Threat Hunts
When starting a threat hunt, you fill out a form that includes the summary, which can consist of the hunt hypothesis (why are you conducting this hunt, and what do you expect to find?), the objectives of the hunt, its scope, and any other pertinent details. Additionally, you associate any threat groups that this hunt will be looking into. This allows correlations to be made between your threat hunting coverage and your tracked threat groups. Lastly, you select the applicable taskings for the threat hunt, which can be either RFIs or IRs. This again allows correlations to be made between coverage and hunting activity per IR and RFI.

Kanban Board
The Kanban board works like an ordinary kanban board and can be used to categorize and plan your threat hunts. It has three columns: Backlog, Doing and Done.

Backlog contains hunts that you would like to conduct but that are not active at the moment.

Doing contains hunts that are currently in progress. A hunt in Doing is in one of three phases: Collection, Analysis or Production. Collection is the first phase of the threat hunt and consists of collecting the data that relates to your hunt. Analysis is when you have all your data and are analyzing it to answer your intelligence questions. Lastly, Production is when you are ready to produce reporting on the threat hunt, answering the questions in the RFI or IR.

Finally, Done is for completed threat hunts. You can move hunt tickets between columns and change their details by clicking on each ticket.
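The hunt form fields and the Kanban workflow above can be modelled as a small ticket data structure that enforces the column/phase rules and derives the coverage correlations the page mentions (which tracked threat groups have a hunt, and which hunts serve a given RFI or IR). This is an added example, not the product's own code or API; the ticket class, group names and tasking identifiers are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

COLUMNS = ("Backlog", "Doing", "Done")            # Kanban columns from the page
PHASES = ("Collection", "Analysis", "Production")  # phases a hunt in Doing moves through

@dataclass
class Hunt:
    """One hunt ticket: summary fields plus the threat groups and taskings it is tied to."""
    title: str
    hypothesis: str
    column: str = "Backlog"
    phase: Optional[str] = None                       # only set while the hunt is in Doing
    threat_groups: Set[str] = field(default_factory=set)
    taskings: Set[str] = field(default_factory=set)   # RFI / IR identifiers

    def move(self, column: str, phase: Optional[str] = None) -> None:
        """Move the ticket between columns; a ticket in Doing must carry a valid phase."""
        if column not in COLUMNS:
            raise ValueError(f"unknown column: {column!r}")
        if column == "Doing" and phase not in PHASES:
            raise ValueError("a hunt in Doing needs a phase: Collection, Analysis or Production")
        self.column = column
        self.phase = phase if column == "Doing" else None

def coverage(hunts: List[Hunt], tracked: Set[str]) -> Dict[str, Dict[str, List[str]]]:
    """For each tracked threat group, the hunts that target it, keyed by Kanban column."""
    cov = {g: defaultdict(list) for g in tracked}
    for h in hunts:
        for g in h.threat_groups & tracked:
            cov[g][h.column].append(h.title)
    return cov

def uncovered(hunts: List[Hunt], tracked: Set[str]) -> List[str]:
    """Tracked threat groups with no hunt at all: the coverage gaps to add to the Backlog."""
    return sorted(tracked - set().union(*(h.threat_groups for h in hunts)))

def hunts_for_tasking(hunts: List[Hunt], tasking: str) -> List[str]:
    """Hunting activity tied to one RFI or IR."""
    return [h.title for h in hunts if tasking in h.taskings]

def sample_hunts() -> List[Hunt]:
    """Constructed sample tickets; group and tasking names are placeholders, not real identifiers."""
    a = Hunt("Scheduled-task persistence", "GROUP-ALPHA persists via scheduled tasks",
             threat_groups={"GROUP-ALPHA"}, taskings={"RFI-1"})
    b = Hunt("Web shell sweep", "GROUP-BETA drops web shells on edge servers",
             threat_groups={"GROUP-BETA"}, taskings={"IR-7", "RFI-1"})
    a.move("Doing", "Analysis")
    b.move("Done")
    return [a, b]
```

Calling `uncovered(sample_hunts(), {"GROUP-ALPHA", "GROUP-BETA", "GROUP-GAMMA"})` returns the groups with no hunt yet, which is the list to turn into Backlog tickets.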