Versions Compared

Old Version 7

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

compared with

New Version Current

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
maxLevel2
minLevel2
typeflat

...

Apart from triaging suspicious alerts and defining investigations, there's one additional step that allows users to get deeper into an investigation. In the Hunting area of the application, users can perform a global search across the whole system and find the events that are related to a specific entity.

Click this icon Image Removed in the Hunting button in the top navigation bar to access the Hunting thisarea.

...

Perform a threat hunting

Follow these steps to perform threat hunting:

Rw ui steps macro
Rw step

First, choose the time range you want to apply to your search by clicking the time selector at the top of the area. You can either choose an absolute time range selecting the start and end dates in the calendar or select a preset interval. You can also select a start date and activate the Now toggle to set the ending date to the current time. Click OK after choosing the time range. 

Image RemovedImage Added
Info

You can click the arrow icon next to the OK button and click OK and filter to filter your data directly with the selected time range.

Rw step

Then, enter the tables you want to search on in the Target tables field. It is possible to search in more than one table, which may be very useful to contrast different information in the same timeline, but also to see the behavior of the same entities in two different sources. 

Rw step

Add the required filter criteria. Open the Filter key dropdown list and select the column where you want to search for data. Open the Filter type dropdown list and select the required one. If you choose a general filter, simply enter the required value in the Filter value box that appears. If you select Lookup, you will be prompted to select the Lookup table you want to search on and the required fields. This can be done across multiple tables and using multiple filters to see results from more than one table. 

Info

Expert mode

While you are defining your filters, you can switch on the Expert mode toggle to see the LINQ query that represents the filters you've defined in the selected tables. You can keep editing the query here, or go back to the normal view switching off the toggle.

Rw step

Once your filter is defined, select the Add button. You can keep on adding as many filters as required before performing the threat hunting. Select Filter to get the results with the filters you applied. Click the entities that appear in the results if you want to keep on filtering the data. Using the clock icon next to the Filter button, you can also see the last queries run, and re-select the filter you need.

...

Expert analysts may want to add the results obtained after a threat hunting queries to an investigation so that other users of the application could check run them. To do it, simply click the Add to investigation button that appears in the Results statistics area after performing the required threat hunting.

...

Rw ui steps macro
Rw step

Click the Alert wizard button at the top right part of the Hunting area.

Image RemovedImage Added
Rw step

Fill in the general information of the new SecOps alert, at the left part of the window:

Field

Description

Name mandatory

Enter the name of the new SecOps alert.

Summary mandatory

A short message used to identify the alert condition. As in the standard Devo alerts, you can include field values associated with the alert using the case-sensitive variable $columnName.

Description mandatory

The full description of the alert condition. As in the standard Devo alerts, you can include field values associated with the alert using the case-sensitive variable $columnName.

Priority

Choose the required alert priority between Critical, High, Medium, Low, and Info.

Type

Choose the type of alert: Analytics, Detection, Observation, or Model.

MITRE Tactics

Select the required MITRE tactic.

MITRE Techniques

Select the required MITRE technique.

Rw step

The next step is adding the required entities to the alert. Click the Add entities button at the right part of the window and select at least one entity type from the list. Then, enter up to 10 values of the selected type separated by a line break. In the capture below, we added the IP entity type and specified 2 different IP addresses.

Image RemovedImage Added

Click Next to go to the next step.

Rw step

In this step, you must select the tables and fields where you want to search the values specified before. Click Add table-field and choose the required table(s) and fields. You must select at least one table and field.

Image RemovedImage Added

Click Next to go to the next step.

Rw step

In this step, you can define filters to be applied in the selected table fields. To do it, click Add field, then select the required field in the Field to include dropdown and choose a Filter type.

Image RemovedImage Added
Info

SecOps Whitelisting

There's a special filter type called Apply SecOps Whitelisting. Apply this filter to check if the values in the specified field are included or not in the SecOps whitelisting lookup.

Click Next to go to the next step.

Rw step

Finally, you'll see a summary including all the selected settings. You can edit each one by clicking the pencil icon next to it. Optionally, you can include geolocation data to your alert by switching on the Geolocation enrich toggle. Before creating the alert, you must click Test query. The system will verify that everything is correct and the query define to run the alert is correct. Once you're done, click Create.

Image RemovedImage Added