Kestrel Threat Hunting Language

Hunt faster, easier, and with more fun!

Kestrel threat hunting language provides an abstraction for threat hunters to focus on the high-value and composable threat hypothesis development instead of specific realization of hypothesis testing with heterogeneous data sources, threat intelligence, and public or proprietary analytics.

• What is Kestrel?
  • Cyberthreat Hunting
  • Do Not Repeat Yourself
  • Two Types of Questions
  • Human + Machine
  • Kestrel in a Nutshell
  • Architecture
• Threat Hunting Tutorial
  • Hello World Hunt
  • Kestrel + Jupyter
  • Hunting On Real-World Data
  • Knowing Your Variables
  • Connecting Hunt Steps
  • Applying an Analytics
  • Forking and Merging Hunt Flows
  • More About The Language
• Installation
  • Operating Systems
  • Requirements
  • Runtime Installation
  • Front-Ends Installation
  • Kestrel in Action
  • Optional: Kestrel Analytics
• Language Specification
  • Basic Terminology
  • Key Concepts
  • Kestrel Variable
  • Kestrel Command
  • Comment
  • Data Source And Analytics Interfaces
• Configuration
  • Default Kestrel Configuration
  • Example of User-Defined Configurations
• Debug
  • Kestrel Errors
  • Enable Debug Mode
  • Add Your Own Log Entry
• Runtime API
  • Kestrel Session
  • Kestrel Exceptions
  • Kestrel Data Source Interface
  • Kestrel Data Source ReturnStruct
  • STIX Shifter Data Source Interface
  • Kestrel Analytics Interface
  • Docker Analytics Interface
  • Python Analytics Interface
• Theory Behind Kestrel
  • Threat Intelligence Computing
  • Theory And Reality
  • Acknowledgment
  • References
• Contributing
  • Types of Contributions
  • Code Style
  • Development Workflow
  • Pull Request Guidelines
• Credits
  • Development Leads
  • Contributors

Indices and tables

• Index

• Module Index

• Search Page