APT Falconer is a production-ready, Splunk-native threat hunting workbench that helps analysts move from suspicious entities to structured investigations.
Falconer connects entity pivots, managed signals, hunts, analyst notes, MITRE ATT&CK-aligned workflows, local intelligence, suppression review, and conclusions into one operational workflow.
Analysts can right-click IPs, users, hosts, processes, domains, files, hashes, URLs, and other values to launch focused searches, open host or network workflows, enrich indicators, create signals, seed hunts, suppress known noise, review MITRE context, or open Story Workbench.
Key capabilities include:
• Falconer Home - a central analyst starting point for active signals, open hunts, recent conclusions, and suppression review.
• Right-click investigation workflow - turn dashboard entities into immediate pivots for search, enrichment, signal creation, hunt workflows, MITRE views, and Story Workbench.
• No-code Context Actions Manager - create and maintain right-click actions by defining labels, field mappings, target URLs, REST targets, regex matching, groups, ordering, and view-specific behavior from the UI.
• Signals and hunts - convert interesting entities into managed signals, group related signals into hunts, and track investigation status over time.
• Story Workbench - capture related signals, notes, confidence, disposition, summaries, supporting context, and final conclusions.
• MITRE-aligned hunt workflows - use focused host, network, stealth, credential access, persistence, lateral movement, command and control, collection, exfiltration, heatmap, and coverage views to guide analyst reasoning.
• Intel Detection Builder - stage, review, enrich, and publish locally managed intelligence into lookup-based detection workflows.
• Production access control - use dedicated Falconer capabilities such as falconer_admin, falconer_context, falconer_signal, falconer_view_write, and falconer_allowlist_approve to separate analyst workflows from administrative control.
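The capability names above are the page's; how they are bound to roles is not shown. The following is an added example, not configuration shipped with APT Falconer, of how a Splunk administrator would typically use such capabilities in a local authorize.conf to keep day-to-day analyst work separate from approval and administrative rights. It assumes the app declares the capability stanzas itself (standard for Splunk apps) and that the role names, index names, and the split of who approves suppressions are local choices.

```ini
# Illustrative $SPLUNK_HOME/etc/system/local/authorize.conf (added example,
# not part of the app). Assumes the app already ships the
# [capability::falconer_*] declarations; only the role bindings are shown.

# Analysts: pivot, enrich, create signals and edit workbench views,
# but cannot approve suppressions or change context actions.
[role_falconer_analyst]
importRoles = user
falconer_context = enabled
falconer_signal = enabled
falconer_view_write = enabled
# Index names are assumptions for this example.
srchIndexesAllowed = security;main
srchIndexesDefault = security

# Approvers: everything an analyst has, plus sign-off on suppressions.
# Kept separate so the person creating a suppression is not the one approving it.
[role_falconer_approver]
importRoles = falconer_analyst
falconer_allowlist_approve = enabled

# Administrators: manage the app itself (context actions, settings).
# Deliberately does NOT inherit approver, so admin rights and
# suppression approval stay in different hands.
[role_falconer_admin]
importRoles = falconer_analyst
falconer_admin = enabled
```

After editing, reload roles (a restart or Settings > Roles will do) and confirm the effective capabilities with `splunk btool authorize list role_falconer_analyst --debug`, which also shows which file each setting came from; an analyst role that unexpectedly lists `falconer_admin = enabled` usually means an inherited role granted it.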
APT Falconer is built for security teams that want to reduce context switching, preserve analyst reasoning, standardize investigation pivots, and operationalize threat hunting inside Splunk.
Categories
Security, Fraud & Compliance, Investigative