Autonomous Threat Hunting Using Graph-Based Entity Relationships and MITRE ATT&CK Mapping

Abstract

Manual threat hunting is time-consuming and reactive, often limited by static correlation
rules in traditional SIEMs. To address these limitations, this paper proposes a graph-based
approach that autonomously identifies attack patterns by modeling relationships among users,
processes, hosts, and network events. Using telemetry from Windows Event Logs, sysmon,
VPN records, and endpoint agents, we construct a time-aware entity-relationship graph
enriched with behavioral tags and mapped to MITRE ATT&CK techniques. Graph traversal
and subgraph isomorphism are used to detect patterns consistent with tactics such as lateral
movement, persistence, and privilege escalation. Evaluated on a 5TB dataset from an
enterprise SOC spanning six months, the system detected 35% more stealthy attack
sequences compared to rule-based detection alone. It also surfaced 18 previously undetected
lateral movement attempts. Integration with a SIEM is achieved via enrichment APIs,
allowing security analysts to visualize and explore contextual threat paths. The system
supports scoring threat clusters using graph centrality and anomaly metrics, enabling
prioritization. While the approach introduces processing overhead and requires entity
normalization across log types, it significantly enhances detection depth and correlation
quality. The study concludes that graph-based modeling, when combined with threat
intelligence and behavioral analytics, provides a scalable framework for proactive,
autonomous threat hunting in modern enterprise environments.