Threat Hunting Preset
A lightweight stack optimized for proactive threat hunting — Elastic for search and correlation, Caldera to generate realistic attack telemetry, and Grafana for infrastructure visibility.
Deploys in approximately 10 minutes. Estimated cost is $0.80–$1.20/hour on GCP (us-east1). Caldera and Elastic are pre-wired — Caldera agent traffic flows into Elastic indexes automatically.
Included tools
Elastic Stack (SIEM): Central hunting platform — KQL queries, timeline investigations, and detection rules
MITRE Caldera (Red Team): Generate ATT&CK-mapped attack telemetry to hunt against
Grafana + Prometheus (Monitoring): Environment health and resource utilization dashboards
Use cases
KQL practice: Write and test Elastic KQL queries against realistic ATT&CK telemetry
Detection rule development: Build and validate Elastic detection rules with known-bad activity
ATT&CK coverage mapping: Identify gaps in your detection coverage using Caldera technique runs
Training exercises: Hunt for specific techniques with Caldera-generated ground truth
Want a full SOC stack instead? See the SOC Platform preset, which adds Wazuh, TheHive, n8n, and Shuffle SOAR on top of this stack.