Threat Hunter's Cookbook
Built on PEAK Framework
Threat Analyzer
Enter a CVE, malware name, threat actor, or paste threat intel to generate Splunk hunting queries
THC::ANALYZE public intel → hunt pack → analyst review · profile: default generic SPL
🔒 Only public threat intelligence is used. No internal data is ever sent to AI. All SPL queries are templates requiring analyst review.
Ready to Hunt
Enter a threat above to generate hunting queries, threat intelligence, and technical analysis

Type
First Seen
Threat Actors
Affected Systems
Overview

MITRE ATT&CK Coverage
Tactics
Techniques
โš ๏ธ Template queries only. Adapt index names, sourcetypes, and field names to your Splunk environment before running.
๐Ÿงญ Technical Analysis explains the attacker behaviour behind the hunt pack. Use it to understand attack stages, choose pivots, and decide which telemetry matters before running SPL.
How It Works

Attack Chain
Key Observable Behaviours
โš ๏ธ IOCs are public indicators only. Use them for quick sweeps, but prioritise behavioural hunts because hashes, domains, and IPs age quickly.
How to use IOCs

Use IOCs to scope immediate exposure, then pivot into behaviour: process execution, authentication, DNS/proxy, file creation, persistence, and lateral movement. An empty IOC list usually means there are no reliable public indicators for this threat, or that the threat is better hunted by behaviour.

SPL Builder
Build Splunk hunting queries using Threat Hunter's Cookbook methods
THC::SPL_BUILDER profile-aware template generation · no internal data required
Optional: add specific field=value conditions
Imported Hunt Pack SPL
Review the template below, then tune the builder fields or generate a refined version.
Imported SPL ⚠️ Template Only
SPL Builder
Fill in the form and click Generate to build a Splunk hunting query
Generated SPL
โš ๏ธ Template Only
Method Rationale

Query Breakdown
✅ True Positive Indicators
⚠️ False Positive Considerations
🔧 Tuning Tips
🔗 Related Hunts
Threat Feed
Public threat feed candidates you can filter, save, ignore, or send into the Threat Analyzer
Feed Preferences
Leave all unchecked to show all technologies.
Saved / Hidden
🔒 Feed items use public sources only. Selecting Analyze sends only the threat name/CVE to the AI endpoint.
Explain SPL
Paste an existing Splunk query to understand what it does, what telemetry it needs, and how to tune it safely
THC::EXPLAIN_SPL inherited query → analyst understanding → tuning guidance · profile-aware review
Use this for existing hunts, inherited correlation searches, generated SPL, or queries copied from tickets.
This explains and reviews SPL. It does not run searches or access Splunk.
How to use this page

Use Explain SPL when you inherit a search, want to validate AI-generated SPL, or need to teach a junior analyst what a query is doing. The output highlights required data, likely blind spots, false positives, tuning ideas, and detection-engineering next steps.

Ready to explain SPL
Paste a query to get a line-by-line explanation, required telemetry, suspicious result guidance, and tuning advice.
Plain-English Summary

How to work with this template
1. Confirm fields
Use fieldsummary or a small table search to check whether the referenced fields exist in your sourcetype.
2. Simplify mappings
Replace coalesce() alternatives with the exact fields that work in your Splunk environment.
3. Validate logic
Check that fields belong to the selected EventCode/sourcetype before trusting the result.
4. Tune safely
Adjust thresholds and add exclusions only after reviewing normal admin activity.
Line-by-Line Breakdown

Each SPL line is shown as a full-width block first, followed by the explanation underneath. Long SPL lines wrap instead of squeezing the explanation into a narrow column.

Required Telemetry and Fields
What Suspicious Results May Look Like
False Positives
Tuning Suggestions
Detection Engineering Notes

Saved Hunts
Your local hunt workspace: review, tune, document, export, and operationalise generated SPL templates
SOC Workflow

Use this workspace to move from generated templates into reviewed hunts. Save only useful hunts, check data coverage, document outcomes, then export for tickets, Obsidian, GitHub, or detection engineering review.

Status Guide
Draft · Tested · Tuned · Operationalised · Retired
Markdown Export
Environment Profile
Define safe, generic SOC context so Analyzer and SPL Builder produce more realistic Splunk templates
THC::PROFILE generic telemetry map only · avoid hostnames, usernames, internal IPs, domains, secrets
Privacy guardrail: Store only generic data source names, index aliases, sourcetypes, platforms, and preferred field names. Do not add real users, hostnames, private IPs, customer names, internal domains, API keys, or case details.
Paste Full Environment Profile
Use this for long markdown notes or Splunk discovery output. The importer keeps the full text as analyst guidance and tries to extract index/sourcetype mappings automatically.
Core SOC Context
Available Data Sources
Index / Sourcetype Map
Examples: Windows Endpoints → index=windows, sourcetype=WinEventLog:Security / Sysmon; DNS → index=dns, sourcetype=stream:dns.
Preferred Field Names
Profile Preview Sent to AI
How this improves SPL

Analyzer and Builder requests now include this sanitized profile. The model can prefer your generic indexes, sourcetypes, field aliases, and telemetry coverage while still avoiding sensitive internal data.

The Cookbook
Quick reference for all seven Threat Hunter's Cookbook methods