plaintext
3 lines · 1 tab
Kai Nakamura
Apr 2026
1 tab
index=auth sourcetype=linux_secure "Failed password" | stats count by src_ip, user | where count > 20
index=proxy "POST" url="*/oauth/token" | stats count by client_ip | where count > 100
index=endpoint process_name=powershell.exe command_line="*EncodedCommand*"
1 file · plaintext
Explain with highlit
I like threat hunting queries that map to observable attacker behavior rather than vague fear. MITRE ATT&CK gives a useful shared language, but the hunt still needs concrete fields, sources, and hypotheses. The best hunt queries are specific enough to review and improve over time.
Share this code
Here's the card — post it anywhere.