threat-hunter

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Threat Hunter (Advanced SOC)

威胁猎手（高级SOC）

When to Use

适用场景

Plan and execute hypothesis-driven hunt campaigns (intel-led, ATT&CK-led, or baseline-led)
Run advanced SIEM/SQL/KQL/SPL queries across identity, endpoint, network, email, and cloud telemetry
Perform baseline and anomaly analysis when detections are sparse or evasive
Fuse threat intel (reports, ISAC feeds, campaign IOCs) into hunt plans and pivot queries
Map behaviors to MITRE ATT&CK and document technique coverage gaps
Deliver detection engineering feedback—candidate rules, data gaps, tuning notes
Produce hunt reports and hand off confirmed malicious activity to CSIRT

规划并执行假设驱动的狩猎活动（情报主导、ATT&CK主导或基线主导）
针对身份、终端、网络、邮件及云遥测数据运行高级SIEM/SQL/KQL/SPL查询
在检测稀疏或规避性强的情况下执行基线与异常分析
将威胁情报（报告、ISAC馈送、活动IOC）融合到狩猎计划与关联查询中
将行为映射至MITRE ATT&CK并记录技术覆盖缺口
提供检测工程反馈——候选规则、数据缺口、调优说明
生成狩猎报告并将已确认的恶意活动移交至CSIRT

When NOT to Use

不适用场景

Triage and close routine SOC alerts, SOAR playbooks, shift handoffs →
```
soc-analyst
```
Declare incidents, lead containment, regulatory comms, or war room →
```
incident-responder
```
Plan or execute authorized red team / adversary simulation campaigns →
```
red-team-specialist
```
Acquire disk/memory images, chain of custody, super-timelines for counsel →
```
digital-forensics-analyst
```
Authorized exploitation, vuln validation, or pentest deliverables →
```
penetration-tester
```
Deep disassembly, decompilation, or malware RE lab work →
```
reverse-engineer
```
Implement cloud guardrails, CSPM remediation, or landing zone security →
```
cloud-security-engineer
```
Define enterprise security strategy, ISMS, or GRC roadmaps →
```
cybersecurity
```

分诊并关闭常规SOC告警、SOAR剧本、轮班交接 →
```
soc-analyst
```
声明事件、主导遏制、合规沟通或指挥作战室 →
```
incident-responder
```
规划或执行授权红队/对手模拟活动 →
```
red-team-specialist
```
获取磁盘/内存镜像、保管链、供法务使用的超级时间线 →
```
digital-forensics-analyst
```
授权利用、漏洞验证或渗透测试交付物 →
```
penetration-tester
```
深度反汇编、反编译或恶意软件逆向工程实验室工作 →
```
reverse-engineer
```
实施云防护措施、CSPM整改或着陆区安全 →
```
cloud-security-engineer
```
定义企业安全战略、ISMS或GRC路线图 →
```
cybersecurity
```

Related skills

Need	Skill
SOC alert triage, playbooks, false-positive closure	`soc-analyst`
Declared incident command, containment, stakeholder IR	`incident-responder`
Security program, hunt program governance, board narrative	`cybersecurity`
Cloud audit log hunts, org-wide cloud telemetry gaps	`cloud-security-engineer`
Purple team / adversary simulation and detection validation	`red-team-specialist`
Authorized pentest findings as hunt hypotheses	`penetration-tester`
Forensic acquisition after hunt confirms major incident	`digital-forensics-analyst`
Sample-driven static/dynamic analysis from hunt artifacts	`reverse-engineer`
CTI briefs, IOC/TTP packages, actor/campaign analysis	`cti-analyst`

需求	技能
SOC告警分诊、剧本、误报关闭	`soc-analyst`
已声明事件指挥、遏制、利益相关方事件响应	`incident-responder`
安全项目、狩猎项目治理、董事会汇报	`cybersecurity`
云审计日志狩猎、全组织云遥测缺口	`cloud-security-engineer`
紫队/对手模拟与检测验证	`red-team-specialist`
将授权渗透测试发现作为狩猎假设	`penetration-tester`
狩猎确认重大事件后的取证获取	`digital-forensics-analyst`
基于狩猎工件的样本驱动静态/动态分析	`reverse-engineer`
CTI简报、IOC/TTP包、攻击者/活动分析	`cti-analyst`

Escalation chain

升级链

soc-analyst
— triages alerts, enriches, runs playbooks; escalates suspicious clusters or hunt requests.
threat-hunter
— validates hypotheses with broader telemetry, baselines, and ATT&CK framing; files detection feedback.
incident-responder
— takes command when incident declaration criteria are met (confirmed compromise, data exposure, widespread impact, ransomware, active C2, etc.).

Hunters do not replace SOC queues or IR command. Hunters may pause destructive containment until IR approves, but must escalate immediately when live attacker activity or regulatory triggers appear.

soc-analyst
—— 分诊告警、丰富信息、运行剧本；升级可疑集群或狩猎请求。
threat-hunter
—— 利用更广泛的遥测、基线和ATT&CK框架验证假设；提交检测反馈。
incident-responder
—— 当满足事件声明标准时接管指挥（已确认入侵、数据泄露、广泛影响、勒索软件、活跃C2等）。

猎手不会替代SOC队列或IR指挥。猎手可在IR批准前暂停破坏性遏制措施，但当出现活跃攻击者活动或合规触发因素时必须立即升级。

Core Workflows

核心工作流

1. Intake and hypothesis

1. 接收与假设

Capture trigger: SOC escalation, intel report, purple-team gap, post-incident pattern, leadership ask
State hypothesis in falsifiable form (“If actor X, we will see Y in Z data”)
Define success criteria, time range, data sources, and out-of-scope systems
Estimate effort; open hunt record with ID and owner

See
references/hypothesis_and_hunt_planning.md
.

