Threat Hunting · 16 articles

Threat Hunting

SIEM use-cases, detection rules, MITRE ATT&CK hunting techniques.

Blue Team

SIGINT for Defenders: Network Telemetry as Threat Intelligence

Defensive SIGINT — DNS DGA detection, DNS tunneling, beacon detection, exfiltration sizing, newly-registered domain queries. Splunk/SQL examples plus the Zeek + RITA…

Apr 25, 2026 · 3 min read
Blue Team

Detecting C2 Traffic from Network Telemetry: The Layered Approach

C2 detection from network telemetry — beaconing analysis with RITA, JA3/JA4 fingerprinting, DNS analytics for tunneling and DGA, HTTP/HTTPS anomalies, threat-intel destination…

Apr 25, 2026 · 3 min read
Blue Team

YARA Rules: Writing Detection Logic That Works

YARA syntax, effective rule patterns (combining weak signals, file-format anchors, PE module), public rule sources (signature-base, SigmaHQ), deployment across endpoint EDR, email…

Apr 25, 2026 · 2 min read
Blue Team

Building a Threat-Led Programme with MITRE ATT&CK

MITRE ATT&CK beyond marketing — pick relevant techniques from threat intel, map detection coverage, validate with Atomic Red Team and Caldera, operationalise…

Apr 25, 2026 · 3 min read
Blue Team

Sigma Rules: Vendor-Agnostic Detection in 2026

Sigma is the YAML detection-rule format that compiles to any SIEM. Rule structure, public repositories (SigmaHQ, signature-base), conversion workflow with pySigma, deployment…

Apr 25, 2026 · 3 min read
Blue Team

7 SIEM Rules That Actually Catch Lateral Movement (Splunk, Elastic, Sigma)

Average dwell time before detection in Indian enterprise environments: 14 to 42 days, mostly spent on lateral movement. Seven specific, tunable SIEM…

Apr 25, 2026 · 6 min read