| name | threat-hunting |
| description | Use when hunting threats or engineering detections — ATT&CK Detection-Strategies, Sigma + correlation with Detection-as-Code CI, Windows endpoint hunting (Sysmon/ETW/LSASS/LOLBins), network C2 hunting (JA4+, beaconing, DNS tunneling), cloud-identity hunting, Atomic Red Team purple-team validation |
| metadata | {"type":"defensive","phase":"detection","tools":"sigma-cli, pysigma, hayabusa, chainsaw, velociraptor, sysmon, zeek, rita, ja4, atomic-red-team, caldera, splunk, sentinel, defender, kql","mitre":"TA0043"} |
| kill_chain | {"phase":["report"],"step":[8],"attck_tactics":["TA0043","TA0042","TA0011","TA0006","TA0005"],"attck_techniques":["T1059.001","T1003.001","T1562.001","T1562.002","T1218","T1105","T1071","T1071.001","T1071.004","T1571","T1572","T1528","T1550.001","T1078.004","T1098","T1543.003","T1070.001","T1558.003","T1003.006"]} |
| depends_on | ["red-team-ops","incident-response"] |
| feeds_into | [] |
| inputs | ["finding_records","log_data","ioc_list","evtx","zeek_logs","cloudtrail","sigin_logs"] |
| outputs | ["sigma_rules","correlation_rules","attck_navigator_export","coverage_matrix","detection_report","hunt_findings"] |
| references | ["references/methodology-hunt-loop.md","references/windows-endpoint-hunting.md","references/sigma-rule-engineering.md","references/network-c2-hunting.md","references/cloud-identity-hunting.md","references/purple-team-validation.md"] |
| scripts | ["scripts/dac_validate.py","scripts/evtx_hunt.py","scripts/beacon_hunter.py","scripts/cloudtrail_hunt.py","scripts/coverage_matrix.py","scripts/entra_hunt.kql","scripts/sigma_pipeline.sh","scripts/sysmon_config_2025.xml"] |