A comprehensive curated list of keywords and artifacts designed to enhance threat hunting sessions across various environments.
Awesome list of keywords and artifacts for Threat Hunting sessions
This list serves as a reference for security analysts and threat hunters to proactively search for indicators of compromise and for tactics, techniques, and procedures (TTPs) within raw logs, SIEM platforms, and file systems. It is particularly useful for blue teams and red teams aiming to improve detection capabilities, reduce false positives, and optimize threat hunting workflows.
This repository is a documentation resource rather than an executable tool; users should integrate the keywords and methodologies into their existing threat hunting platforms and workflows. It is recommended to tailor the keyword lists to the organization's environment to reduce false positives and enhance detection efficacy.
Hunt all the keywords in raw logs
Use the provided keyword list to scan raw logs for potential indicators of compromise.
Hunt the keywords in specific fields (e.g., url, process, commandline, query)
Focus keyword searches on targeted log fields to improve detection precision.
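The two hunting modes above, as an added example that is not part of the repository: a raw-log search that checks every keyword anywhere in the line, next to a field-targeted search that checks each keyword only in the field it belongs to. The keyword lists, field names and JSON log lines are constructed placeholders, not the repository's own lists.

```python
import json
import re

# Constructed sample keywords per field (placeholders, not the repo's lists).
KEYWORDS = {
    "commandline": ["mimikatz", "-enc ", "iex(", "certutil -urlcache"],
    "process": ["psexec", "rundll32"],
    "url": ["pastebin.com", "/wp-login.php"],
    "query": [".onion", "xmrig"],
}

def compile_patterns(keywords):
    """Compile each keyword into a case-insensitive literal (escaped) pattern."""
    return {field: [(kw, re.compile(re.escape(kw), re.IGNORECASE)) for kw in kws]
            for field, kws in keywords.items()}

def hunt_raw(line, patterns):
    """Raw-log hunt: every keyword from every list, matched anywhere in the line."""
    return sorted({kw for pats in patterns.values() for kw, rx in pats if rx.search(line)})

def hunt_fields(line, patterns):
    """Field-targeted hunt: each keyword is only checked in its own field."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return {}  # not a structured event; nothing to match per field
    hits = {}
    for field, pats in patterns.items():
        value = str(event.get(field, ""))
        matched = [kw for kw, rx in pats if rx.search(value)]
        if matched:
            hits[field] = matched
    return hits

# Constructed JSON log lines: two suspicious events and one benign AV event whose
# signature name trips the raw search but not the field-targeted search.
SAMPLE_LOGS = [
    '{"host":"ws01","process":"powershell.exe","commandline":"powershell -enc aQBlAHgA"}',
    '{"host":"ws02","process":"PsExec.exe","commandline":"psexec srv01 cmd"}',
    '{"host":"ws03","process":"MsMpEng.exe","commandline":"","rule":"HackTool:Win32/PsExec"}',
]

if __name__ == "__main__":
    pats = compile_patterns(KEYWORDS)
    for line in SAMPLE_LOGS:
        print("raw:", hunt_raw(line, pats), "| fields:", hunt_fields(line, pats))
```

The third line shows the precision gain: the raw search flags the AV signature name, while the field-targeted search returns nothing because "psexec" is not present in the process or commandline fields.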
Use the list to build dashboards in Splunk
Leverage the keywords to create visualizations and alerts within Splunk for proactive threat detection.
Apply YARA rules from the repository
Use YARA rules included in the repo for file-based threat hunting without a SIEM.