threat-hunting

Purpose

This skill enables proactive detection and response to advanced cyber threats in enterprise environments using forensic tools and analytics. It focuses on identifying anomalies, investigating incidents, and mitigating risks through data-driven methods.

When to Use

Use this skill during active threat investigations triggered by unusual network traffic, endpoint anomalies, or post-breach analysis. Apply it in blue-team operations such as monitoring for indicators of compromise (IOCs), conducting regular hunts across large networks, or integrating with SIEM systems for real-time alerting.

Key Capabilities

  • Analyze memory dumps with Volatility to detect malware processes.
  • Parse network logs produced by Zeek to identify suspicious connections.
  • Query Elasticsearch for threat patterns via custom queries.
  • Generate timelines from forensic artifacts using tools like Plaso.
  • Automate threat correlation with Sigma rules for log analysis.

Usage Patterns

Start by collecting data from endpoints or networks, then apply analytics to identify threats. For example, use a pipeline: ingest logs → run queries → correlate events → respond. Always scope hunts to specific IOCs or time windows. If integrating with automation, wrap commands in scripts that handle input validation and output parsing. For multi-step hunts, chain tools like Zeek for capture and Elasticsearch for indexing.
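The pipeline described above (ingest logs → scope → run queries → correlate → report) as an added example in Python; it is not part of the original skill. It parses constructed Zeek-style conn.log lines, validates each field before use, restricts the hunt to a hypothetical IOC address and a fixed time window, applies a simplified Sigma-like selection rule (a plain dict, not real Sigma syntax), and correlates matches per source host to surface repeated, evenly spaced connections that merit a closer look.

```python
"""Minimal hunt pipeline over Zeek conn.log records: ingest -> scope -> match -> correlate.

Added example with constructed sample data; not code from the original skill. Column names
follow Zeek's conn.log, but the rule format is a simplified Sigma-like dict, not real Sigma.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of tab-separated conn.log lines. One line is deliberately malformed
# (bad timestamp) and one falls outside the hunt window, to exercise input validation.
# Columns: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state
SAMPLE_CONN_LOG = """\
1700000000.100000\tCabc1\t10.0.0.5\t51000\t203.0.113.7\t443\ttcp\tssl\t0.9\t512\t1024\tSF
1700000060.100000\tCabc2\t10.0.0.5\t51001\t203.0.113.7\t443\ttcp\tssl\t0.8\t512\t1020\tSF
1700000120.100000\tCabc3\t10.0.0.5\t51002\t203.0.113.7\t443\ttcp\tssl\t0.9\t512\t1030\tSF
1700000130.000000\tCabc4\t10.0.0.9\t40000\t198.51.100.20\t80\ttcp\thttp\t1.5\t300\t8000\tSF
1700000140.000000\tCabc5\t10.0.0.9\t40001\t203.0.113.7\t443\ttcp\tssl\t0.5\t100\t200\tSF
not_a_timestamp\tCbad\t10.0.0.9\t40002\t203.0.113.7\t443\ttcp\tssl\t0.5\t100\t200\tSF
1700009999.000000\tCold\t10.0.0.5\t51003\t203.0.113.7\t443\ttcp\tssl\t0.9\t512\t1024\tSF
"""

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]

# Hunt scope: a hypothetical IOC (documentation-range address) and a fixed time window.
IOC_IPS = {"203.0.113.7"}
WINDOW_START = 1700000000.0
WINDOW_END = 1700001000.0


def parse_conn_log(text):
    """Ingest: parse conn.log lines into dicts, dropping records that fail validation."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # wrong column count: skip rather than guess
        rec = dict(zip(FIELDS, parts))
        try:
            rec["ts"] = float(rec["ts"])
            rec["id.orig_p"] = int(rec["id.orig_p"])
            rec["id.resp_p"] = int(rec["id.resp_p"])
            ipaddress.ip_address(rec["id.orig_h"])  # raises ValueError if not an IP
            ipaddress.ip_address(rec["id.resp_h"])
        except ValueError:
            continue
        records.append(rec)
    return records


def in_scope(rec, ioc_ips=IOC_IPS, start=WINDOW_START, end=WINDOW_END):
    """Scope: keep only connections to an IOC inside the hunt's time window."""
    return start <= rec["ts"] < end and rec["id.resp_h"] in ioc_ips


# Simplified Sigma-like rule (hypothetical): every selection key must equal the record field.
RULE_TLS_TO_IOC = {
    "title": "Completed TLS connection to known bad host (hypothetical)",
    "selection": {"proto": "tcp", "service": "ssl", "conn_state": "SF"},
}


def rule_matches(rule, rec):
    """Query: evaluate the rule's selection against one record."""
    return all(rec.get(k) == v for k, v in rule["selection"].items())


def correlate(records, rule, min_hits=2):
    """Correlate: group matches by source host and summarise hosts with >= min_hits."""
    hits = defaultdict(list)
    for rec in records:
        if in_scope(rec) and rule_matches(rule, rec):
            hits[rec["id.orig_h"]].append(rec)
    findings = []
    for host, recs in sorted(hits.items()):
        if len(recs) < min_hits:
            continue
        ts = sorted(r["ts"] for r in recs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        findings.append({
            "host": host,
            "count": len(recs),
            "first_seen": datetime.fromtimestamp(ts[0], tz=timezone.utc).isoformat(),
            "mean_gap_s": round(sum(gaps) / len(gaps), 1),  # regular gaps suggest beaconing
        })
    return findings


def run_hunt(text=SAMPLE_CONN_LOG, rule=RULE_TLS_TO_IOC):
    """Run the whole pipeline and return the findings to hand to the responder."""
    return correlate(parse_conn_log(text), rule)


if __name__ == "__main__":
    for finding in run_hunt():
        print(finding)
```

On the sample data the malformed line and the out-of-window line are discarded, the host with a single matching connection stays below the correlation threshold, and only 10.0.0.5 is reported, with three matches roughly 60 seconds apart. Swapping the sample text for a real conn.log and the rule dict for rules translated from your Sigma set keeps the same ingest → scope → match → correlate shape.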

Installs: 31
GitHub Stars: 5
First Seen: Mar 7, 2026