The next stage in the threat hunt cycle is applying forensic techniques to test the hypothesis. The bulk of this book has been devoted to using forensic techniques to find indicators in a variety of locations. In threat hunting, the hunt team will apply those same techniques to various evidence sources to determine if any indicators are present.
For example, in the previous section, five URLs were identified as indicators associated with the malware Emotet. Threat hunters can leverage several sources of evidence to determine whether those indicators are present. An examination of proxy logs would reveal whether any internal systems requested any of those URLs; note that for HTTPS traffic a proxy typically records only the destination hostname (the CONNECT request), not the full URL, so the hostnames extracted from the indicator URLs should be searched for as well. DNS logs are also useful, as they show whether any system on the internal network attempted to resolve the domain names in those URLs, an event worth noting even when no connection followed, and the answers returned provide the IP addresses the domains resolved to at the time. Finally, firewall logs may be useful in determining whether any connections were made to those resolved IP addresses; because a firewall sees addresses rather than URLs, the IP addresses must first be obtained from DNS answers or threat intelligence, and a match on an IP address alone is a weaker indicator than a URL match, since a single address may host many unrelated domains.
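The three checks described above, combined into one hunt that pivots from URL to hostname to resolved IP address, as an added example that is not part of the original text. The indicator URLs, the proxy, DNS and firewall log lines, and the addresses are all constructed for illustration (reserved example domains and documentation address ranges), not real Emotet infrastructure; the log formats are simplified Squid-, BIND- and netfilter-style lines, and the function names are this example's own.

```python
"""Hunt for URL indicators across proxy, DNS and firewall logs.

Added example. Indicator URLs and all log lines below are constructed
(reserved example domains, documentation IP ranges); they are not real
Emotet indicators or real logs.
"""
import re
from urllib.parse import urlparse

# Hypothetical indicator URLs standing in for the list from the hypothesis.
INDICATOR_URLS = [
    "http://docs.example.net/wp-content/update.php",
    "http://cdn.example.org/files/invoice.doc",
]

# Constructed Squid-style access.log: time, elapsed, client, status, size, method, target.
PROXY_LOG = """\
1700000001.123    210 10.1.2.10 TCP_MISS/200 4521 GET http://docs.example.net/wp-content/update.php - HIER_DIRECT/198.51.100.7 text/html
1700000002.456     98 10.1.2.11 TCP_MISS/200 1200 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1700000003.789    300 10.1.2.12 TCP_TUNNEL/200 3300 CONNECT cdn.example.org:443 - HIER_DIRECT/203.0.113.9 -
"""

# Constructed, simplified BIND-style resolver log with query and answer lines.
DNS_LOG = """\
15-Nov-2023 10:00:01.001 client 10.1.2.10#51234: query: docs.example.net IN A + (10.1.0.53)
15-Nov-2023 10:00:01.002 client 10.1.2.10#51234: answer: docs.example.net A 198.51.100.7
15-Nov-2023 10:00:05.100 client 10.1.2.20#40022: query: mail.example.com IN MX + (10.1.0.53)
15-Nov-2023 10:00:09.500 client 10.1.2.12#44001: query: cdn.example.org IN A + (10.1.0.53)
15-Nov-2023 10:00:09.501 client 10.1.2.12#44001: answer: cdn.example.org A 203.0.113.9
"""

# Constructed netfilter-style firewall lines: addresses only, no URLs.
FW_LOG = """\
Nov 15 10:00:01 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.10 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=80
Nov 15 10:00:04 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.20 DST=192.0.2.44 PROTO=TCP SPT=51001 DPT=443
Nov 15 10:00:09 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.12 DST=203.0.113.9 PROTO=TCP SPT=51002 DPT=443
"""

DNS_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: (?P<kind>query|answer): (?P<name>[\w.-]+)")
ANSWER_RE = re.compile(r"\sA\s(?P<ip>\d+\.\d+\.\d+\.\d+)\s*$")
FW_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*DPT=(?P<dpt>\d+)")


def hosts_from_urls(urls):
    """DNS and HTTPS proxy evidence is keyed on hostname, so derive it per URL."""
    return {urlparse(u).hostname.lower() for u in urls}


def hunt_proxy(log, urls, hosts):
    """(client, matched value) for requests hitting an indicator URL or host.
    Plain HTTP lines carry the full URL; HTTPS shows only 'CONNECT host:port'."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, method, target = fields[2], fields[5], fields[6]
        if method == "CONNECT":
            host = target.rsplit(":", 1)[0].lower()
            if host in hosts:
                hits.append((client, host))
        elif target in urls:
            hits.append((client, target))
    return hits


def hunt_dns(log, hosts):
    """Return (clients that queried an indicator host, IPs those hosts resolved to).
    A resolution attempt is a lead even if no connection followed."""
    queries, resolved = [], set()
    for line in log.splitlines():
        m = DNS_RE.search(line)
        if not m or m.group("name").lower().rstrip(".") not in hosts:
            continue
        if m.group("kind") == "query":
            queries.append((m.group("client"), m.group("name")))
        else:
            ipm = ANSWER_RE.search(line)
            if ipm:
                resolved.add(ipm.group("ip"))
    return queries, resolved


def hunt_firewall(log, ips):
    """(src, dst, dport) for accepted flows to IPs the indicator hosts resolved to."""
    hits = []
    for line in log.splitlines():
        m = FW_RE.search(line)
        if m and m.group("dst") in ips:
            hits.append((m.group("src"), m.group("dst"), int(m.group("dpt"))))
    return hits


def run_hunt(urls, proxy_log, dns_log, fw_log):
    """Pivot URL -> hostname -> resolved IP across the three evidence sources."""
    hosts = hosts_from_urls(urls)
    proxy_hits = hunt_proxy(proxy_log, set(urls), hosts)
    dns_queries, resolved_ips = hunt_dns(dns_log, hosts)
    fw_hits = hunt_firewall(fw_log, resolved_ips)
    suspects = sorted({c for c, _ in proxy_hits} | {c for c, _ in dns_queries}
                      | {s for s, _, _ in fw_hits})
    return {"proxy": proxy_hits, "dns": dns_queries, "resolved_ips": sorted(resolved_ips),
            "firewall": fw_hits, "suspects": suspects}


if __name__ == "__main__":
    for key, value in run_hunt(INDICATOR_URLS, PROXY_LOG, DNS_LOG, FW_LOG).items():
        print(f"{key}: {value}")
```

The firewall pass deliberately uses only addresses taken from DNS answers in the same log window, because resolution results for malicious domains change frequently and a static IP list would miss connections or create false matches. Internal hosts that appear in any of the three result sets become the candidates for host-based forensic examination in the next step of the hunt.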