Usage
Welcome to the Hunt-AI Usage Guide! Now that you have Hunt-AI running, this guide walks you through using the platform for your threat-hunting tasks.
Open the web interface by visiting:
http://localhost:31337/
This brings up the Hunt-AI dashboard, from which you can reach the threat-hunting tools described below.
The MITRE ATT&CK framework is central to the Hunt-AI system. You can browse Tactics and their corresponding Techniques to start your investigations.
- On the home page, you'll find the MITRE ATT&CK framework with clickable tactics.
- Select a Tactic to view all techniques related to that tactic.
- Click on a Technique to see detailed information and associated queries for detecting that specific technique.
Each technique will provide:
- Description of the technique.
- Data sources and log queries that can be used to detect the technique.
- Detection methods and SPL queries.
- Hunt steps that guide you through the process of tracking down threats.
For each technique, Hunt-AI provides pre-configured detection queries that you can copy and paste into your SIEM to look for suspicious activity.
- Queries are presented as SPL (Search Processing Language) queries, which run as-is in Splunk. For other SIEMs (for example Elasticsearch) you will need to translate the query into that platform's query language, such as EQL or KQL, and map the field names to your own data model.
- Use these queries to detect activity associated with specific technique IDs (T-codes).
To keep your hunts organized, Hunt-AI includes an investigation tracking feature. Here's how you can use it:
- Track your investigations using the integrated analyst notebook.
- Log findings for each technique and tactic.
- Add notes, observations, and context to your hunts to provide more comprehensive data.
- You can create a custom summary of your investigations to keep all relevant information in one place.
If you want to run your own queries or expand beyond the pre-configured ones, you can use the custom queries section to write and execute specific queries relevant to your hunt.
- This allows you to adapt and refine your investigation based on emerging threats or unique data sources.
Hunt-AI will eventually support collaboration features. You will be able to:
- Share investigations with your team.
- Sync your findings across different analysts.
- Coordinate responses to incidents in real-time.
Here are two common threat-hunting tasks and how Hunt-AI can help you with them. First, hunting for DNS tunneling:
- Navigate to the MITRE ATT&CK framework and select the Command and Control tactic.
- Find Technique T1071 (Application Layer Protocol), which deals with the abuse of application layer protocols like DNS.
- Use the pre-configured query for Detecting Suspicious DNS Traffic to check for abnormal DNS queries that could indicate DNS tunneling.
- Run the SPL query in your SIEM to check for any anomalies.
- Use the Hunt Steps to investigate if malicious DNS requests are originating from any specific machines or external locations.
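The following is an added example, not one of Hunt-AI's own SPL queries: it shows the kind of per-source, per-domain aggregation that a "suspicious DNS traffic" hunt for T1071 relies on, run in Python over a constructed DNS query log. The log format (timestamp, source IP, queried name), the "registered domain = last two labels" shortcut, and the thresholds for unique subdomains, label length and entropy are all assumptions chosen for illustration.

```python
"""DNS tunnelling heuristics over a constructed DNS query log.

Added example, not Hunt-AI's own SPL. Log format, field names and thresholds
are assumptions chosen for illustration.
"""
import math
from collections import defaultdict

# Constructed sample log (hypothetical): "<timestamp> <source ip> <queried name>" per line.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 10.0.0.5 www.example.com
2024-05-01T10:00:02 10.0.0.5 mail.example.com
2024-05-01T10:00:03 10.0.0.5 example.com
2024-05-01T10:00:04 10.0.0.7 www.example.com
2024-05-01T10:00:05 10.0.0.7 4a7f9c2e1b8d6f3a9c0e2b4d6f8a1c3e.tun.badcorp.net
2024-05-01T10:00:06 10.0.0.7 f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8.tun.badcorp.net
2024-05-01T10:00:07 10.0.0.7 0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e.tun.badcorp.net
2024-05-01T10:00:08 10.0.0.7 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.tun.badcorp.net
2024-05-01T10:00:09 10.0.0.7 6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c.tun.badcorp.net
2024-05-01T10:00:10 10.0.0.7 c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8.tun.badcorp.net
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; encoded (hex/base32) tunnel labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered domain, subdomain labels).

    Assumption: the registered domain is the last two labels. A real hunt
    should use the public suffix list (co.uk, com.au, ...) instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def profile_dns_log(log_text: str) -> dict:
    """Aggregate per (source ip, registered domain), the equivalent of a
    'stats ... by src, domain' style query."""
    profiles = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                    "max_label_len": 0, "entropies": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _ts, src, qname = parts
        domain, sub_labels = split_name(qname)
        p = profiles[(src, domain)]
        p["queries"] += 1
        if sub_labels:
            p["subdomains"].add(".".join(sub_labels))
            longest = max(sub_labels, key=len)
            p["max_label_len"] = max(p["max_label_len"], len(longest))
            p["entropies"].append(shannon_entropy(longest))
    return profiles


def hunt_dns_tunneling(log_text: str, min_unique_subdomains: int = 5,
                       max_label_len: int = 30, min_entropy: float = 3.5) -> list:
    """Flag (src, domain) pairs with many distinct subdomains that are also
    long or high-entropy. Thresholds are illustrative; tune them per environment."""
    findings = []
    for (src, domain), p in profile_dns_log(log_text).items():
        mean_entropy = (sum(p["entropies"]) / len(p["entropies"])) if p["entropies"] else 0.0
        many = len(p["subdomains"]) >= min_unique_subdomains
        odd = p["max_label_len"] >= max_label_len or mean_entropy >= min_entropy
        if many and odd:
            findings.append({"src": src, "domain": domain,
                             "queries": p["queries"],
                             "unique_subdomains": len(p["subdomains"]),
                             "max_label_len": p["max_label_len"],
                             "mean_entropy": round(mean_entropy, 2)})
    return sorted(findings, key=lambda f: (f["src"], f["domain"]))


if __name__ == "__main__":
    for finding in hunt_dns_tunneling(SAMPLE_DNS_LOG):
        print(finding)
```

On the constructed log only the 10.0.0.7 traffic to badcorp.net is flagged; the example.com lookups from both hosts have too few distinct subdomains to match. When you run the equivalent SPL in Splunk, expect legitimate sources of long, high-entropy labels (CDNs, anti-spam reputation lookups, some telemetry agents) to show up too, so review the Hunt Steps against an allow-list of known domains before escalating.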
Second, hunting for credential theft that starts with a phishing email:
- Navigate to the Credential Access tactic in the MITRE ATT&CK framework.
- Look for the technique Hunt-AI lists as T1555 (Credential Dumping via Phishing). Confirm the ID against the MITRE reference before citing it in a report: in the official matrix T1555 is Credentials from Password Stores, OS Credential Dumping is T1003, and a spear-phishing attachment is T1566.001 under Initial Access.
- Use the query for suspicious email attachments to detect potential spear-phishing attacks.
- Correlate the results with your endpoint detection data and analyze user behavior.
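As an added example (not Hunt-AI's own query) of the correlation step above, and of the Correlate stage of the hunt execution steps later in this guide, the block below joins mail-gateway attachment events with endpoint process-creation events in Python. Both inputs are constructed JSON-lines samples; the field names, the risky-extension list, the Office-parent and script-child lists, the "mailbox local part equals endpoint username" join key and the 24-hour window are assumptions.

```python
"""Correlating phishing attachment deliveries with suspicious endpoint activity.

Added example, not Hunt-AI's own query. The two inputs are constructed
JSON-lines samples; field names, watch lists and the window are assumptions.
"""
import json
from datetime import datetime, timedelta

# Constructed mail-gateway events (hypothetical).
EMAIL_EVENTS = """\
{"ts": "2024-05-02T08:15:00", "recipient": "alice@corp.example", "sender": "payroll@hr-update.example", "attachment": "Salary_Review.docm"}
{"ts": "2024-05-02T08:16:00", "recipient": "bob@corp.example", "sender": "payroll@hr-update.example", "attachment": "Salary_Review.docm"}
{"ts": "2024-05-02T09:00:00", "recipient": "carol@corp.example", "sender": "team@corp.example", "attachment": "agenda.pdf"}
{"ts": "2024-04-20T11:00:00", "recipient": "dave@corp.example", "sender": "x@old-campaign.example", "attachment": "update.hta"}
"""

# Constructed endpoint process-creation events (hypothetical).
ENDPOINT_EVENTS = """\
{"ts": "2024-05-02T08:22:10", "host": "WS-ALICE", "user": "alice", "parent_image": "WINWORD.EXE", "image": "powershell.exe"}
{"ts": "2024-05-02T08:30:00", "host": "WS-BOB", "user": "bob", "parent_image": "WINWORD.EXE", "image": "splwow64.exe"}
{"ts": "2024-05-02T09:10:00", "host": "WS-CAROL", "user": "carol", "parent_image": "WINWORD.EXE", "image": "powershell.exe"}
{"ts": "2024-05-02T10:00:00", "host": "WS-DAVE", "user": "dave", "parent_image": "mshta.exe", "image": "cmd.exe"}
"""

# Watch lists (assumptions; extend to match your environment).
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".hta", ".js", ".vbs", ".lnk", ".iso"}
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe"}


def load_jsonl(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def risky_attachments(email_events: list) -> list:
    """Emails whose attachment extension is on the watch list."""
    out = []
    for ev in email_events:
        name = ev["attachment"].lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            out.append(ev)
    return out


def suspicious_children(endpoint_events: list) -> list:
    """An Office application spawning a script interpreter or LOLBin."""
    return [ev for ev in endpoint_events
            if ev["parent_image"].upper() in OFFICE_PARENTS
            and ev["image"].lower() in SCRIPT_CHILDREN]


def correlate(email_text: str, endpoint_text: str, window_hours: int = 24) -> list:
    """Join on user (mailbox local part == endpoint username, an assumption)
    where the suspicious process starts within window_hours after delivery."""
    window = timedelta(hours=window_hours)
    hits = []
    children = suspicious_children(load_jsonl(endpoint_text))
    for mail in risky_attachments(load_jsonl(email_text)):
        user = mail["recipient"].split("@")[0].lower()
        delivered = datetime.fromisoformat(mail["ts"])  # timestamps assumed UTC
        for proc in children:
            started = datetime.fromisoformat(proc["ts"])
            if proc["user"].lower() == user and delivered <= started <= delivered + window:
                hits.append({"user": user, "host": proc["host"],
                             "attachment": mail["attachment"], "sender": mail["sender"],
                             "delivered": mail["ts"], "process": proc["image"],
                             "parent": proc["parent_image"], "started": proc["ts"]})
    return hits


if __name__ == "__main__":
    for hit in correlate(EMAIL_EVENTS, ENDPOINT_EVENTS):
        print(hit)
```

Only alice is correlated: she received a macro-enabled document and Word spawned PowerShell a few minutes later. bob received the same attachment but no script interpreter followed, carol's Word-to-PowerShell event has no risky attachment behind it, and dave's .hta arrived outside the window. Events like carol's still deserve a look on their own, which is why the Hunt Steps recommend reviewing endpoint data and user behaviour alongside the email results rather than relying on the join alone.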
To run Hunt-AI's queries in your SIEM:
- Copy the SPL query provided for each technique.
- Paste it into your SIEM query interface (e.g., Splunk's search bar). Before running it, adjust the index, sourcetype and field names to match your environment, and start with a bounded time range so a broad search does not overload the SIEM.
- Run the query to surface activity relevant to that technique.
- Review the results and proceed with the investigation steps suggested by Hunt-AI.
For each technique, Hunt-AI provides a step-by-step guide to execute your hunt:
- Run Queries: This is your first step to gathering relevant data.
- Investigate: Examine the results and look for potential indicators of compromise (IOCs).
- Correlate: Correlate the data with other sources like threat intelligence feeds, user behavior analytics, or endpoint data.
- Escalate: If malicious activity is detected, escalate it to the appropriate response team.
The Analyst Notebook within Hunt-AI helps you document each of your investigations in a structured way:
- Create an entry for each investigation.
- Document findings using a series of structured fields (e.g., hypothesis, detection methods, expected outcomes).
- Summarize the investigation once completed.
- Use this as a reference for future investigations or for compiling a report.
In the near future, Hunt-AI will include enhanced collaboration features such as:
- Team investigation syncing.
- Real-time updates on hunt progress.
- Ability to share investigation results within your organization.
For further assistance with Hunt-AI, refer to these resources:
- Hunt-AI Documentation: Full documentation on setup, usage, and advanced configuration.
- MITRE ATT&CK Framework: Explore techniques, tactics, and procedures (TTPs) for in-depth understanding.
- Hunt-AI GitHub: Access the source code, contribute to the project, and view latest updates.
Happy hunting! Stay safe and efficient in your threat investigations with Hunt-AI.
---
### Key Sections in the Usage Guide:
1. **Navigating the Interface** – A basic introduction to using the web interface.
2. **Key Features** – Describes core features like MITRE ATT&CK integration, pre-configured queries, tracking investigations, and collaboration.
3. **Common Use Cases** – Walkthroughs of common scenarios you might encounter during threat hunting.
4. **Running Queries in SIEM** – Step-by-step instructions for executing **Hunt-AI** queries in your SIEM.
5. **Hunt Execution Steps** – Breakdown of the steps to execute hunts based on each technique.
6. **Analyst Notebook** – Explains how to document and track investigations.
7. **Collaboration Features (Coming Soon)** – Brief overview of upcoming collaboration tools.