A network threat hunting reference covering eight MITRE ATT&CK tactics across the intrusion lifecycle. Every indicator includes paste-ready Arkime search expressions, Kibana (KQL) queries/filters, and Suricata rules, plus operational notes and APT attribution context.
Use the Air-gapped / Connected toggle in each page header to set your environment; it changes how off-network indicators are presented (see tripwires card).
Starred indicators persist across browser restarts and sync across open tabs in real time. Hunts are stored in localStorage under the key hunt_reference_hunts_v1; nothing leaves the browser.
Each export comes pre-formatted as a CMS-ready hunt package with timestamps, technique IDs, query syntax, and notes for easy import into TheHive.
Ordering is chronological so the export reads as a hunt timeline.
Indicators that detect traffic leaving your network (outbound to external infrastructure, cloud storage, paste sites, Tor, etc.) are marked with a ⚠ in Air-gapped mode.
Air-gapped mode: these are tripwires - they should never fire. A hit means a likely air-gap violation (USB tether, rogue cellular modem, vendor laptop bridging, supply-chain implant). Escalate.
Connected mode: the same indicators are normal detection targets - outbound C2, exfil, and beaconing are exactly what you hunt. The ⚠ marker is removed and the escalation framing drops out.
Flip between the two with the header toggle.
Variables (prefix $) are placeholders. Map to your environment before running.
Network zones: $MPNET, $EXTERNAL, $DMZ.
VLANs: $WORKSTATIONS, $ADMIN, $MGMT, etc. Generic names - map to your deployment's actual VLAN IDs and document in your hunt log.
Per-division VLANs: in environments with separate VLANs per workstation pool (engineering, HR, mission cells), use the _2, _3 suffix convention and extend the relevant indicators so they detect cross-VLAN flows.
Asset roles: $DOMAIN_CONTROLLERS, $FILE_SERVERS, $DNS_SERVERS, etc. Same _2, _3 convention for multi-VLAN (e.g. $DC_2, $FILE_SERVERS_2).
Allowlists: $ALLOWED_* prefix denotes operator-maintained lists of expected/sanctioned activity (e.g. $ALLOWED_UPDATE_SOURCES, $ALLOWED_VENDOR_INFRA, $ALLOWED_SMB_CLIENTS).
External tripwire variables: $EXTERNAL_* prefix. In air-gapped mode the indicators referencing them are tripwires; in connected mode they are normal detection targets.
Operator-fill placeholders: tokens shown like <YOUR_DOMAIN> in queries are values the operator must replace before running.
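The variable and placeholder conventions above are easy to get half-right by hand, so the following is an added example (not part of this reference or any of the tools it names) of a small pre-flight renderer: it expands $VARIABLES from an operator-maintained mapping, refuses to emit a query that still contains an unmapped variable or an unfilled <...> token, and flags an indicator as a tripwire when it references an $EXTERNAL_* variable in Air-gapped mode. The mapping values, the field names in the sample query, and the assumption that multi-valued variables expand to Arkime bracket lists ([a, b]) are all constructed for illustration; KQL and Suricata would need their own list syntax.

```python
import re

# Constructed example mapping for illustration only; real values come from your
# deployment and belong in your hunt log. Multi-valued entries expand to an
# Arkime bracket list ([a, b]), which is an assumption about the target syntax.
VARIABLES = {
    "MPNET": ["10.10.0.0/16"],
    "WORKSTATIONS": ["10.10.20.0/24", "10.10.21.0/24"],
    "DOMAIN_CONTROLLERS": ["10.10.1.10", "10.10.1.11"],
    "ALLOWED_UPDATE_SOURCES": ["10.10.5.5"],
    "EXTERNAL_PASTE_SITES": ["paste.example", "pastehost.example"],
}

VAR_RE = re.compile(r"\$([A-Z][A-Z0-9_]*)")   # $WORKSTATIONS, $DC_2, ...
FILL_RE = re.compile(r"<([A-Z][A-Z0-9_]*)>")  # <YOUR_DOMAIN>, ...


def placeholders(query):
    """Return the $VARIABLE names and <OPERATOR_FILL> tokens a query references."""
    return set(VAR_RE.findall(query)), set(FILL_RE.findall(query))


def render(query, variables=VARIABLES, fills=None, mode="connected"):
    """Expand a query template and report whether it is a tripwire in the given mode.

    Raises ValueError rather than emitting a query that still contains an unmapped
    variable or an unfilled <...> token, so a half-mapped query is never pasted.
    """
    fills = fills or {}
    var_names, fill_names = placeholders(query)
    missing = [f"${v}" for v in sorted(var_names - set(variables))]
    missing += [f"<{f}>" for f in sorted(fill_names - set(fills))]
    if missing:
        raise ValueError("unmapped placeholders: " + ", ".join(missing))

    def expand(match):
        values = variables[match.group(1)]
        return values[0] if len(values) == 1 else "[" + ", ".join(values) + "]"

    rendered = VAR_RE.sub(expand, query)
    rendered = FILL_RE.sub(lambda m: fills[m.group(1)], rendered)
    # $EXTERNAL_* convention: in air-gapped mode an indicator that references
    # external infrastructure should never fire, so it is flagged as a tripwire.
    tripwire = mode == "air-gapped" and any(v.startswith("EXTERNAL_") for v in var_names)
    return rendered, tripwire


if __name__ == "__main__":
    q = "ip.src == $WORKSTATIONS && host.http == $EXTERNAL_PASTE_SITES"
    for mode in ("air-gapped", "connected"):
        text, tripwire = render(q, mode=mode)
        print(f"[{mode}] {'TRIPWIRE ' if tripwire else ''}{text}")
```

Keep the mapping in version control next to the hunt log so that the _2/_3 suffixed variables and the $ALLOWED_* lists are reviewed whenever the network changes; the renderer only catches names that are absent, not values that have gone stale.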
The search-bar expression syntax used in this reference is one of several Arkime surfaces. Many detections that look like "find bursts" or "find fan-out" require pivoting into Arkime's aggregation views after the initial query.
Sessions view: the default flat list of session records matching your query. Best for one-off lookups and small result sets.
SPIView: aggregates the result set by any field, showing unique values and counts. Best for "find the source IP making the most distinct destinations" or "find which URI is most frequent." This is where scoping actually surfaces detections. Run the candidate query, open SPIView, sort by unique count on the field of interest.
SPIGraph: visualizes session counts as a time series per node. Good for spotting periodic patterns (beaconing), unusual time-of-day activity, and bursts as visual spikes.
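To make concrete what the SPIView and SPIGraph pivots are doing for "find fan-out" and "find beaconing" detections, here is an added example (not code from this reference or from Arkime) that performs the same two aggregations over a constructed set of session records: distinct-destination count per source, sorted by unique count as SPIView would, and a periodicity score per (source, destination, port) flow based on how regular the gaps between sessions are, which is the pattern you would otherwise look for as evenly spaced spikes in SPIGraph. The session records, addresses, and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed session records standing in for an Arkime Sessions export:
# (start time in epoch seconds, source IP, destination IP, destination port).
SESSIONS = []
# One workstation touching 30 distinct hosts on 445 inside a minute (fan-out).
for i in range(30):
    SESSIONS.append((1000 + 2 * i, "10.10.20.5", f"10.10.30.{i + 1}", 445))
# One workstation calling the same external host every ~300 s with small jitter (beacon).
for k, jitter in enumerate([0, 3, -2, 1, 4, -3, 2, 0]):
    SESSIONS.append((2000 + 300 * k + jitter, "10.10.20.7", "203.0.113.10", 443))
# Ordinary irregular file-server chatter that should match neither pattern.
for t in (2100, 2150, 2900, 5000):
    SESSIONS.append((t, "10.10.20.9", "10.10.1.10", 445))


def fan_out(sessions):
    """Distinct destination count per source, highest first (what SPIView shows
    when you aggregate on destination IP and sort by unique count)."""
    dests = defaultdict(set)
    for _, src, dst, _ in sessions:
        dests[src].add(dst)
    return sorted(((src, len(d)) for src, d in dests.items()), key=lambda x: -x[1])


def beacon_candidates(sessions, min_sessions=6, max_cv=0.2):
    """Flag (src, dst, port) flows whose inter-session gaps are nearly constant.

    The coefficient of variation (stdev / mean) of the gaps is the periodicity score:
    a steady beacon scores near 0, human-driven traffic scores near or above 1.
    min_sessions and max_cv are starting points; tune them against your baseline.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port in sessions:
        by_flow[(src, dst, port)].append(ts)
    found = []
    for (src, dst, port), times in by_flow.items():
        if len(times) < min_sessions:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else float("inf")
        if cv <= max_cv:
            found.append({"src": src, "dst": dst, "port": port,
                          "sessions": len(times), "period": period, "cv": round(cv, 3)})
    return sorted(found, key=lambda f: f["cv"])


if __name__ == "__main__":
    print("top fan-out sources:", fan_out(SESSIONS)[:3])
    for b in beacon_candidates(SESSIONS):
        print(f"beacon candidate: {b['src']} -> {b['dst']}:{b['port']} "
              f"every {b['period']:.0f}s over {b['sessions']} sessions (cv={b['cv']})")
```

The same two functions work on a CSV export of any sessions query; the point is that the initial search only scopes the records, and the detection surfaces only once you aggregate by source (fan-out) or by flow over time (periodicity).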
Numeric thresholds in queries (> 60s, > 100MB, > 50 packets) are starting points calibrated for typical environments. Tune against MPNET's normal baseline.
What counts as "anomalous" in a 50-host SCIF differs from a 500-host environment.
Before treating any indicator as a production rule: run it against your baseline traffic, look at the false-positive rate, then adjust the threshold up or down. The values shipped here are intentionally conservative-but-loose; expect to tighten.
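The threshold-tuning step above is easier to do systematically than by eye, so the following is an added example (not part of this reference) of the calibration loop it describes: measure the false-positive rate a shipped "> threshold" value produces against baseline traffic, then pick the lowest threshold that keeps the false-positive rate within a budget you choose. The baseline durations are constructed for illustration; in practice they come from an Arkime export of the same flow class over a known-quiet period.

```python
import math

# Constructed baseline: session durations (seconds) observed for one flow class
# during a quiet week. Most are short; a long tail of legitimate long-lived
# sessions (backups, remote consoles) remains and would trip a loose threshold.
BASELINE_DURATIONS = list(range(1, 81)) + [
    90, 120, 150, 200, 300, 450, 600, 900, 1200, 1800,
    2400, 3600, 5400, 7200, 10800, 14400, 18000, 21600, 28800, 43200,
]


def false_positive_rate(baseline, threshold):
    """Fraction of known-good baseline values a '> threshold' indicator would flag."""
    return sum(1 for v in baseline if v > threshold) / len(baseline)


def threshold_for_budget(baseline, max_fp_rate):
    """Lowest threshold such that a '> threshold' rule fires on at most max_fp_rate
    of baseline traffic, i.e. the (1 - max_fp_rate) quantile of the baseline."""
    ordered = sorted(baseline)
    allowed = math.floor(round(max_fp_rate * len(ordered), 9))
    return ordered[len(ordered) - allowed - 1]


def calibrate(baseline, shipped_threshold, max_fp_rate):
    """Compare the shipped starting threshold with the baseline and propose a tuned one."""
    tuned = threshold_for_budget(baseline, max_fp_rate)
    return {
        "shipped": shipped_threshold,
        "shipped_fp_rate": false_positive_rate(baseline, shipped_threshold),
        "tuned": tuned,
        "tuned_fp_rate": false_positive_rate(baseline, tuned),
    }


if __name__ == "__main__":
    # The reference ships '> 60s' as a starting point; check it against this baseline
    # with a 10% false-positive budget.
    report = calibrate(BASELINE_DURATIONS, shipped_threshold=60, max_fp_rate=0.10)
    print(f"shipped > {report['shipped']}s fires on {report['shipped_fp_rate']:.0%} of baseline")
    print(f"tuned   > {report['tuned']}s fires on {report['tuned_fp_rate']:.0%} of baseline")
```

Record both numbers in the hunt log alongside the final value you deploy; when the baseline is re-collected after a network change, re-running the same calculation shows whether the threshold still holds or has drifted.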