A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
Alternatives To Threathunting
Project NameStarsDownloadsRepos Using ThisPackages Using ThisMost Recent CommitTotal ReleasesLatest ReleaseOpen IssuesLicenseLanguage
an hour ago85agpl-3.0Python
Intel Owl: analyze files, domains, IPs in multiple ways from a single API at scale
2 months ago28
APTnotes data
a month ago136apache-2.0Python
Your Everyday Threat Intelligence
8 hours ago33gpl-3.0Rust
Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
2 months ago20mit
A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
8 days agogpl-3.0Python
A collection of resources for Threat Hunters - Sponsored by Falcon Guard
12 days ago10August 18, 202014gpl-2.0Python
Extract and aggregate threat intelligence.
4 months ago10gpl-3.0PowerShell
WELA (Windows Event Log Analyzer): The Swiss Army knife for Windows Event Logs! ゑ羅(ウェラ)
2 years ago109agpl-3.0
Documentation of TheHive
4 years ago1bsd-3-clausePython
Oriana is a threat hunting tool that leverages a subset of Windows events to build relationships, calculate totals and run analytics. The results are presented in a Web layer to help defenders identify outliers and suspicious behavior on corporate environments.
Alternatives To Threathunting
Select To Compare

Alternative Project Comparisons


ThreatHunting | A Splunk app mapped to MITRE ATT&CK to guide your threat hunts

license Maintenance GitHub last commit Arsenal Arsenal Twitter

This is a Splunk application containing several dashboards and over 130 reports that will facilitate initial hunting indicators to investigate.

You obviously need to be ingesting Sysmon data into Splunk, a good configuration can be found here

Note: This application is not a magic bullet, it will require tuning and real investigative work to be truly effective in your environment. Try to become best friends with your system administrators. They will be able to explain a lot of the initially discovered indicators.

Big credit goes out to MITRE for creating the ATT&CK framework!

Pull requests / issue tickets and new additions will be greatly appreciated!

Mitre ATT&CK

I strive to map all searches to the ATT&CK framework. A current ATT&CK navigator export of all linked configurations is found here and can be viewed here Mapping

Required actions after deployment

  • Follow all the steps on the About page in the app, make sure all requirements are met.
  • Make sure the threathunting index is present on your indexers
  • Edit the macro's to suit your environment > https://YOURSPLUNK/en-US/manager/ThreatHunting/admin/macros (make sure the sourcetype is correct)
  • The app is shipped without whitelist lookup files, you'll need to create them yourself. This is so you won't accidentally overwrite them on an upgrade of the app.
  • Install the lookup csv's or create them yourself, empty csv's are here

A step by step guide kindly written by Kirtar Oza can be found here


A more detailed explanation of all functions can be found here or in this blog post

Popular Threat Projects
Popular Dfir Projects
Popular Security Categories
Related Searches

Get A Weekly Email With Trending Projects For These Categories
No Spam. Unsubscribe easily at any time.
Threat Hunting
Mitre Attack