plaintext 3 lines · 1 tab

Threat hunting query ideas mapped to MITRE ATT and CK patterns

Kai Nakamura Apr 2026
1 tab
index=auth sourcetype=linux_secure "Failed password" | stats count by src_ip, user | where count > 20
index=proxy "POST" url="*/oauth/token" | stats count by client_ip | where count > 100
index=endpoint process_name=powershell.exe command_line="*EncodedCommand*"
1 file · plaintext Explain with highlit

I like threat hunting queries that map to observable attacker behavior rather than vague fear. MITRE ATT&CK gives a useful shared language, but the hunt still needs concrete fields, sources, and hypotheses. The best hunt queries are specific enough to review and improve over time.

Share this code

Here's the card — post it anywhere.

Threat hunting query ideas mapped to MITRE ATT and CK patterns — share card
Link copied