Threat Hunt

Project-Agent / library/workflows/threat-hunt/README.md

Runs Splunk saved searches for threat indicators, correlates hits with CrowdStrike host and detection data, and creates Microsoft Sentinel incidents for confirmed threats.

Maturity: L3-4 (Enforced to Governed)  ·  See the 5-level maturity model for where this workflow fits in your program.

Time Saved

~4 hours per threat hunt of manual cross-tool correlation.

Connectors

| Connector   | Operations                   | Risk Level                     |
|-------------|------------------------------|--------------------------------|
| Splunk      | search:execute               | Low — read-only queries        |
| CrowdStrike | hosts:read, detections:read  | Low — read-only                |
| Sentinel    | incidents:create             | Medium — creates SOC incidents |

How It Works

  1. Execute predefined Splunk threat hunting searches.
  2. For each hit, correlate the host with CrowdStrike data.
  3. Check for existing CrowdStrike detections on the same host.
  4. If threat indicators are confirmed, create a Sentinel incident.
  5. Post a hunt summary to Slack.

ARX Governance

Risk Classification

  • search:execute (Splunk) — Low. Read-only search execution.
  • hosts:read, detections:read (CrowdStrike) — Low. Read-only correlation.
  • incidents:create (Sentinel) — Medium. Creates incidents that trigger SOC workflows.

HITL Gate Configuration

  • No HITL gate by default. Sentinel incident creation is informational.
  • Optional: enable a HITL gate on incidents:create for high-fidelity environments by setting hitl.sentinel_create: true in arx.yaml.

Policy Rules

  • search:execute — permit. Automated, no approval needed.
  • hosts:read, detections:read — permit. Automated correlation.
  • incidents:create — permit (default) or escalate (if HITL is enabled).

Audit Trail

  • Splunk search IDs, result counts, and matched indicators.
  • CrowdStrike host IDs and detection IDs correlated per hunt.
  • Sentinel incident IDs created with severity and classification.
  • Full event log written to arx.audit_log.

> See arx.yaml for the full governance configuration.
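The correlate-and-decide core of steps 2 to 4 above, together with the incidents:create policy rule and the audit fields listed under Audit Trail, as an added example in Python. This is not the Project-Agent workflow's own code: connector calls are replaced by in-memory dictionaries, the field names, the "confirmed threat" rule and the severity mapping are assumptions, and all identifiers are constructed placeholders.

```python
# Added example, not the Project-Agent workflow's own code: the correlate-and-
# decide core of the hunt over constructed in-memory data. Connector calls,
# field names and the arx.yaml loader are assumed, not from the project.
from dataclasses import dataclass, field

@dataclass
class SplunkHit:
    search_id: str   # Splunk search ID (audit field)
    host: str        # hostname the hit refers to
    indicator: str   # matched indicator (audit field)

@dataclass
class HuntResult:
    incidents: list = field(default_factory=list)  # Sentinel incidents:create
    audit: list = field(default_factory=list)      # rows for arx.audit_log

def correlate_hunt(hits, cs_hosts, cs_detections, hitl_sentinel_create=False):
    """Steps 2-4: correlate each hit with CrowdStrike host and detection data,
    then apply the incidents:create policy (permit, or escalate under HITL)."""
    result = HuntResult()
    for hit in hits:
        host = cs_hosts.get(hit.host)                 # hosts:read (read-only)
        detections = cs_detections.get(hit.host, [])  # detections:read
        # Assumed confirmation rule: host known to CrowdStrike and at least
        # one existing detection on it. Unknown hosts never raise incidents.
        confirmed = host is not None and len(detections) > 0
        action = "none"
        if confirmed:
            action = "escalate" if hitl_sentinel_create else "permit"
            result.incidents.append({
                "host": hit.host, "indicator": hit.indicator,
                "severity": "High" if len(detections) > 1 else "Medium",
                "action": action,
            })
        result.audit.append({          # one audit row per hit, always
            "search_id": hit.search_id, "indicator": hit.indicator,
            "cs_host_id": host["device_id"] if host else None,
            "cs_detection_ids": [d["id"] for d in detections],
            "decision": action,
        })
    return result

# Constructed sample data with placeholder identifiers.
SAMPLE_HITS = [SplunkHit("sid-1", "ws-101", "dns:beacon-domain"),
               SplunkHit("sid-1", "ws-102", "dns:beacon-domain"),
               SplunkHit("sid-2", "ws-999", "proc:suspicious-script")]
SAMPLE_HOSTS = {"ws-101": {"device_id": "dev-a1"}, "ws-102": {"device_id": "dev-b2"}}
SAMPLE_DETECTIONS = {"ws-101": [{"id": "det-1"}, {"id": "det-2"}], "ws-102": []}
```

Every hit produces an audit row even when no incident is raised, so the hosts that were checked and cleared are still traceable in arx.audit_log.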

Setup Instructions

  1. Configure the Splunk, CrowdStrike, and Sentinel connectors.
  2. Set environment variables:
     • SPLUNK_URL, SPLUNK_TOKEN
     • CS_CLIENT_ID, CS_CLIENT_SECRET
     • SENTINEL_TENANT_ID, SENTINEL_CLIENT_ID, SENTINEL_CLIENT_SECRET
     • SENTINEL_WORKSPACE_ID
     • SLACK_BOT_TOKEN, SLACK_HUNT_CHANNEL
  3. Define the threat hunting queries in the hunt_queries parameter.
  4. Deploy with arx deploy threat-hunt.

Schedule

Runs daily at 02:00 UTC.