How do you actually threat hunt?

This page summarizes the projects mentioned and recommended in the original post on /r/cybersecurity
Sysmon Monitoring Logging Security Attack

InfluxDB - Power Real-Time Data Analytics at Scale
Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
www.influxdata.com
featured
SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com
featured

  • sysmon-config

    Sysmon configuration file template with default high-quality event tracing

    • If you don't catch it what changes can you do to your logging to enable it? Can you push it out to the environment? While sysmon is awesome, you can do your hunts with built in logging most of the time... Just might not have all the data around it you want to have. I would throw sysmon on a test box (make sure you have a config file that filters out the noise: https://github.com/SwiftOnSecurity/sysmon-config)

  • attack-stix-data

    STIX data representing MITRE ATT&CK

    • If you have not yet looked at it, check out mitre att&ck https://attack.mitre.org/

  • InfluxDB

    Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

    InfluxDB logo

  • sigma

    Main Sigma Rule Repository

    • Agreed in general. But with stuff like SIGMA, I'd lean towards stuff should going into git. Better version control, your docs can be markdown and live right next to your threat library, you can strap on CI/CD (so you can deploy/run stuff as part of a pipeline). Confluence is a great start, but it doesn't scale well.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts