Threat hunting query ideas mapped to MITRE ATT and CK patterns

3499 views

                  index=auth sourcetype=linux_secure "Failed password" | stats count by src_ip, user | where count > 20
index=proxy "POST" url="*/oauth/token" | stats count by client_ip | where count > 100
index=endpoint process_name=powershell.exe command_line="*EncodedCommand*"

I like threat hunting queries that map to observable attacker behavior rather than vague fear. MITRE ATT&CK gives a useful shared language, but the hunt still needs concrete fields, sources, and hypotheses. The best hunt queries are specific enough to review and improve over time.

Kai Nakamura

More from Kai Nakamura

Threat hunting query ideas mapped to MITRE ATT and CK patterns

0 Comments

More from Kai Nakamura