Threat Hunting
Move from “what does the dashboard tell me?” to “does this specific behavior exist in this capture?”. A hunt workspace holds a hypothesis, its queries, pinned evidence, and notes, and it survives across sessions.
Concepts
- Hunt — a hypothesis-driven workspace (e.g. “Is there C2 to a Tor exit node?”)
- Query — a filter expression evaluated against the session’s flow / packet / DNS / TLS / HTTP tables
- Saved hunt — a hunt template that runs automatically on every new session
- Evidence — pinned items (packets, hosts, files) attached to a hunt
- Verdict — the analyst’s conclusion (true positive, false positive, inconclusive, needs more data)
Starting a hunt
- Open the Hunts view (Ctrl/Cmd + 6).
- Click New hunt and enter a hypothesis (one sentence).
- Choose a starting playbook (or skip with Custom).
- Add queries, run them, pin evidence.
- Set verdict and add notes.
Built-in playbooks
Each playbook is a step-by-step query template, with prompts at each step:
- C2 beacon discovery — periodic outbound flows to rare external IPs
- DNS tunneling — high-entropy subdomains, NULL/TXT abuse
- Lateral movement — SMB/RDP/WinRM between internal hosts
- Data exfiltration — large outbound transfers, off-hours uploads
- Credential theft — cleartext creds, Kerberoasting patterns, Mimikatz signatures
- Port scanning — horizontal vs vertical scan classification
- Covert channels — ICMP/DNS data tunnels, protocol smuggling
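The “C2 beacon discovery” playbook above depends on measuring periodicity, which a single filter expression cannot express. The following Python script is an added example, not Intreys code and not its query syntax: it groups outbound flows by (source, destination, port), measures how regular their inter-arrival times are, and reports rare destinations contacted on a schedule. The flow records are constructed; the record layout, the RFC 1918 definition of “internal”, and the thresholds are assumptions, not part of the product.

```python
"""Beacon-periodicity hunt over flow records.

Added example; this is not Intreys code and does not use its query syntax.
Assumptions (not from the page): a flow record is a dict with 'ts' (epoch
seconds), 'src', 'dst' and 'dst_port'; "outbound" means RFC 1918 source to a
non-RFC 1918 destination; "rare" means the destination is contacted by at most
max_talkers internal hosts. All flows below are constructed.
"""
import ipaddress
from collections import defaultdict
from statistics import median, pstdev

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_beacons(flows, min_flows=6, max_jitter=0.2, max_talkers=2):
    """Return outbound (src, dst, port) pairs whose inter-arrival times are
    regular: jitter = stdev(gaps) / median(gaps) <= max_jitter, and the
    destination is rare (contacted by <= max_talkers internal sources)."""
    stamps_by_pair = defaultdict(list)
    talkers = defaultdict(set)
    for f in flows:
        if not (is_internal(f["src"]) and not is_internal(f["dst"])):
            continue  # outbound only: skip internal-to-internal and inbound
        stamps_by_pair[(f["src"], f["dst"], f["dst_port"])].append(f["ts"])
        talkers[f["dst"]].add(f["src"])

    hits = []
    for (src, dst, port), stamps in stamps_by_pair.items():
        if len(stamps) < min_flows or len(talkers[dst]) > max_talkers:
            continue  # too few samples, or a popular destination (updates, CDN)
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        jitter = pstdev(gaps) / med
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "dst_port": port,
                         "count": len(stamps), "interval_s": round(med, 1),
                         "jitter": round(jitter, 3)})
    return sorted(hits, key=lambda h: h["jitter"])


def _flows(src, dst, port, offsets, base=1_700_000_000):
    """Build constructed flow records at the given second offsets."""
    return [{"ts": base + o, "src": src, "dst": dst, "dst_port": port}
            for o in offsets]


# Constructed sample: one jittered 60 s beacon, ordinary browsing, a popular
# update host hit by three workstations, and internal SMB traffic.
SAMPLE_FLOWS = (
    _flows("10.0.0.5", "203.0.113.7", 443, [0, 61, 119, 182, 240, 302, 359, 421])
    + _flows("10.0.0.8", "198.51.100.20", 443, [0, 5, 200, 210, 900, 905, 1500])
    + _flows("10.0.0.5", "198.51.100.40", 443, range(0, 1800, 300))
    + _flows("10.0.0.8", "198.51.100.40", 443, range(10, 1810, 300))
    + _flows("10.0.0.9", "198.51.100.40", 443, range(20, 1820, 300))
    + _flows("10.0.0.5", "10.0.0.9", 445, range(0, 600, 60))
)

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(hit)
```

Jitter is the population standard deviation of the gaps divided by their median, so a 60 s beacon with a few seconds of randomised sleep still scores well under 0.1, while browsing to the same host scores in the units. The talker limit is what makes a destination rare: the update host contacted by three workstations on a 300 s schedule is excluded even though it is perfectly periodic.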
Query builder
The query builder is a structured filter UI on top of the same Wireshark-compatible display-filter syntax used in the DPI view. Examples:
Find DNS TXT queries with long, random-looking subdomain labels (a length-based proxy for entropy)
dns.qry.name matches "[a-z0-9]{30,}\\." and dns.qry.type == "TXT"
A single label of 30 or more characters is only a stand-in for entropy: a tunnel that splits its payload across several short labels will not match, and a long repetitive label will.
Find large outbound flows to non-standard ports
flow.direction == "outbound"
and not flow.dst_port in (80, 443, 53, 22)
and flow.bytes_out > 100000
Find TLS sessions whose server certificate CN does not match the SNI
tls.handshake.extension.type == "server_name"
and tls.handshake.certificate.subject.CN != tls.handshake.extension.server_name
This only works where the certificate travels in cleartext, i.e. TLS 1.2 and earlier; TLS 1.3 encrypts the certificate. Expect benign hits from certificates that carry the name only in the Subject Alternative Name extension, so review a hit before pinning it.
Find SMB writes to admin shares
smb.cmd == "Write"
and smb.path matches "\\\\\\\\.*\\\\(C\\$|ADMIN\\$)"
Backslashes are escaped twice here, once for the filter string and once for the regular expression, so each literal backslash in the UNC path is written as four. The query covers SMB1 only; on current networks most file access is SMB2/3, so pair it with the SMB2 equivalent.
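The first query above approximates entropy with label length. The following Python script is an added example, not Intreys code: it computes Shannon entropy over the joined subdomain labels under a hunted zone, so a payload split across several short labels (which a single-label regex misses) is scored, and a long run of one character (which the regex matches) is not. The query names, record types, zone and thresholds are constructed or assumed, not taken from the product.

```python
"""Entropy scoring of DNS query names for the DNS-tunneling hunt.

Added example; not Intreys code. Shannon entropy is computed over the
subdomain payload (all labels under the hunted zone, joined), so payload
split across several short labels is still scored. Query names, types,
the zone and the thresholds are constructed / assumed.
"""
import math
from collections import Counter


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for one repeated character, log2(k) when k
    distinct characters are equally frequent."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def subdomain_payload(qname: str, zone: str) -> str:
    """Labels below `zone`, joined. '' if qname is the apex or outside the zone."""
    qname, zone = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    if not qname.endswith("." + zone):
        return ""
    return qname[: -len(zone) - 1].replace(".", "")


def score_query(qname, qtype, zone, min_len=20, min_entropy=3.0,
                abused_types=("TXT", "NULL")):
    """Return a finding when the payload is long and high-entropy, else None.
    The record type only corroborates: legitimate TXT lookups (SPF, DKIM,
    DMARC) are common, so filtering on type alone would flood the hunt."""
    payload = subdomain_payload(qname, zone)
    entropy = shannon_entropy(payload)
    if len(payload) < min_len or entropy < min_entropy:
        return None
    return {"qname": qname, "qtype": qtype, "payload_len": len(payload),
            "entropy": round(entropy, 2), "type_hit": qtype in abused_types}


def run_hunt(queries, zone):
    """Score every (qname, qtype) pair and keep the findings."""
    return [f for f in (score_query(q, t, zone) for q, t in queries) if f]


# Constructed DNS log: (query name, query type).
SAMPLE_QUERIES = [
    ("www.example.com", "A"),
    ("mail.example.com", "MX"),
    ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com", "TXT"),  # long, zero entropy
    ("q7wzk3hbm2vjtx5r.nc4lg6dpyausfoei.example.com", "TXT"),    # 32 distinct chars, two labels
    ("example.com", "A"),                                         # zone apex, no payload
    ("other.org", "A"),                                           # outside the hunted zone
]

if __name__ == "__main__":
    for finding in run_hunt(SAMPLE_QUERIES, "example.com"):
        print(finding)
```

Tune min_len and min_entropy against a day of baseline traffic for the zone before promoting the hunt to a saved hunt; CDN and cloud hostnames can be long and moderately random, and the type_hit flag is there to rank those below a TXT or NULL carrier.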
Pinning evidence
Right-click any row in DPI / Network Map / Timeline / Flows and choose Pin to hunt. The pinned item appears in the hunt’s evidence panel with timestamp and a back-link.
Saved hunts
Promote a hunt to a saved hunt from the hunt menu. Saved hunts run automatically as part of stage 23 (threat_hunt) on every new session, surfacing matches as alerts in the Alerts view. This is how organizations turn one-off investigations into repeatable detection coverage.
Sharing hunts
Pro+: export a hunt as JSON. The export includes the hypothesis, queries, evidence pointers, and verdict. Import in another instance of Intreys to reproduce the investigation.
Team and Enterprise / MSSP: hunts are part of case-management and shared in real time across collaborators.
Tips
- Start with a narrow hypothesis. “Is anyone tunneling DNS to example.com?” is better than “Is anything suspicious going on?”.
- Use compare mode to diff two captures, useful for “what changed today vs. yesterday?”
- Build saved hunts incrementally. Start with one query and tighten over multiple sessions.