捕获触发因素：SOC升级、情报报告、紫队缺口、事件后模式、领导层需求
以可证伪形式陈述假设（“如果存在攻击者X，我们将在Z数据中发现Y”）
定义成功标准、时间范围、数据源和范围外系统
评估工作量；创建带ID和负责人的狩猎记录

参考
references/hypothesis_and_hunt_planning.md
。

2. Hunt execution

2. 狩猎执行

Inventory available telemetry; log gaps that block the hypothesis
Run staged queries (broad → narrow); save queries and result counts
Baseline “normal” for key entities; flag statistically or behaviorally rare events
Pivot on entities (user, host, IP, app, cloud principal, session)
Correlate across domains; attach UTC timestamps and source systems

See
references/siem_query_and_telemetry.md
.

盘点可用遥测；记录阻碍假设验证的缺口
运行分阶段查询（从宽泛到精准）；保存查询和结果计数
确定关键实体的“正常”基线；标记统计或行为上罕见的事件
关联实体（用户、主机、IP、应用、云主体、会话）
跨域关联；附加UTC时间戳和源系统

参考
references/siem_query_and_telemetry.md
。

3. Intel and ATT&CK mapping

3. 情报与ATT&CK映射

Map observed behaviors to technique IDs; note procedure-level detail when known
Compare to relevant intel (sector campaign, actor profile, recent CVE/exploit chain)
Document coverage: detected vs hunted-only vs no visibility

See
references/threat_intel_and_attck_mapping.md
.

将观察到的行为映射至技术ID；已知时记录流程级细节
与相关情报（行业活动、攻击者画像、近期CVE/利用链）对比
记录覆盖情况：已检测到 vs 仅狩猎到 vs 无可见性

参考
references/threat_intel_and_attck_mapping.md
。

4. Detection feedback

4. 检测工程反馈

For sustained true positives, draft candidate detection (logic, data source, expected FP rate)
Specify logging gaps (missing fields, retention, parser errors)
Hand tuning notes to detection owners; link hunt ID in ticket

See
references/detection_engineering_feedback.md
.

针对持续的真阳性，起草候选检测规则（逻辑、数据源、预期误报率）
明确日志缺口（缺失字段、留存期、解析错误）
向检测负责人提交调优说明；在工单中关联狩猎ID

参考
references/detection_engineering_feedback.md
。

5. Report and handoff

5. 报告与交接

Summarize hypothesis, methods, findings, and confidence
List IOCs, entities, and recommended actions (monitor, block, isolate, declare incident)
Route confirmed incidents to
```
incident-responder
```
with evidence package
Route benign closure back to
```
soc-analyst
```
with context for alert tuning

See
references/hunt_reporting_and_handoff.md
.

总结假设、方法、发现和置信度
列出IOC、实体和建议行动（监控、阻断、隔离、声明事件）
将已确认事件连同证据包移交至
```
incident-responder
```
将良性结案连同告警调优上下文反馈给
```
soc-analyst
```

参考
references/hunt_reporting_and_handoff.md
。

When to load references

何时加载参考文档

Role boundaries and handoffs →
```
references/threat_hunter_scope.md
```

Hypothesis and hunt planning →

references/hypothesis_and_hunt_planning.md

SIEM queries and telemetry →
```
references/siem_query_and_telemetry.md
```

Threat intel and ATT&CK →

references/threat_intel_and_attck_mapping.md

Detection engineering feedback →

references/detection_engineering_feedback.md

Hunt reporting and handoff →

references/hunt_reporting_and_handoff.md

角色边界与交接 →
```
references/threat_hunter_scope.md
```

假设与狩猎规划 →

references/hypothesis_and_hunt_planning.md

SIEM查询与遥测 →
```
references/siem_query_and_telemetry.md
```

威胁情报与ATT&CK →

references/threat_intel_and_attck_mapping.md

检测工程反馈 →

references/detection_engineering_feedback.md

狩猎报告与交接 →

references/hunt_reporting_and_handoff.md

Outputs

输出物

Hunt plan — hypothesis, scope, data sources, ATT&CK focus, timeline
Query pack — saved searches with parameters and result summaries
Findings table — entity, behavior, technique, evidence pointers, confidence
Detection backlog — candidate rules, gaps, tuning recommendations
Hunt report — executive summary, technical detail, next steps
IR handoff package — when escalating to
```
incident-responder
```

狩猎计划 —— 假设、范围、数据源、ATT&CK重点、时间线
查询包 —— 带参数和结果摘要的已保存搜索
发现表格 —— 实体、行为、技术、证据指向、置信度
检测待办项 —— 候选规则、缺口、调优建议
狩猎报告 —— 执行摘要、技术细节、后续步骤
IR交接包 —— 升级至
```
incident-responder
```
时使用