Threat hunting tools
Every infrastructure has its own threats that may result in a security breach. Threat hunting helps with the proactive approach of discovering such possible threats. This way your organization can eliminate them early. Threat hunting is a specialized area and requires specific tools to scan every corner of the network.
Threat hunting tools are typically used for threat discovery and threat hunting.
Users for these tools include forensic specialists, pentesters, security professionals.
HELK (threat hunting with the ELK stack)
system monitoring, threat discovery, threat hunting
The main purpose to use HELK is to do analytic research on data, which are typically the events coming from your systems. Suspicious events could be discovered by doing so-called threat hunting. It may give additional insights about the existing infrastructure and required security defenses.
MISP (Malware Information Sharing Platform)
fraud detection, information gathering, threat hunting
MISP collects, stores, and distributes security indicators and discovered threats. This makes the platform useful for those involved with security incidents and malware research. Users benefit from having a well-tested platform to structure the vast number of data points available when it comes to security threats. The tooling allows interaction with other tools, like security incident and event management (SIEM) and intrusion detection systems (IDS).
rastrea2r (threat hunting for IOCs)
digital forensics, malware detection, threat discovery, threat hunting
Rastrea2r is a threat hunting utility for indicators of compromise (IOC). It is named after the Spanish word rastreador, which means hunter. This multi-platform open source tool helps incident responders and SOC analysts to triage suspected systems. The hunt for IOCs can be achieved in just a matter of a few minutes.
sqhunter (threat hunting)
security monitoring, threat discovery, threat hunting
Sqhunter is a security tool to find known and unknown threats within your network. The goal is to find possible adversaries within your network by doing specific queries. The tool uses data from osquery, Salt Open, and the Cymon API.
Missing a favorite tool in this list? Share a tool suggestion and we will review it.