Threat Hunting

Overview

Apart from triaging suspicious alerts and defining investigations, there's one additional step that allows users to get deeper into an investigation. In the Hunting area of the application, users can perform a global search across the whole system and find the events that are related to a specific entity.

Click this icon in the top navigation bar to access the Hunting area.

Perform a threat hunting

Follow these step to perform threat hunting:

First, choose the time range you want to apply to your search by clicking the time selector at the top of the area. You can either choose an absolute time range selecting the start and end dates in the calendar or select a preset interval. You can also select a start date and activate the Now toggle to set the ending date to the current time. Click OK after choosing the time range.

You can click the arrow icon next to the OK button and click OK and filter to filter your data directly with the selected time range.
Then, enter the tables you want to search on in the Target tables field. It is possible to search in more than one table, which may be very useful to contrast different information in the same timeline, but also to see the behavior of the same entities in two different sources.
Add the required filter criteria. Open the Filter key dropdown list and select the column where you want to search for data. Open the Filter type dropdown list and select the required one. If you choose a general filter, simply enter the required value in the Filter value box that appears. If you select Lookup, you will be prompted to select the Lookup table you want to search on and the required fields. This can be done across multiple tables and using multiple filters to see results from more than one table.
Expert mode

While you are defining your filters, you can switch on the Expert mode toggle to see the LINQ query that represents the filters you've defined in the selected tables. You can keep editing the query here, or go back to the normal view switching off the toggle.
Once your filter is defined, select the Add button. You can keep on adding as many filters as required before performing the threat hunting.
Select Filter to get the results with the filters you applied. Click the entities that appear in the results if you want to keep on filtering the data. Using the clock icon next to the Filter button, you can also see the last queries run, and re-select the filter you need.

Threat hunting results

After performing the threat hunting, the results matching your filters will appear at the bottom of the area. The results are divided into two different areas: Results statistics and Hunting results.

Results statistics

The results of the selected period will be represented in a timeline at the top of the results area, where you can compare graphically the results from the different tables added to the hunting.

Click the table names under the timeline to hide/show the corresponding lines. This will also affect the results shown in the Hunting results area below. You can also zoom in to a specific time range in the graph by dragging your mouse over the timeline. This action will also show the corresponding results below. Click Restore zoom to go back to the default zoom.

Hunting results

Events obtained when performing a search are ordered by time. It does not matter if there are two or more results statistics (two or more filters); you will only see the events that resulted from the last search.

If you want to see results from a specific table only, you only have to click the required table under the Results statistics. If you want to add more filters from the hunting results, simply click the required fields in the results to keep on adding new filters.

Add the results of a hunt to an investigation

Expert analysts may want to add the results obtained after a threat hunting to an investigation so that other users of the application could check them. To do it, simply click the Add to investigation button that appears in the Results statistics area after performing the required threat hunting.

Executing query hunting from the Investigation and Triage areas

It is possible to execute queries automatically when performing threat hunting.

We already know how to generate queries in the Hunting area after applying some filters and then add them to an investigation. However, it is also possible to execute these queries from an investigation. Going back to the Investigation area, open the details of the required investigation, and access the Queries area in the Evidence tab. Then, click the Run query button next to the required query.

You will be taken to the Hunting area. The selected query will be added to the Expert mode query editor. You only have to click the Filter button to perform a threat hunting using the selected query. Remember that original dates are not stored, and the default time range is the last day, so you may need to specify a different range to find the required results.

You can do the same in the Triage area. To do it, access the details of the required group of alerts in this area and then, select the icon indicated in the following capture.

Click Run query and you will be taken to the Hunting area. Same as explained above, apply the required time range and click Filter to perform a threat hunting with the selected query.

Alert wizard

The alert wizard in the Hunting area allows users to define new SecOps alerts easily. Follow these steps to define new alerts in your SecOps environment:

Click the Alert wizard button at the top right part of the Hunting area.

Fill in the general information of the new SecOps alert, at the left part of the window:

Field	Description
Name ^mandatory	Enter the name of the new SecOps alert.
Summary ^mandatory	A short message used to identify the alert condition. As in the standard Devo alerts, you can include field values associated with the alert using the case-sensitive variable $columnName. To learn more about this, check Creating new alerts.
Description ^mandatory	The full description of the alert condition. As in the standard Devo alerts, you can include field values associated with the alert using the case-sensitive variable $columnName. To learn more about this, check Creating new alerts.
Priority	Choose the required alert priority between Critical, High, Medium, Low, and Info.
Type	Choose the type of alert: Analytics, Detection, Observation, or Model. Learn more about SecOps alert types here.
MITRE Tactics	Select the required MITRE tactic.
MITRE Techniques	Select the required MITRE technique.

The next step is adding the required entities to the alert. Click the Add entities button at the right part of the window and select at least one entity type from the list. Then, enter up to 10 values of the selected type separated by a line break. In the capture below, we added the IP entity type and specified 2 different IP addresses.
Click Next to go to the next step.
In this step, you must select the tables and fields where you want to search the values specified before. Click Add table-field and choose the required table(s) and fields. You must select at least one table and field.
Click Next to go to the next step.
In this step, you can define filters to be applied in the selected table fields. To do it, click Add field, then select the required field in the Field to include dropdown and choose a Filter type.
SecOps Whitelisting

There's a special filter type called Apply SecOps Whitelisting. Apply this filter to check if the values in the specified field are included or not in the SecOps whitelisting lookup.
Click Next to go to the next step.
Finally, you'll see a summary including all the selected settings. You can edit each one by clicking the pencil icon next to it. Optionally, you can include geolocation data to your alert by switching on the Geolocation enrich toggle. Before creating the alert, you must click Test query. The system will verify that everything is correct and the query define to run the alert is correct. Once you're done, click Create.