Active security monitoring of corporate networks is an essential task to ensure the utmost protections are in place. This entails the following steps: (1) know the network in depth, (2) examine and inspect key logs, (3) evaluate for unusual spikes of activity, and (4) improve network controls and eliminate any threats discovered.

https://isc.sans.edu/forums/diary/Is+Threat+Hunting+the+new+Fad/25746/

That is a tall order, so where do we start? The first step is to know the network I’m defending. Doing this well means having a good knowledge of what the network looks like (i.e. network diagrams, traffic flows, client → server relationships, etc.) and of the type of activity considered normal. Anything deviating from that “normal” needs to be investigated. The next step is to collect the logs that will help with the hunt, such as host and network logs, and to fuse them with traffic flows in a way that helps identify unusual patterns of activity.

Some of the logs that might be important to collect (not an exhaustive list) are: proxy, web and application servers, DNS, host-based, antivirus, Endpoint Detection and Response (EDR), firewall, etc. In the end, each organization is unique. Using the MITRE ATT&CK framework can help the hunt by identifying the tactics and techniques that point to the most promising logs for detecting and identifying unusual behavior happening in the network.
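As an added example (not code from the original diary), here is the "unusual spike" step applied to DNS query logs: each client's hourly query volume is compared against its own baseline built from the other hours, which is the "deviation from normal" the post describes. The log lines, the threshold multiplier `k` and the `min_abs` floor are constructed assumptions for illustration.

```python
"""Per-client baseline-vs-spike check over DNS query log lines."""
from collections import defaultdict
from statistics import mean, pstdev


def parse_line(line):
    """Split a constructed 'timestamp client query' line into (hour bucket, client)."""
    ts, client, _query = line.split()
    return ts[:13], client  # 'YYYY-MM-DDTHH' is the hourly bucket


def hourly_counts(lines):
    """Count DNS queries per client per hour."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        if line.strip():
            hour, client = parse_line(line)
            counts[client][hour] += 1
    return counts


def find_spikes(counts, k=3.0, min_abs=50):
    """Flag hours where a client's volume exceeds its own baseline.
    Baseline = mean and population std dev of that client's *other* hours.
    min_abs avoids flagging tiny counts when the baseline itself is tiny."""
    spikes = []
    for client, per_hour in counts.items():
        hours = sorted(per_hour)
        if len(hours) < 3:
            continue  # too little history to build a baseline
        for hour in hours:
            others = [per_hour[h] for h in hours if h != hour]
            mu, sigma = mean(others), pstdev(others)
            threshold = mu + k * max(sigma, 1.0)  # floor sigma so a flat baseline still yields a threshold
            if per_hour[hour] >= min_abs and per_hour[hour] > threshold:
                spikes.append((client, hour, per_hour[hour], round(threshold, 1)))
    return spikes


def build_sample():
    """Constructed sample: two clients with steady hourly volume, then one client
    issues several hundred lookups in a single hour (the kind of burst a hunter
    would pull the host and proxy logs for)."""
    lines = []
    for h in range(8):
        hour = f"2024-01-10T{h:02d}"
        n_a = 400 if h == 6 else 20 + h % 3   # 10.0.0.5: 20-22/hour, spike at hour 6
        n_b = 15                              # 10.0.0.9: constant 15/hour
        lines += [f"{hour}:{i % 60:02d}:00 10.0.0.5 host{i}.example.com" for i in range(n_a)]
        lines += [f"{hour}:{i % 60:02d}:00 10.0.0.9 mail.example.com" for i in range(n_b)]
    return lines


if __name__ == "__main__":
    for spike in find_spikes(hourly_counts(build_sample())):
        print("spike (client, hour, count, threshold):", spike)
```

The flagged tuple is a hunting lead, not a verdict: the next step is to pivot into the host, proxy and EDR logs for that client and hour.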