...
Apart from triaging suspicious alerts and defining investigations, there's one additional step that allows users to get deeper into an investigation. In the Hunting area of the application, users can perform a global search across the whole system and find the events that are related to a specific entity.
Click the Hunting button in the top navigation bar to access this area.
...
Perform threat hunting
Follow these steps to perform threat hunting:
1. First, choose the time range you want to apply to your search by clicking the time selector at the top of the area. You can either choose an absolute time range by selecting the start and end dates in the calendar, or select a preset interval. You can also select a start date and activate the Now toggle to set the end date to the current time. Click OK after choosing the time range.
2. Then, enter the tables you want to search in the Target tables field. It is possible to search more than one table, which is useful both to contrast different information on the same timeline and to see the behavior of the same entities in two different sources.
3. Add the required filter criteria. Open the Filter key dropdown list and select the column where you want to search for data. Open the Filter type dropdown list and select the required filter type. If you choose a general filter, simply enter the required value in the Filter value box that appears. If you select Lookup, you will be prompted to select the Lookup table you want to search on and the required fields. This can be done across multiple tables and using multiple filters to see results from more than one table.
4. Once your filter is defined, select the Add button. You can keep adding as many filters as required before performing the threat hunting. Select Filter to get the results with the filters you applied. Click the entities that appear in the results if you want to keep filtering the data. Using the clock icon next to the Filter button, you can also see the last queries run and re-select the filter you need.
...
Expert analysts may want to add the results obtained from threat hunting queries to an investigation so that other users of the application can check and run them. To do it, simply click the Add to investigation button that appears in the Results statistics area after performing the required threat hunting.
...
1. Click the Alert wizard button at the top right part of the Hunting area.
2. Fill in the general information of the new SecOps alert, at the left part of the window:
3. The next step is adding the required entities to the alert. Click the Add entities button at the right part of the window and select at least one entity type from the list. Then, enter up to 10 values of the selected type separated by a line break. In the capture below, we added the IP entity type and specified 2 different IP addresses. Click Next to go to the next step.
4. In this step, you must select the tables and fields where you want to search for the values specified before. Click Add table-field and choose the required table(s) and fields. You must select at least one table and field. Click Next to go to the next step.
5. In this step, you can define filters to be applied to the selected table fields. To do it, click Add field, then select the required field in the Field to include dropdown and choose a Filter type. Click Next to go to the next step.
6. Finally, you'll see a summary including all the selected settings. You can edit each one by clicking the pencil icon next to it. Optionally, you can include geolocation data in your alert by switching on the Geolocation enrich toggle. Before creating the alert, you must click Test query. The system will verify that all settings are consistent and that the query defined to run the alert is valid. Once you're done, click Create.
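The following Python model is an added example, not Devo's code, that illustrates both procedures above: the hunting search (a time range applied across several target tables with general and Lookup filters, merged into one timeline) and the Alert wizard (entity values split on line breaks and capped at 10, at least one table-field, a Test query validation step before the alert runs). Table names, field names, the lookup table and all events are constructed sample data and are assumptions, not names from the product.

```python
"""Model of a hunting query and an alert definition over constructed event tables.
Added example; not part of the product. Table/field/lookup names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed target tables; both share the 'srcIp' entity so one hunt can
# contrast the same host's behaviour in two sources on a single timeline.
TABLES = {
    "proxy.access": [
        {"eventdate": datetime(2024, 1, 1, 10, 0), "srcIp": "10.0.0.5", "url": "example.com"},
        {"eventdate": datetime(2024, 1, 1, 10, 5), "srcIp": "10.0.0.9", "url": "example.org"},
        {"eventdate": datetime(2024, 1, 2, 10, 5), "srcIp": "10.0.0.5", "url": "example.net"},
    ],
    "firewall.conn": [
        {"eventdate": datetime(2024, 1, 1, 10, 1), "srcIp": "10.0.0.5", "dstPort": 443},
        {"eventdate": datetime(2024, 1, 1, 11, 0), "srcIp": "10.0.0.7", "dstPort": 22},
    ],
}
# Constructed lookup table used by the Lookup filter type.
LOOKUPS = {"watchlist_ips": {"10.0.0.5", "10.0.0.7"}}

MAX_ENTITY_VALUES = 10  # the wizard accepts up to 10 values per entity type


@dataclass
class Filter:
    key: str            # Filter key: the column to search
    ftype: str          # Filter type: "equals", "contains" or "lookup"
    value: object = None
    lookup: str = None  # Lookup table name when ftype == "lookup"

    def matches(self, event):
        if self.key not in event:   # column absent in this table: no match
            return False
        v = event[self.key]
        if self.ftype == "equals":
            return v == self.value
        if self.ftype == "contains":
            return str(self.value) in str(v)
        if self.ftype == "lookup":
            return v in LOOKUPS[self.lookup]
        raise ValueError(f"unknown filter type {self.ftype}")


def hunt(tables, filters, start, end=None):
    """Search several target tables in one time range; all filters must match.
    end=None models the Now toggle. Results are merged and ordered by time."""
    end = end or datetime.now()
    results = []
    for table in tables:
        for ev in TABLES[table]:
            if start <= ev["eventdate"] <= end and all(f.matches(ev) for f in filters):
                results.append((table, ev))
    results.sort(key=lambda r: r[1]["eventdate"])
    return results


@dataclass
class AlertDefinition:
    name: str
    entities: dict = field(default_factory=dict)       # entity type -> values
    table_fields: list = field(default_factory=list)   # (table, field) pairs
    filters: list = field(default_factory=list)
    geolocation_enrich: bool = False

    def add_entities(self, entity_type, raw_text):
        """Values are entered one per line; empty lines are ignored, max 10."""
        values = [v.strip() for v in raw_text.splitlines() if v.strip()]
        if not values or len(values) > MAX_ENTITY_VALUES:
            raise ValueError(f"enter between 1 and {MAX_ENTITY_VALUES} values")
        self.entities[entity_type] = values

    def test_query(self):
        """Test query: reject definitions that could never run correctly."""
        if not self.entities:
            raise ValueError("select at least one entity type")
        if not self.table_fields:
            raise ValueError("select at least one table and field")
        for table, fld in self.table_fields:
            if table not in TABLES:
                raise ValueError(f"unknown table {table}")
            if not any(fld in ev for ev in TABLES[table]):
                raise ValueError(f"field {fld} not present in {table}")
        return True

    def run(self, start, end=None):
        """Events in the chosen time range whose selected field holds an entity value."""
        self.test_query()
        wanted = {v for vals in self.entities.values() for v in vals}
        hits = []
        for table, fld in self.table_fields:
            for _, ev in hunt([table], self.filters, start, end):
                if ev.get(fld) in wanted:
                    hits.append((table, ev))
        return hits


if __name__ == "__main__":
    day1 = (datetime(2024, 1, 1), datetime(2024, 1, 1, 23, 59))
    for table, ev in hunt(list(TABLES), [Filter("srcIp", "lookup", lookup="watchlist_ips")], *day1):
        print(table, ev)
    alert = AlertDefinition("watched hosts")
    alert.add_entities("IP", "10.0.0.5\n10.0.0.9\n")
    alert.table_fields = [("proxy.access", "srcIp"), ("firewall.conn", "srcIp")]
    print(len(alert.run(datetime(2024, 1, 1), datetime(2024, 1, 3))), "alert hits")
```

Searching both tables with one Lookup filter returns the proxy and firewall events for the watchlisted hosts interleaved by time, which is the cross-source view the hunting step describes; the alert's run() reuses the same search per table-field pair, and test_query() fails fast on an empty entity list, a missing table-field or a field the table does not carry.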