Threat Hunting


Hunt for internal sightings of malicious files or connections to malicious domains or IP addresses.


Use Case

Insider Threat, Advanced Threat Detection, SOC Automation


Command and Control, Malware

Security Impact

Threat hunting can be a repetitive process, whether the goal is to enrich threat data or to apply curated threat data relevant to the network. Automating the repetitive hunting steps frees analysts to perform deeper investigations of what the hunt turns up.

Alert Volume

Very Low


Stage 5

Data Sources

Anti-Virus or Anti-Malware
Host-based IDS

How to Implement

The threat hunting playbook uses Splunk as well as EDR tools to hunt for indicators in the environment. Additional actions in the playbook can be used to get additional information about the indicators and further investigate any malicious files discovered.
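The hunt step described above, as an added Python example that is not the playbook's or Phantom's own code: it refangs a small constructed indicator list (hashes, a defanged domain and URL, an IP address) and matches it against constructed AV and host-IDS events, which is the stand-alone equivalent of the Splunk and EDR lookups the playbook runs.

```python
import ipaddress
import re

# Constructed indicator list, in the mixed form feeds often deliver:
# defanged domains and URLs, upper-case hashes, trailing dots.
INDICATORS = [
    "0123456789ABCDEF0123456789ABCDEF",        # md5-length hash, constructed
    "evil-updates[.]example",                   # defanged domain, constructed
    "hxxp://evil-updates[.]example/payload",    # defanged URL, same host
    "203.0.113.45",                             # TEST-NET-3 address, constructed
]

# Constructed AV / host IDS events as a SIEM might normalise them.
EVENTS = [
    {"host": "ws01", "sourcetype": "av", "file_hash": "0123456789abcdef0123456789abcdef"},
    {"host": "ws02", "sourcetype": "hids", "dest": "EVIL-UPDATES.example."},
    {"host": "ws03", "sourcetype": "hids", "dest": "203.0.113.45"},
    {"host": "ws04", "sourcetype": "av", "file_hash": "d41d8cd98f00b204e9800998ecf8427e"},  # benign, no match
]

_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def normalize(ioc):
    """Refang and normalise one indicator; returns (field, value) or None."""
    v = ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    if v.startswith(("http://", "https://")):
        v = v.split("//", 1)[1].split("/", 1)[0]  # keep only the host part
    v = v.rstrip(".")
    if _HASH_RE.match(v):
        return ("file_hash", v)
    try:
        ipaddress.ip_address(v)
        return ("dest", v)
    except ValueError:
        pass
    if "." in v and " " not in v:
        return ("dest", v)
    return None


def hunt(events, indicators):
    """Return (host, field, value) for every event that matches an indicator."""
    wanted = {n for n in map(normalize, indicators) if n}
    sightings = []
    for ev in events:
        for field in ("file_hash", "dest"):
            if field in ev and (field, ev[field].lower().rstrip(".")) in wanted:
                sightings.append((ev["host"], field, ev[field].lower().rstrip(".")))
    return sightings
```

Each sighting returned is the point where the playbook's follow-on enrichment actions (file reputation, EDR process tree) would take over.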

How To Respond

This playbook can be used to further investigate any discovered malicious connections or files in the environment. The playbook can also be re-arranged to perform investigative actions first to enrich threat intel data before hunting for it, as well as being used in conjunction with other playbooks.


Threat Hunting Help

Simply deploy Phantom and work with your technical team to deploy this.

Screenshot of Demo Data