AutoHunt - ML Threat Hunting Automation based on Behavioral Detection

Automated threat hunting repository that monitors various threat intelligence sources and extracts indicators of compromise (IOCs).

Features

  • 🔍 Multi-Source Threat Intelligence, e.g.:

    • MISP (Open Source Threat Intelligence and Sharing Platform)
    • Twitter/X hashtag monitoring (#opendir, #malware, #phishing, etc.)
    • RSS/Atom feeds (CISA, SANS ISC, security blogs)
    • URLhaus malicious URL feed
    • Malware Bazaar sample feed
  • ⚙️ Machine Learning Analysis

    • Isolation Forest algorithm for unsupervised anomaly detection
    • Identifies threats that deviate from the normal baseline behavior without requiring pre-labeled datasets
    • Each finding is assigned an Anomaly Score (0-100%), where a higher score indicates a higher probability of malicious activity
  • 🎯 IOC Extraction

    • Automatic IOC extraction (IPs, domains, URLs, hashes, emails, CVEs)
    • Defanging support (hxxp://, [.]domain[.]com)
    • Benign indicator filtering
  • ⚙️ Automation

    • Deduplication to avoid reprocessing
    • State persistence between runs
    • Configurable via JSON
  • 📢 Notifications

    • Webex Teams integration
    • Slack webhook support
    • Priority alerts for threats

Automated DFIR & Threat Hunting Workflow

This workflow integrates automated telemetry, proactive hunting, and orchestrated incident response (SOAR) to minimize Mean Time to Respond (MTTR) while maintaining high technical quality.

Key Performance Indicators (KPIs)

| Metric | Goal | Rationale |
|---|---|---|
| MTTA (Acknowledge) | < 2 minutes | Automated triage ensures the incident is "acknowledged" and enriched instantly. |
| Automation Ratio | > 60% | Percentage of alerts that are auto-closed or auto-remediated without manual intervention. |
| FP Rate (False Positive) | < 5% | A high signal-to-noise ratio is critical to prevent analyst burnout. |
| Conversion Rate | > 50% | Percentage of manual threat hunts that result in a new, automated Sigma/YARA rule. |

Installation

# Clone the repository
git clone https://github.com/st-mn/autohunt.git
cd autohunt

# Install dependencies
pip install -r requirements.txt

Usage

Automated threat hunting can be invoked via AutoDR or standalone with custom configs and schedulers.

List Available Hunts

python autodr.py --list-hunts

Run Specific Hunt

python autodr.py hunt dns_tunneling

Use Custom Config

python threat_hunter.py -c /path/to/custom_config.json

Scheduling

Using Cron (Linux/Mac)

# Run every 4 hours
0 */4 * * * /path/to/venv/bin/python /path/to/threat_hunter.py >> /var/log/autohunt.log 2>&1

IOC Types Extracted

| Type | Pattern | Example |
|---|---|---|
| IPv4 | Standard IP format | 192.168.1.1 |
| IPv6 | Full IPv6 format | 2001:0db8:... |
| Domain | FQDN pattern | evil.com |
| URL | HTTP/HTTPS URLs | http://evil.com/malware |
| MD5 | 32 hex chars | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | 40 hex chars | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | 64 hex chars | e3b0c44298fc1c149afbf4c8996fb924... |
| Email | Email format | attacker@evil.com |
| CVE | CVE identifier | CVE-2024-1234 |
| Bitcoin | BTC address | 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 |
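As an added illustration of the refang, extract, deduplicate and benign-filter steps described in the IOC Extraction section and this table (example code written for this page, not code from the autohunt repository), assuming a constructed sample text, a hypothetical benign-domain allowlist and regexes of my own rather than the project's:

```python
import ipaddress
import re

# Constructed sample feed text (not real intelligence), written with the two
# defanging styles the README lists: hxxp:// and [.] notation.
SAMPLE = """Phishing kit live at hxxp://evil[.]com/login and hxxps://203[.]0[.]113[.]7/x
sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 md5 d41d8cd98f00b204e9800998ecf8427e
Operator mail attacker@evil[.]com; exploits CVE-2024-1234. Beacons to 10.0.0.5 (lab box).
Write-up mirrored at docs.example.com for reference."""

OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"  # 0-255, so every match is a valid address
PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "email": re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}\b", re.I),
    "ipv4": re.compile(rf"\b(?:{OCTET}\.){{3}}{OCTET}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "sha1": re.compile(r"\b[0-9a-f]{40}\b", re.I),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.I),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

# Benign filter: RFC 1918, loopback and link-local ranges, plus a hypothetical
# allowlist of domains that appear in reports without being indicators.
BENIGN_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
BENIGN_DOMAINS = {"example.com", "github.com", "microsoft.com"}

def refang(text: str) -> str:
    """Undo common defanging so the patterns see the original indicator."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[@]", "@")

def is_benign(kind: str, value: str) -> bool:
    if kind == "ipv4":
        return any(ipaddress.ip_address(value) in net for net in BENIGN_NETS)
    if kind == "domain":
        v = value.lower()
        return any(v == d or v.endswith("." + d) for d in BENIGN_DOMAINS)
    return False

def extract_iocs(text: str) -> dict:
    """Return {type: [unique values, first-seen order]} with benign hits dropped."""
    text = refang(text)
    found = {}
    for kind, pat in PATTERNS.items():
        hits = [m for m in dict.fromkeys(pat.findall(text)) if not is_benign(kind, m)]
        if hits:
            found[kind] = hits
    return found
```

Note that the word-boundary anchors keep the MD5 and SHA1 patterns from matching inside a longer SHA256 string, and the benign filter drops the lab address 10.0.0.5 and the allowlisted docs.example.com while keeping the external indicators.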

Acknowledgments
