An Integrated Cyber Threat Hunting Program Applying Machine Learning for Enhanced Intelligence Capabilities

  • Joshua Richards

Student thesis: Master's Thesis


This project entails the creation of a simplified event log filter aimed at threat hunters who are new to the field. The filter offers three filtering options for analysing the Application, System, Security and Sysmon logs, which are the logs most commonly used when hunting for threats. The tool was created so that new users can get to grips with threat hunting without having to work through the hundreds of unnecessary events that Windows Event Viewer collects and displays, or the array of options that can overwhelm those starting out in the field. The tool also analyses Sysmon logs with spike-based anomaly detection (machine learning) to highlight events that may be anomalous and warrant further investigation. The aim is to let the new threat hunter pinpoint which Sysmon events require attention; the conventional Windows Event Viewer approach offers no such anomaly detection, and sifting through every log looking for anomalies is laborious even for experienced hunters, let alone novices.
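An added illustration (not the thesis's own tool, whose code is not on this page) of the two ideas the abstract describes: filtering Windows event records down to a channel, an event-ID set and a time window, and flagging the minutes in which the Sysmon event count spikes above the baseline. The choice of those three filters, the field names, the threshold (median + 3 × MAD with a floor on the MAD) and the sample events are all assumptions constructed for this example; the thesis does not state which filters or which spike-detection method it uses.

```python
"""Windows event-log filtering plus a robust spike detector over per-minute
Sysmon event counts.  Added example, not the thesis's tool; all events below
are constructed inline."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

SYSMON = "Microsoft-Windows-Sysmon/Operational"
BASE = datetime(2021, 9, 1, 9, 0, 0)  # constructed start of the sample window


def _sysmon_proc_create(minute, n, image):
    """n constructed Sysmon EventID 1 (process create) records in one minute."""
    assert n <= 60, "one record per second keeps the bucket inside the minute"
    return [{"Channel": SYSMON, "EventID": 1,
             "TimeCreated": BASE + timedelta(minutes=minute, seconds=i),
             "Image": image} for i in range(n)]


# Constructed sample: a flat baseline of 2-3 process creations per minute for
# 12 minutes, a burst of 30 from one binary in minute 7, and a few non-Sysmon
# records so the channel filter has something to drop.
SAMPLE_EVENTS = []
for m in range(12):
    SAMPLE_EVENTS += _sysmon_proc_create(m, 3 if m % 2 else 2,
                                         r"C:\Windows\explorer.exe")
SAMPLE_EVENTS += _sysmon_proc_create(
    7, 30, r"C:\Users\jdoe\AppData\Local\Temp\update.exe")
SAMPLE_EVENTS += [
    {"Channel": "Security", "EventID": 4624, "TimeCreated": BASE + timedelta(minutes=2)},
    {"Channel": "System", "EventID": 7045, "TimeCreated": BASE + timedelta(minutes=5)},
    {"Channel": "Application", "EventID": 1000, "TimeCreated": BASE + timedelta(minutes=8)},
]


def filter_events(events, channel=None, event_ids=None, start=None, end=None):
    """Three filter options assumed for this example: channel name, a set of
    event IDs, and a time window [start, end).  None means 'no constraint'."""
    kept = []
    for e in events:
        if channel is not None and e["Channel"] != channel:
            continue
        if event_ids is not None and e["EventID"] not in event_ids:
            continue
        if start is not None and e["TimeCreated"] < start:
            continue
        if end is not None and e["TimeCreated"] >= end:
            continue
        kept.append(e)
    return kept


def _bucket(ts):
    """Minute bucket key as a string, e.g. '2021-09-01 09:07'."""
    return ts.strftime("%Y-%m-%d %H:%M")


def detect_spikes(events, k=3.0, min_mad=1.0):
    """Flag minute buckets whose count exceeds median + k * MAD.

    Median/MAD rather than mean/stddev so that the spike itself does not
    inflate the baseline it is measured against.  A flat baseline gives
    MAD == 0, so it is floored at min_mad to avoid flagging every +1 minute.
    Returns (sorted list of flagged bucket keys, Counter of all buckets)."""
    counts = Counter(_bucket(e["TimeCreated"]) for e in events)
    values = list(counts.values())
    med = median(values)
    mad = max(median(abs(v - med) for v in values), min_mad)
    threshold = med + k * mad
    flagged = sorted(b for b, c in counts.items() if c > threshold)
    return flagged, counts


def anomalous_events(events, k=3.0):
    """The individual records that fall inside a flagged minute."""
    flagged, _ = detect_spikes(events, k)
    spikes = set(flagged)
    return [e for e in events if _bucket(e["TimeCreated"]) in spikes]


def top_images(events, n=3):
    """Which binaries dominate the flagged records (Sysmon 'Image' field)."""
    return Counter(e.get("Image", "<n/a>") for e in events).most_common(n)


if __name__ == "__main__":
    sysmon = filter_events(SAMPLE_EVENTS, channel=SYSMON, event_ids={1})
    flagged, counts = detect_spikes(sysmon)
    for bucket in sorted(counts):
        mark = "  <-- spike" if bucket in flagged else ""
        print(f"{bucket}  {counts[bucket]:3d}{mark}")
    print("top images in flagged minutes:", top_images(anomalous_events(sysmon)))
```

Run as a script it prints one line per minute with the burst marked; the same functions can be pointed at real records exported from Event Viewer once they are mapped to the same `Channel`/`EventID`/`TimeCreated`/`Image` keys.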
Date of Award: Sep 2021
Original language: English
Awarding Institution
  • University of South Wales
Supervisor: Richard Ward


  • Anomaly
  • Events
  • Detection
  • Logs
  • Machine Learning
  • Threat Hunting
