Kestrel Threat Hunting Language

Project description


Kestrel is a threat hunting language aiming to make cyber threat hunting fast by providing a layer of abstraction to build reusable, composable, and shareable hunt-flow. Starting with:

  1. Black Hat USA 2022 session recording

  2. Black Hat USA 2022 Kestrel hunting lab

  3. Kestrel live tutorial in a cloud sandbox

The Goal

Software developers write Python or Swift rather than machine code to quickly turn business logic into applications. Threat hunters write Kestrel to quickly turn threat hypotheses into hunt-flow. We see threat hunting as an interactive procedure to create customized intrusion detection systems on the fly, and hunt-flow is to hunts as control-flow is to ordinary programs.

What does it mean to hunt fast?

  • Do NOT write the same IoB pattern in different data source queries.

  • Do NOT write one-time-use adapters to connect hunt steps.

  • Do NOT waste your existing analytic scripts/programs in future hunts.

  • Do construct your hunt-flow from smaller reusable hunt-flow.

  • Do share your huntbook with your future self and your colleagues.

  • Do get interactive feedback and revise hunt-flow on the fly.


Kestrel Hunting Demo

Kestrel in a Nutshell

Kestrel overview.

  • Kestrel language: a threat hunting language for a human to express what to hunt.

    • expressing the knowledge of what in patterns, analytics, and hunt flows.

    • composing reusable hunting flows from individual hunting steps.

    • reasoning with human-friendly entity-based data representation abstraction.

    • thinking across heterogeneous data and threat intelligence sources.

    • applying existing public and proprietary detection logic as analytic hunt steps.

    • reusing and sharing individual hunting steps, hunt-flow, and entire huntbooks.

  • Kestrel runtime: a machine interpreter that deals with how to hunt.

    • compiling the what against specific hunting platform instructions.

    • executing the compiled code locally and remotely.

    • assembling raw logs and records into entities for entity-based reasoning.

    • caching intermediate data and related records for fast response.

    • prefetching related logs and records for link construction between entities.

    • defining extensible interfaces for data sources and analytics execution.

Basic Concepts and Howto

Visit Kestrel documentation to learn Kestrel:

Kestrel Huntbooks And Analytics

Kestrel Hunting Blogs

  1. Building a Huntbook to Discover Persistent Threats from Scheduled Windows Tasks

  2. Practicing Backward And Forward Tracking Hunts on A Windows Host

  3. Building Your Own Kestrel Analytics and Sharing With the Community

  4. Setting Up The Open Hunting Stack in Hybrid Cloud With Kestrel and SysFlow

  5. Try Kestrel in a Cloud Sandbox

  6. Fun with securitydatasets.com and the Kestrel PowerShell Deobfuscator

  7. Kestrel Data Retrieval Explained

Talks And Demos

Talk summary (visit Kestrel documentation on talks to learn details):

Connecting With The Community

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

kestrel_core-1.8.2.tar.gz (71.2 kB)

Uploaded: Source

Built Distribution

kestrel_core-1.8.2-py3-none-any.whl (61.7 kB)

Uploaded: Python 3

File details

Details for the file kestrel_core-1.8.2.tar.gz.

File metadata

  • Download URL: kestrel_core-1.8.2.tar.gz
  • Upload date:
  • Size: 71.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.0.0 CPython/3.10.14

File hashes

Hashes for kestrel_core-1.8.2.tar.gz
Algorithm Hash digest
SHA256 dc43d9cefbc33afd7876c5c3e97b527bec1dc13c64f1ffd49ce246aac3674e5b
MD5 4209e2d5a49a932429a4e2d6fcd7dc6c
BLAKE2b-256 dbd6e205dc5871112157424cecbb828a2fa06f5a8c1a3c180a8f54ae8dda02f5

File details

Details for the file kestrel_core-1.8.2-py3-none-any.whl.

File metadata

  • Download URL: kestrel_core-1.8.2-py3-none-any.whl
  • Upload date:
  • Size: 61.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.0.0 CPython/3.10.14

File hashes

Hashes for kestrel_core-1.8.2-py3-none-any.whl
Algorithm Hash digest
SHA256 6e35dde470c6489f8aff1abebdda8b4f061f99b7aeb7a8bce6985dc7bf06f76d
MD5 2e317c47fb91f1447bebbe63392596a3
BLAKE2b-256 62e95e171664e630d38cf13be430c8bf78d497fd63319ad934ca0a734090991b
