistant, “Based on current trends, what hypothesis should I start my hunt with today?” The Assistant scans the configured knowledge base, which provides relevant context, and directly generates a primary hypothesis along with supporting reasons and evidence. In this scenario, Elastic Security Labs content has been added to the knowledge base to supply the context.
Sit back while AI Assistant creates your tailored threat hunting query
Once you accept the LOLBin hypothesis, the AI Assistant generates a precise ES|QL threat hunting query tailored to your environment. Instead of writing complex syntax from scratch, you receive a targeted search designed to surface the specific suspicious behaviors.
To ensure queries are ready to run, the Elastic AI Assistant uses an agentic workflow to generate bespoke ES|QL queries from human-supplied use cases. It draws on your Elastic cluster data to craft accurate, ready-to-run responses and performs automatic validation before returning the final query. This background validation removes the need for manual troubleshooting, delivering a verified, ready-to-use query that can be pulled directly into your investigation timeline from the AI Assistant.
Alternatively, you can link a GitHub repository of Elastic’s threat hunting queries to the Assistant’s knowledge base to use existing queries as a baseline for your next steps.
Hunt Threats Across Your Entire Environment with ES|QL
If you manage a global environment and need to determine whether this activity is occurring in other clusters, you can expand your hypothesis by asking the AI Assistant to adapt the query for a Cross-Cluster Search (CCS). This enables you to search across multiple clusters in your environment—including frozen and long-term data—without disrupting your investigative workflow.
Seamlessly transition from the AI Assistant to the timeline view and run the query. This targeted search uncovers a critical finding: an instance of rundll32.exe executing on a Windows server with hostname elastic-defend-endpoint under the gbadmin user account.
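As an added example (not Elastic’s code and not part of the original post), the Python below shows the shape of a LOLBin hunt like the one described above: it assembles an ES|QL query whose FROM clause can be expanded into a cross-cluster search, and it evaluates the same predicate locally on constructed process events so the logic can be checked offline. The index pattern `logs-endpoint.events.process-*`, the cluster aliases, the LOLBin and parent-process lists, and every sample event are assumptions made for the example.

```python
"""Hypothetical LOLBin hunt helper (illustrative, not Elastic's own code)."""
from collections import Counter

# Binaries commonly abused as Living Off the Land Binaries (assumed list).
LOLBINS = ("rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe")
# Parent processes from which a LOLBin launch deserves a second look (assumed).
SUSPICIOUS_PARENTS = ("winword.exe", "excel.exe", "outlook.exe", "powershell.exe")
# Command-line fragments pointing at user-writable locations (assumed).
SUSPICIOUS_PATHS = ("\\Users\\", "\\Temp\\", "\\ProgramData\\")
# Index pattern is an assumption; adjust to your own data streams.
DEFAULT_INDEX = "logs-endpoint.events.process-*"


def build_esql_query(index=DEFAULT_INDEX, clusters=()):
    """Return the ES|QL hunt text. When remote cluster aliases are given,
    the FROM clause lists the local index plus each remote copy, which is
    how ES|QL expresses a cross-cluster search."""
    sources = [index] + [f"{c}:{index}" for c in clusters]
    bins = ", ".join(f'"{b}"' for b in LOLBINS)
    parents = ", ".join(f'"{p}"' for p in SUSPICIOUS_PARENTS)
    # Triple-quoted ES|QL strings avoid escaping backslashes in LIKE patterns.
    paths = " OR ".join(
        f'process.command_line LIKE """*{p}*"""' for p in SUSPICIOUS_PATHS
    )
    return "\n".join([
        f"FROM {','.join(sources)}",
        f"| WHERE process.name IN ({bins})",
        f"    AND (process.parent.name IN ({parents}) OR {paths})",
        "| STATS hits = COUNT(*) BY host.name, user.name, process.name",
        "| SORT hits DESC",
        "| LIMIT 100",
    ])


def is_suspicious(event):
    """The WHERE clause above, evaluated on one ECS-shaped event dict."""
    if event.get("process.name", "").lower() not in LOLBINS:
        return False
    parent = event.get("process.parent.name", "").lower()
    cmd = event.get("process.command_line", "")
    return parent in SUSPICIOUS_PARENTS or any(p in cmd for p in SUSPICIOUS_PATHS)


def hunt_lolbins(events):
    """The STATS/SORT stages: hit counts per (host, user, binary), most hits first."""
    counts = Counter(
        (e["host.name"], e["user.name"], e["process.name"].lower())
        for e in events
        if is_suspicious(e)
    )
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample events using ECS field names; none are real telemetry.
SAMPLE_EVENTS = [
    {"host.name": "elastic-defend-endpoint", "user.name": "gbadmin",
     "process.name": "rundll32.exe", "process.parent.name": "winword.exe",
     "process.command_line": r"rundll32.exe C:\Users\Public\update.dll,Run"},
    {"host.name": "elastic-defend-endpoint", "user.name": "gbadmin",
     "process.name": "rundll32.exe", "process.parent.name": "explorer.exe",
     "process.command_line": r"rundll32.exe C:\Users\gbadmin\AppData\Local\Temp\x.dll,Start"},
    {"host.name": "elastic-defend-endpoint", "user.name": "SYSTEM",
     "process.name": "rundll32.exe", "process.parent.name": "svchost.exe",
     "process.command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"host.name": "file-server-01", "user.name": "svc_backup",
     "process.name": "certutil.exe", "process.parent.name": "cmd.exe",
     "process.command_line": r"certutil.exe -hashfile C:\Program Files\Backup\agent.exe SHA256"},
    {"host.name": "workstation-07", "user.name": "jdoe",
     "process.name": "mshta.exe", "process.parent.name": "powershell.exe",
     "process.command_line": r"mshta.exe C:\ProgramData\report.hta"},
    {"host.name": "workstation-07", "user.name": "jdoe",
     "process.name": "notepad.exe", "process.parent.name": "explorer.exe",
     "process.command_line": r"notepad.exe C:\Users\jdoe\notes.txt"},
]

if __name__ == "__main__":
    print(build_esql_query(clusters=("emea", "apac")))
    for key, hits in hunt_lolbins(SAMPLE_EVENTS):
        print(hits, *key)
```

On the sample set, the two gbadmin rundll32.exe launches on elastic-defend-endpoint rank first and the mshta.exe launch on workstation-07 second; the SYSTEM rundll32.exe call with a system DLL and the certutil hash check fall outside the predicate, which is the kind of admin-versus-attacker distinction the next section goes on to make with entity context.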
Add context with analytics and visualizations
Finding a hit is only step one; now, you must determine if this is an admin performing maintenance or an actual attack. Validating your ideas requires deep analytics across hosts and users. By drilling down into the affected host, you land in the Entity Details.
Here, you’re not just seeing a hostname. You’re seeing a consolidated view of the host’s risk score, the specific alerts contributing to that score, and the asset’s criticality—all in one place. By bringing together detection signals, behavioral anomalies, and asset importance, Elastic’s entity risk scoring helps analysts quickly understand why an asset is risky, how urgent the threat is, and where to focus first. This unified context reduces investigation time, minimizes guesswork, and enables confident prioritization in high-volume environments.
Confirm the anomaly with machine learning
When you examine the risk score, the supporting evidence is displayed alongside it. You can see the specific alerts contributing to the elevated risk score, including a mix of medium-severity alerts and a Machine Learning (ML) alert such as “Unusual Windows Path Activity”.
Because ML is uniquely suited to detecting subtle deviations that static rules often miss, seeing an ML alert contributing to the risk score helps validate that this activity isn’t just noise—it points to a meaningful behavioral anomaly.
The event details immediately visualize the process lineage, revealing the critical evidence right in the panel. These insights transform your hypothesis from plausible to provable.
Take Action: From Insight to Response
After validating your hypothesis by uncovering suspicious activity, the immediate next step is response. Elastic Security lets responders act directly from their investigations without switching platforms.
Once a compromised host is confirmed, you can take action from the console by isolating the host to prevent lateral movement or terminating the malicious process tree uncovered in your LOLBin hunt. This seamless transition from investigation to response enables rapid containment using the same tools and context.
Operationalize Queries and Automate Hunting
To automate future hunts and eliminate manual verification of recurring patterns, you can import a hunting query directly into a detection rule, or create a rule for specific behaviors, anomalies, or new term values appearing for the first time, and convert it into a fully operational detection rule with a single click.
In enterprise environments, a LOLBin hunt can quickly generate a high volume of alerts. This is where agentic Attack Discovery makes a big difference. Its primary purpose is to help you triage efficiently by automatically correlating signals and highlighting the activity that requires immediate attention.
You can also group and tag hunting-related alerts and run Attack Discovery specifically on those sets to uncover meaningful patterns. This flexibility makes Attack Discovery valuable not only for automated alert triage, but also for advanced, hypothesis-driven threat hunting workflows.
Bonus: Automate with Elastic Agent Builder
Imagine building a LOLBin Hunter custom agent—purpose-built to hunt for LOLBin activity across your security data. Using Elastic Agent Builder, you can create this agent powered by an LLM and equipped with tools such as the ES|QL queries used in your manual workflow.
Once configured, you can interact with your security data using natural language, and the agent will reason through your request, select the most relevant tools, and take action. For example, you could ask: “Show me LOLBin activity that triggered machine learning anomalies and summarize the affected hosts and their risk scores.”
Stay ahead of emerging attacks with Elastic Security
Hypothesis-driven threat hunting is critical for staying ahead of modern attacks, but it can be complex and time-consuming without the right tools. Elastic Security combines AI-assisted investigation, ES|QL search, contextual analytics, machine learning, and integrated response to make every stage simpler and faster.
From the moment a new threat emerges to the point of actionable response, Elastic empowers analysts to uncover hidden signals, validate their hypotheses, and act decisively—turning raw data into intelligence and intelligence into action.
Interested in learning more about Elastic Security? Browse our webinars, events, and more or get started with your free trial today.
