Tatsuya Hasegawa

Threat hunter and data visualization developer. Holds certifications including CISSP, CISA, GSP, GX-FA, GX-FE, GX-IH, GREM, GCIH, GCFA, GCFE, GNFA, GMOB, GXPN, and GPEN. Board member of the ISACA Nagoya Chapter, committee member of SECCON Open Conference, and contributor to msticpy.

Threat Hunting with better Data Visualization

When threat hunting over event data accumulated in a SIEM, the filtering stage is the most critical one. With limited time and resources, the volume of data that requires human review has to be reduced before suspicious events or potential threats can be detected effectively. Once suspicious events have been identified, the deep-dive analysis that follows tends to be less complex and easier to automate than the initial filtering. During filtering, preprocessing techniques such as rare value extraction and noise reduction are applied, and the data is visualized in various charts and graphs to support analysis. Because threat hunting is a flexible process, there is a recurring dilemma: how much should be visualized broadly, and how much should be shown as detailed data? This presentation shares insights, grounded in the speaker's experience, on the blurry boundary behind one abstract yet crucial question: "Do you sufficiently understand the data?" It also reports findings on how far data visualization can be streamlined with generative AI, with the aim of helping threat hunters use data visualization as a powerful tool.
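The filtering stage described above, as an added example that is not part of the talk or of msticpy: a small, standard-library-only pipeline that applies an analyst allowlist (noise reduction), stacks events by field combination, and extracts the rare combinations that deserve human review, with a text bar chart to show the long tail at a glance. The process-creation events, hosts, users and the allowlist are constructed for this example and are not real telemetry.

```python
from collections import Counter

# Constructed sample of process-creation events; hosts, users and process
# names are invented for this example and do not come from any real SIEM.
EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "process": "chrome.exe"},
    {"host": "ws02", "user": "bob", "parent": "explorer.exe", "process": "chrome.exe"},
    {"host": "ws03", "user": "carol", "parent": "explorer.exe", "process": "chrome.exe"},
    {"host": "ws04", "user": "dave", "parent": "explorer.exe", "process": "chrome.exe"},
    {"host": "ws05", "user": "erin", "parent": "explorer.exe", "process": "chrome.exe"},
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "process": "outlook.exe"},
    {"host": "ws02", "user": "bob", "parent": "explorer.exe", "process": "outlook.exe"},
    {"host": "ws04", "user": "dave", "parent": "explorer.exe", "process": "outlook.exe"},
    {"host": "ws03", "user": "carol", "parent": "explorer.exe", "process": "cmd.exe"},
    {"host": "ws06", "user": "frank", "parent": "explorer.exe", "process": "cmd.exe"},
    {"host": "ws07", "user": "bob", "parent": "winword.exe", "process": "powershell.exe"},
    {"host": "srv02", "user": "svc_backup", "parent": "services.exe", "process": "backup.exe"},
    {"host": "srv02", "user": "svc_backup", "parent": "services.exe", "process": "backup.exe"},
]

# Hypothetical noise rules: (parent, process) pairs an analyst has already
# confirmed benign for this environment. In practice this list grows over time.
NOISE_RULES = {("services.exe", "backup.exe")}


def reduce_noise(events, rules):
    """Noise reduction: drop events whose (parent, process) pair is allowlisted."""
    return [e for e in events if (e["parent"], e["process"]) not in rules]


def stack_counts(events, fields):
    """Stack (frequency-count) events by the tuple of the given field values."""
    return Counter(tuple(e[f] for f in fields) for e in events)


def rare_values(events, fields, max_count=1):
    """Rare value extraction: (key, count) pairs seen at most max_count times,
    rarest first. These are the rows that go to human review."""
    counts = stack_counts(events, fields)
    rare = [(key, c) for key, c in counts.items() if c <= max_count]
    return sorted(rare, key=lambda kc: (kc[1], kc[0]))


def bar_chart(counts, width=20):
    """Render a Counter as text bars, most common first, so the long tail
    (the candidates for hunting) is visible without reading every row."""
    if not counts:
        return []
    top = max(counts.values())
    lines = []
    for key, c in counts.most_common():
        label = " -> ".join(key)
        bar = "#" * max(1, round(width * c / top))
        lines.append(f"{label:<32} {bar} {c}")
    return lines


def hunt(events, fields=("parent", "process"), max_count=1):
    """Filtering stage end to end: noise reduction, then rare value extraction."""
    clean = reduce_noise(events, NOISE_RULES)
    return rare_values(clean, fields, max_count)


if __name__ == "__main__":
    clean = reduce_noise(EVENTS, NOISE_RULES)
    print("\n".join(bar_chart(stack_counts(clean, ("parent", "process")))))
    for key, count in hunt(EVENTS):
        print("rare:", " -> ".join(key), count)
```

The stacking fields are a parameter on purpose: the same events stacked by ("user", "process") or ("host", "parent") surface different rarities, and choosing which combinations to stack is exactly the "do you understand the data?" judgement the abstract refers to. The allowlist is applied before counting so that a noisy benign pair cannot hide a genuinely rare one behind a high-volume chart bar.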