# Threat Hunting

Turns out, Turngate is a pretty great product for Threat Hunting. It's fast, easy to use, and you can pivot rapidly through data as you continually test hypotheses. That's cool and all, but what actually is "threat hunting"?

## Threat Hunting Philosophy

Threat Hunting (henceforth just "hunting", because that's a lot of letters to type) is sort of the cousin of security investigations.

<figure><img src="/files/OiNTMzDPqVVAd8LYqqYK" alt=""><figcaption></figcaption></figure>

The mindset is largely the same. You (the analyst) have a hypothesis about something that may or may not be occurring, and you want to see whether it's true. The underlying tooling is often identical, but the initiating event is different.

You may start a hunt because a new threat has been announced, you have an upcoming audit, you are doing a periodic review, or even just because you have some spare time.

## Threat Hunting Frameworks

While randomly stumbling through your logs and alerts can be fun, it's useful to have some structure to what you're doing. There are a few publicly available frameworks that can help with that.

[PEAK Framework (Splunk)](https://www.splunk.com/en_us/blog/security/peak-threat-hunting-framework.html) - Each PEAK hunt follows a three-stage process: Prepare, Execute, and Act. In the Prepare phase, hunters select topics, conduct research, and generally plan out their hunt. The Execute phase involves diving deep into data and analysis, while the Act phase focuses on documentation, automation, and communication.

[TaHiTI (Targeted Hunting Integrating Threat Intelligence)](https://www.betaalvereniging.nl/en/safety/tahiti/) - This model builds on the Sqrrl model by generating new threat intelligence from hunting activities, which then feeds back into the threat intelligence feed for adversary analysis and hunting exercises.

[MITRE ATT&CK](https://attack.mitre.org/) - While not exclusively a hunting framework, MITRE ATT&CK incorporates hundreds of known adversarial tactics and techniques. It's foundational for hypothesis-driven hunting, and many other security frameworks rely on it.

These are great frameworks, and regardless of whether you're casually threat hunting or building a formal program, they're required reading. To that end, we're not going to duplicate them here. Go read them, then come back and learn how to use Turngate to hunt in your SaaS environment.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://support.turngate.io/detections-and-hunting/threat-hunting.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
