Documenting your threat hunt findings and discoveries
Backlog contains hunts that you would like to conduct but that are not active at the moment. Doing contains hunts that are currently in progress; each of these is in one of three phases: Collection, Analysis, or Production.

Collection is the first phase of the threat hunt and consists of collecting the data that relates to your hunt. Analysis is when you have all your data and are analyzing it to answer your intelligence questions. Production is when you are ready to produce reporting related to the threat hunt, answering the questions in the RFI or IR.

Finally, Done is for completed threat hunts. You can move hunt tickets between each category and change a ticket's details by clicking on it.
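The board lifecycle described above, modelled as a small state machine so that a ticket can only move along the path Backlog, then Doing (Collection, Analysis, Production in that order), then Done. This is an added illustration, not code from the tool this page documents; the `HuntTicket` class, `board_summary` helper, and the sample ticket title and question are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of the hunt board described above (not the tool's own code).
COLUMNS = ("Backlog", "Doing", "Done")
PHASES = ("Collection", "Analysis", "Production")  # sub-phases of "Doing"


class TransitionError(ValueError):
    """Raised when a ticket is moved in a way the board does not allow."""


@dataclass
class HuntTicket:
    title: str
    question: str                 # the RFI / IR question the hunt should answer
    column: str = "Backlog"
    phase: Optional[str] = None   # only meaningful while column == "Doing"
    history: list = field(default_factory=list)

    def _record(self, note: str) -> None:
        self.history.append(note)

    def start(self) -> None:
        """Backlog -> Doing; a hunt always begins in the Collection phase."""
        if self.column != "Backlog":
            raise TransitionError(f"cannot start a ticket in {self.column}")
        self.column, self.phase = "Doing", "Collection"
        self._record("started: Doing/Collection")

    def advance(self) -> None:
        """Move a Doing ticket to the next phase, or to Done after Production."""
        if self.column != "Doing":
            raise TransitionError(f"cannot advance a ticket in {self.column}")
        idx = PHASES.index(self.phase)
        if idx + 1 < len(PHASES):
            self.phase = PHASES[idx + 1]
            self._record(f"advanced: Doing/{self.phase}")
        else:
            self.column, self.phase = "Done", None
            self._record("completed: Done")

    def send_back(self) -> None:
        """Return an in-progress hunt to the Backlog (e.g. it was deprioritised)."""
        if self.column != "Doing":
            raise TransitionError(f"cannot send back a ticket in {self.column}")
        self.column, self.phase = "Backlog", None
        self._record("returned to Backlog")

    def state(self) -> tuple:
        return (self.column, self.phase)


def board_summary(tickets) -> dict:
    """Count tickets per column, with the Doing column broken down by phase."""
    summary = {"Backlog": 0, "Done": 0, "Doing": {p: 0 for p in PHASES}}
    for t in tickets:
        if t.column == "Doing":
            summary["Doing"][t.phase] += 1
        else:
            summary[t.column] += 1
    return summary


if __name__ == "__main__":
    # Constructed sample ticket for demonstration only.
    t = HuntTicket("Unusual outbound DNS volume",
                   "Which hosts generate abnormal DNS query volumes?")
    t.start()
    t.advance()
    t.advance()
    print(t.state())            # ('Doing', 'Production')
    print(board_summary([t]))
    print(t.history)
```

Keeping the transition rules in code rather than in the ticket's free-text field means a hunt cannot reach Production without having passed through Collection and Analysis, and the `history` list gives you a simple audit trail of when each phase change happened.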