ThreatHunting is a Splunk application that provides structured threat hunting guidance mapped to the MITRE ATT&CK framework. It includes over 130 pre-built reports and multiple dashboards to help security teams identify suspicious activity within their environments. The app works on Sysmon telemetry ingested into Splunk and maps each detection query directly to the ATT&CK tactics and techniques it covers. Features include ATT&CK Navigator integration for exportable attack mappings, customizable macros for environment-specific tuning, and whitelist lookup support for organization-specific allowlisting. It is designed for blue team analysts and threat hunters who need a systematic approach to hunting adversary behaviors across the full attack lifecycle.
git clone https://github.com/olafhartong/ThreatHunting.git
# Example Splunk query from ThreatHunting app
# Detect suspicious PowerShell execution (T1059.001)
index=threathunting sourcetype=sysmon
EventCode=1
(Image=*powershell.exe OR Image=*pwsh.exe)
(CommandLine=*-enc* OR CommandLine=*-nop* OR CommandLine=*hidden*)
| stats count by Computer, User, CommandLine
| sort -count
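The following is an added example, not code from the ThreatHunting app: it reproduces the logic of the query above in Python over a constructed set of Sysmon Event ID 1 records (the field names EventCode, Image, CommandLine, Computer and User are assumed to match what the Splunk add-on exposes) and adds an allowlist step that stands in for the app's whitelist lookup. It also shows why such an allowlist matters: Splunk's `*-nop*` wildcard is case-insensitive, so a benign `-NoProfile` scheduled script trips the same detection as `-nop -w hidden -enc`.

```python
import fnmatch
from collections import Counter

# Constructed sample of Sysmon process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventCode": 1, "Computer": "SRV02", "User": "CORP\\svc_backup",
     "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -NoProfile -File C:\\Scripts\\backup.ps1"},
    {"EventCode": 1, "Computer": "WS03", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventCode": 3, "Computer": "WS03", "User": "CORP\\bob",  # network event, not process create
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc QQBCAEMA"},
]

# Hypothetical allowlist entries of (field, wildcard pattern), the shape a
# whitelist lookup CSV would take: known-good backup script run by a service account.
ALLOWLIST = [("CommandLine", "pwsh.exe -NoProfile -File C:\\Scripts\\*")]

def matches(value, pattern):
    """Case-insensitive wildcard match, mirroring how Splunk evaluates field=*x* terms."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def is_suspicious_powershell(event):
    """Same predicate as the SPL: Event ID 1, PowerShell image, and an evasion-style flag."""
    if event.get("EventCode") != 1:
        return False
    image_hit = any(matches(event.get("Image", ""), p) for p in ("*powershell.exe", "*pwsh.exe"))
    cmd_hit = any(matches(event.get("CommandLine", ""), p) for p in ("*-enc*", "*-nop*", "*hidden*"))
    return image_hit and cmd_hit

def is_allowlisted(event, allowlist):
    return any(matches(event.get(field, ""), pat) for field, pat in allowlist)

def hunt(events, allowlist=()):
    """Equivalent of `stats count by Computer, User, CommandLine | sort -count`."""
    hits = [e for e in events if is_suspicious_powershell(e) and not is_allowlisted(e, allowlist)]
    counts = Counter((e["Computer"], e["User"], e["CommandLine"]) for e in hits)
    return sorted(counts.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for (computer, user, cmd), n in hunt(SAMPLE_EVENTS, ALLOWLIST):
        print(f"{n:>3}  {computer}  {user}  {cmd}")
```

Run without the allowlist to see the `-NoProfile` false positive appear alongside the encoded-command hit; tune the allowlist rather than loosening the detection pattern.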