# Threat Hunting
Threat hunting is the proactive search for threats that have evaded automated detection. The One Security provides a structured hunt workflow tied to MITRE ATT&CK techniques and your available data sources.
## Threat Hunt Lifecycle
Draft → In Progress → Completed / Cancelled
| Status | Description |
|---|---|
| Draft | Hunt created but not yet started |
| In Progress | Actively being investigated |
| Completed | Hunt concluded; findings documented |
| Cancelled | Hunt abandoned |
## Creating a Threat Hunt
Navigate to SecOps → Threat Hunting and click New Hunt.
| Field | Required | Description |
|---|---|---|
| Title | Yes | Short descriptive name (e.g., "Lateral Movement via SMB — Acme Corp") |
| Hypothesis | Yes | If-then hypothesis: "If an attacker used T1021.002, we would see unusual SMB traffic from workstations to servers" |
| MITRE Techniques | No | Comma-separated technique IDs (e.g., T1059, T1078, T1566) |
| Data Sources | No | Comma-separated sources to search (e.g., EDR logs, DNS, firewall) |
## Hunt Metrics
Each hunt tracks:
| Metric | Description |
|---|---|
| Findings | Number of suspicious items discovered during the hunt |
| IOCs Discovered | Indicators of compromise identified (IPs, hashes, domains) |
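The lifecycle, the hunt fields, and the two metrics above fit together as one small workflow. The following is an added example written for this page; it is not code from The One Security itself. It models a hunt record with the Draft → In Progress → Completed / Cancelled transitions, validates comma-separated MITRE technique IDs, runs the SMB lateral-movement hypothesis from the table against a few constructed firewall log lines (the log format, the 10.10.0.0/16 workstation and 10.20.0.0/16 server ranges, and the fan-out threshold are assumptions for the example), and records findings and IOCs the way the metrics table counts them.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# ATT&CK technique IDs: T + four digits, with an optional .NNN sub-technique (e.g. T1021.002).
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Allowed status transitions, following the Threat Hunt Lifecycle table.
TRANSITIONS = {
    "Draft": {"In Progress", "Cancelled"},
    "In Progress": {"Completed", "Cancelled"},
    "Completed": set(),
    "Cancelled": set(),
}


def parse_csv(value):
    """Split a comma-separated form field, dropping blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_techniques(value):
    """Validate the MITRE Techniques field; reject malformed IDs early."""
    ids = parse_csv(value)
    bad = [i for i in ids if not TECHNIQUE_ID.match(i)]
    if bad:
        raise ValueError(f"invalid technique id(s): {bad}")
    return ids


@dataclass
class Finding:
    description: str
    technique: str   # technique the finding maps back to
    iocs: list       # IPs, hashes, domains discovered with this finding


@dataclass
class Hunt:
    title: str
    hypothesis: str
    techniques: list = field(default_factory=list)
    data_sources: list = field(default_factory=list)
    status: str = "Draft"
    findings: list = field(default_factory=list)

    def transition(self, new_status):
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"cannot move from {self.status} to {new_status}")
        self.status = new_status

    def add_finding(self, finding):
        # Findings are only recorded while the hunt is actively investigated.
        if self.status != "In Progress":
            raise ValueError("findings can only be recorded while In Progress")
        if self.techniques and finding.technique not in self.techniques:
            raise ValueError(f"{finding.technique} is not attached to this hunt")
        self.findings.append(finding)

    def metrics(self):
        # "IOCs Discovered" counts distinct indicators across all findings.
        iocs = {ioc for f in self.findings for ioc in f.iocs}
        return {"findings": len(self.findings), "iocs_discovered": len(iocs)}


def new_hunt(title, hypothesis, techniques="", data_sources=""):
    """Mirror the New Hunt form: Title and Hypothesis required, the rest optional."""
    if not title.strip() or not hypothesis.strip():
        raise ValueError("title and hypothesis are required")
    return Hunt(title.strip(), hypothesis.strip(),
                parse_techniques(techniques), parse_csv(data_sources))


# Constructed firewall log lines (assumed format) used as the hunt's data source.
SAMPLE_FIREWALL_LOGS = """\
2024-05-01T10:00:01Z src=10.10.4.21 dst=10.20.1.5 dport=445 proto=tcp action=allow
2024-05-01T10:00:03Z src=10.10.4.21 dst=10.20.1.6 dport=445 proto=tcp action=allow
2024-05-01T10:00:04Z src=10.10.4.21 dst=10.20.1.7 dport=445 proto=tcp action=allow
2024-05-01T10:00:05Z src=10.10.4.21 dst=10.20.1.8 dport=445 proto=tcp action=allow
2024-05-01T10:01:00Z src=10.10.7.9 dst=10.20.1.5 dport=445 proto=tcp action=allow
2024-05-01T10:02:00Z src=10.10.7.9 dst=10.20.2.2 dport=443 proto=tcp action=allow
"""
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")  # assumed workstation range
SERVERS = ipaddress.ip_network("10.20.0.0/16")       # assumed server range


def smb_fanout(log_text, threshold=3):
    """Hypothesis check for T1021.002: workstations opening SMB (445) to many distinct servers."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group(3) != "445":
            continue
        src, dst = m.group(1), m.group(2)
        if ipaddress.ip_address(src) in WORKSTATIONS and ipaddress.ip_address(dst) in SERVERS:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def run_smb_hunt():
    """Walk one hunt through the lifecycle and return it with findings and metrics."""
    hunt = new_hunt("Lateral Movement via SMB - Example Corp",
                    "If an attacker used T1021.002, we would see unusual SMB traffic "
                    "from workstations to servers",
                    techniques="T1021.002", data_sources="firewall")
    hunt.transition("In Progress")
    for src, dsts in smb_fanout(SAMPLE_FIREWALL_LOGS).items():
        hunt.add_finding(Finding(f"{src} opened SMB to {len(dsts)} servers",
                                 "T1021.002", [src] + dsts))
    hunt.transition("Completed")
    return hunt
```

The threshold of three distinct servers is a tunable assumption: in a real hunt it would be set from a baseline of normal SMB fan-out in the environment, and the resulting findings would then be reviewed before any escalation to an incident.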
## Hunt Detail View
Click any hunt to open the detail view, which shows the full hypothesis, linked MITRE techniques, data sources queried, timeline of the investigation, and all findings. From the detail view, findings can be escalated to incidents.
## Threat Intelligence
Navigate to SecOps → Threat Intelligence to view the threat intel feed. The threat intel module aggregates IOCs and feeds them into the hunt workflow, allowing analysts to search for known malicious indicators across collected telemetry.
## MITRE ATT&CK Integration
Threat hunts reference MITRE ATT&CK technique IDs to provide structured context. When technique IDs are attached to a hunt, findings can be mapped back to the attack chain — useful for building executive reports and improving detection rule coverage.