# ThreatHunter

ThreatHunter is a **SIEM‑lite security visibility tool** built for small and mid‑sized businesses.

It focuses on one simple question:

> *“What suspicious outbound connections are my computers making?”*

Without:

- Heavy agents
- Constant data streaming
- Enterprise SIEM complexity

---

## What ThreatHunter Does

- Collects Windows Firewall / WFP connection events
- Detects connections to known‑bad IPs using reputation data
- Processes data **locally on the endpoint**
- Uploads only confirmed security hits
- Automatically creates **Security alerts in Syncro**
- Provides a clean web UI for technicians and customers

---

## Why It Exists

Most SMBs:

- Have no visibility into outbound traffic
- Can’t justify a full SIEM or EDR
- Still want to *see the crazy stuff* touching their machines

ThreatHunter is designed to be:

- Free or low‑cost
- Easy to deploy via Syncro
- Useful as both a security tool and an educational aid

---

## Architecture Overview

**Endpoint**

- PowerShell script
- Runs on a schedule via Syncro
- Buffers and correlates locally
- Hashes executables only on suspicious hits

**Server**

- VPS‑hosted API + database
- Receives hit data
- Creates Syncro Security tickets
- Hosts ThreatHunter web portal

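The endpoint side of this design, as an added example that is not ThreatHunter's own code: it reads WFP connection events, matches destinations against a constructed stand-in for the reputation feed, and hashes the executable only on a confirmed hit so that only hit records are ever uploaded. Assumptions: WFP "permitted connection" events are Security log Event ID 5156 with `%%14593` marking outbound, and the names `$BadIps`, `Convert-DevicePath`, `Get-OutboundConnections` and `Find-SuspiciousHits` are this example's own.

```powershell
# Added example, not ThreatHunter's own code. Assumes WFP "permitted connection" events are
# Security log Event ID 5156 and that $BadIps stands in for the reputation feed (constructed).
$BadIps = @{ '203.0.113.7' = 'constructed-c2'; '198.51.100.23' = 'constructed-scanner' }

function Convert-DevicePath {
    # 5156 reports \device\harddiskvolumeN\... paths. Simplification (assumption): map every
    # volume to the system drive; multi-volume hosts need a real device-to-letter mapping.
    param([string]$Path)
    $Path -replace '^\\device\\harddiskvolume\d+', $env:SystemDrive
}

function Get-OutboundConnections {
    # Requires "Audit Filtering Platform Connection" success auditing to be enabled.
    param([int]$MinutesBack = 15)
    $filter = @{ LogName = 'Security'; Id = 5156; StartTime = (Get-Date).AddMinutes(-$MinutesBack) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $f = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Application = Convert-DevicePath $f.Application
            DestAddress = $f.DestAddress
            DestPort    = [int]$f.DestPort
            Outbound    = ($f.Direction -eq '%%14593')   # %%14593 = Outbound in the 5156 string table
        }
    }
}

function Find-SuspiciousHits {
    # Emits a record only for outbound connections to reputation-listed IPs and hashes the
    # executable only at that point, so benign traffic never leaves the endpoint.
    param([Parameter(ValueFromPipeline)] $Conn, [hashtable]$Reputation = $BadIps)
    process {
        if (-not $Conn.Outbound) { return }
        $tag = $Reputation[$Conn.DestAddress]
        if (-not $tag) { return }
        $hash = $null
        if (Test-Path -LiteralPath $Conn.Application) {
            $hash = (Get-FileHash -LiteralPath $Conn.Application -Algorithm SHA256).Hash
        }
        [pscustomobject]@{ Host = $env:COMPUTERNAME; Time = $Conn.Time; Application = $Conn.Application
                           Sha256 = $hash; DestAddress = $Conn.DestAddress; DestPort = $Conn.DestPort; Reason = $tag }
    }
}

# Offline demo on constructed records; on a real host pipe Get-OutboundConnections instead.
$sample = @(
    [pscustomobject]@{ Time = Get-Date; Application = 'C:\Windows\System32\svchost.exe'; DestAddress = '192.0.2.10';  DestPort = 443;  Outbound = $true }
    [pscustomobject]@{ Time = Get-Date; Application = 'C:\Users\Public\update.exe';      DestAddress = '203.0.113.7'; DestPort = 8443; Outbound = $true }
)
$sample | Find-SuspiciousHits | ConvertTo-Json -Depth 3   # only the 203.0.113.7 record is emitted
```

The JSON object produced for the hit is the only payload the server would need to receive; the benign `svchost.exe` connection is dropped on the endpoint and never hashed.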
---

## Status

🚧 Early development / v1 build phase

See `project.md` for full technical and architectural details.

---

## Disclaimer

ThreatHunter is **not** a replacement for:

- EDR
- Full SIEM
- IDS/IPS

It is a **visibility and awareness tool** designed to surface suspicious behavior early and guide next steps.