1.6 KiB
1.6 KiB
ThreatHunter
ThreatHunter is a SIEM‑lite security visibility tool built for small and mid‑sized businesses.
It focuses on one simple question:
“What suspicious outbound connections are my computers making?”
Without:
- Heavy agents
- Constant data streaming
- Enterprise SIEM complexity
What ThreatHunter Does
- Collects Windows Firewall / WFP connection events
- Detects connections to known‑bad IPs using reputation data
- Processes data locally on the endpoint
- Uploads only confirmed security hits
- Automatically creates Security alerts in Syncro
- Provides a clean web UI for technicians and customers
Why It Exists
Most SMBs:
- Have no visibility into outbound traffic
- Can’t justify a full SIEM or EDR
- Still want to see the crazy stuff touching their machines
ThreatHunter is designed to be:
- Free or low‑cost
- Easy to deploy via Syncro
- Useful as both a security tool and an educational aid
Architecture Overview
Endpoint
- PowerShell script
- Runs on a schedule via Syncro
- Buffers and correlates locally
- Hashes executables only on suspicious hits
Server
- VPS‑hosted API + database
- Receives hit data
- Creates Syncro Security tickets
- Hosts ThreatHunter web portal
Status
🚧 Early development / v1 build phase
See project.md for full technical and architectural details.
Disclaimer
ThreatHunter is not a replacement for:
- EDR
- Full SIEM
- IDS/IPS
It is a visibility and awareness tool designed to surface suspicious behavior early and guide next steps.