cnicholas
/
ThreatHunter
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1 Commit
1 Branch
0 Tags
24 KiB
Markdown 100%
 
Go to file
cnicholas 0fbee0dd7e Upload files to "/" 2025-12-13 01:03:50 +00:00
README.md Upload files to "/" 2025-12-13 01:03:50 +00:00
project.md Upload files to "/" 2025-12-13 01:03:50 +00:00

README.md

ThreatHunter

ThreatHunter is a SIEMlite security visibility tool built for small and midsized businesses.

It focuses on one simple question:

“What suspicious outbound connections are my computers making?”

Without:

  • Heavy agents
  • Constant data streaming
  • Enterprise SIEM complexity

What ThreatHunter Does

  • Collects Windows Firewall / WFP connection events
  • Detects connections to knownbad IPs using reputation data
  • Processes data locally on the endpoint
  • Uploads only confirmed security hits
  • Automatically creates Security alerts in Syncro
  • Provides a clean web UI for technicians and customers

Why It Exists

Most SMBs:

  • Have no visibility into outbound traffic
  • Cant justify a full SIEM or EDR
  • Still want to see the crazy stuff touching their machines

ThreatHunter is designed to be:

  • Free or lowcost
  • Easy to deploy via Syncro
  • Useful as both a security tool and an educational aid

Architecture Overview

Endpoint

  • PowerShell script
  • Runs on a schedule via Syncro
  • Buffers and correlates locally
  • Hashes executables only on suspicious hits

Server

  • VPShosted API + database
  • Receives hit data
  • Creates Syncro Security tickets
  • Hosts ThreatHunter web portal

Status

🚧 Early development / v1 build phase

See project.md for full technical and architectural details.

Disclaimer

ThreatHunter is not a replacement for:

  • EDR
  • Full SIEM
  • IDS/IPS

It is a visibility and awareness tool designed to surface suspicious behavior early and guide next steps.