Threat Hunting
Overview
Beyond triaging suspicious alerts and defining investigations, there is one more step that lets analysts dig deeper into an investigation. In the Hunting area of the application, users run a global search across the whole system and retrieve the events related to a specific entity.
Click the Hunting button in the top navigation bar to access this area.
Perform a threat hunt
Follow these steps to perform a threat hunt:
Threat hunting results
After running the hunt, the results matching your filters appear at the bottom of the area. They are split into two parts: Results statistics and Hunting results.
Results statistics
The results for the selected period are plotted in a timeline at the top of the results area, with one line per table added to the hunt, so you can compare the tables graphically.
Click a table name under the timeline to hide or show its line. This also filters the events shown in the Hunting results area below. To zoom in on a time range, drag the mouse across the timeline; the Hunting results area updates to show only the events in that range. Click Restore zoom to return to the default zoom.
You can also define an alert based on the results of a hunting by clicking Actions → Create alert.
Enter the required data and click Create alert in the window that appears to define it.
Hunting results
Events returned by a search are listed in time order. Even if the Results statistics timeline contains two or more series (one per filter), the Hunting results list only contains the events returned by the most recent search.
To see the results of a single table, click that table under the Results statistics. To narrow the hunt further, click the relevant field values in the results; each click adds a new filter to the query.
Add the results of a hunt to an investigation
Expert analysts may want to attach their hunting queries to an investigation so that other users of the application can re-run them. To do so, click the Add to investigation button that appears in the Results statistics area once the hunt has run.
Executing hunting queries from the Investigation and Triage areas
Queries saved from the Hunting area can also be launched directly from an investigation or from a group of triaged alerts, without rebuilding the filters by hand.
The previous section showed how to build a query in the Hunting area by applying filters and then add it to an investigation. The reverse is also possible: in the Investigation area, open the details of the required investigation and go to the Queries section of the Evidence tab. Then click the Run query button next to the required query.
You are taken to the Hunting area, where the selected query is loaded into the Expert mode query editor. Click the Filter button to run the hunt with that query. Note that the time range used when the query was saved is not stored with it; the default range on re-run is the last day, so you will usually need to set the range explicitly to reproduce the original results.
You can do the same in the Triage area. To do it, access the details of the required group of alerts in this area and then, select the icon indicated in the following capture.
Click Run query and you are taken to the Hunting area. As above, set the required time range and click Filter to run the hunt with the selected query.
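The following Python script is an added illustration of what the Hunting area does with the results described above and is not code from this documentation or from the product: it models a global search for one entity across several event tables, the per-table timeline that backs the Results statistics chart, the table filter and zoom behaviour of the Hunting results list, and the effect of re-running a stored query that carries no time range (the default last-day window). The tables, event fields, timestamps, entity value and function names are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data (assumption: three tables, UTC timestamps).
# NOW is pinned so the example is reproducible offline.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
ONE_WEEK_AGO = NOW - timedelta(days=7)

TABLES = {
    "auth": [
        {"ts": NOW - timedelta(days=3), "user": "alice", "src_ip": "10.0.0.5", "result": "fail"},
        {"ts": NOW - timedelta(hours=20), "user": "alice", "src_ip": "10.0.0.5", "result": "success"},
        {"ts": NOW - timedelta(hours=2), "user": "bob", "src_ip": "10.0.0.9", "result": "success"},
    ],
    "proxy": [
        {"ts": NOW - timedelta(hours=19), "src_ip": "10.0.0.5", "url": "http://example.test/a"},
        {"ts": NOW - timedelta(hours=1), "src_ip": "10.0.0.9", "url": "http://example.test/b"},
    ],
    "dns": [
        {"ts": NOW - timedelta(days=2, hours=1), "src_ip": "10.0.0.5", "query": "c2.example.test"},
    ],
}

# A query as it would be saved to an investigation: entity and tables only,
# no dates (the page notes that the original time range is not stored).
STORED_QUERY = {"entity": "10.0.0.5", "tables": ["auth", "proxy", "dns"]}


def hunt(tables, entity, start, end, table_names=None):
    """Global search: every event in the selected tables that mentions `entity`
    in any field and whose timestamp lies in [start, end), ordered by time."""
    names = table_names or list(tables)
    hits = []
    for name in names:
        for ev in tables[name]:
            in_range = start <= ev["ts"] < end
            mentions = any(v == entity for k, v in ev.items() if k != "ts")
            if in_range and mentions:
                hits.append({"table": name, **ev})
    return sorted(hits, key=lambda e: e["ts"])


def results_statistics(hits, bucket=timedelta(hours=6)):
    """Timeline data: hit count per table per time bucket (one series per table)."""
    size = bucket.total_seconds()
    stats = defaultdict(lambda: defaultdict(int))
    for ev in hits:
        slot = datetime.fromtimestamp(ev["ts"].timestamp() // size * size, tz=timezone.utc)
        stats[ev["table"]][slot] += 1
    return {table: dict(series) for table, series in stats.items()}


def zoom(hits, start, end):
    """Dragging over the timeline: keep only hits inside the zoomed range."""
    return [ev for ev in hits if start <= ev["ts"] < end]


def run_stored_query(tables, query, start=None, end=None, now=NOW):
    """Re-run a saved query. With no explicit range the last day before `now`
    is used, which silently drops older evidence the hunt originally found."""
    end = end or now
    start = start or end - timedelta(days=1)
    return hunt(tables, query["entity"], start, end, query.get("tables"))


if __name__ == "__main__":
    full = run_stored_query(TABLES, STORED_QUERY, start=ONE_WEEK_AGO)
    print("explicit one-week range:", [(e["table"], e["ts"].isoformat()) for e in full])
    default = run_stored_query(TABLES, STORED_QUERY)
    print("default last-day range: ", [(e["table"], e["ts"].isoformat()) for e in default])
    for table, series in results_statistics(full).items():
        print(table, {slot.isoformat(): n for slot, n in series.items()})
```

Run with an explicit week-long range the hunt returns four events for the IP across auth, dns and proxy; with the default range it returns only the two from the last 24 hours, which is exactly the behaviour the note about re-running saved queries warns about.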
Alert wizard
The alert wizard in the Hunting area lets users define new SecOps alerts from a hunt. Follow these steps to define a new alert in your SecOps environment: