Apart from triaging suspicious alerts and defining investigations, there's one additional step that allows users to get deeper into an investigation. In the Hunting area of the application, users can perform a global search across the whole system and find the events that are related to a specific entity.
Perform a threat hunting
Follow these step to perform a threat hunting:
First, choose the time range you want to apply to your search by clicking the time selector at the top of the area. You can either choose an absolute time range selecting the start and end dates in the calendar or select a preset interval. You can also select a start date and activate the Now toggle to set the ending date to the current time. Click OK after choosing the time range.
You can click the arrow icon next to the OK button and click OK and filter to filter your data directly with the selected time range.
After applying a specific time range, you can click the play button next to the selector to activate real-time. This will allow new results to keep appearing as time passes.
- Then, enter the tables you want to search on in the Target tables field. It is possible to search in more than one table, which may be very useful to contrast different information in the same timeline, but also to see the behavior of the same entities in two different sources.
Add the required filter criteria. Open the Filter key dropdown list and select the column where you want to search for data. Open the Filter type dropdown list and select equals, contains or lookup. If you choose equals or contains, simply enter the required value in the Filter value box that appears. If you select lookup, you will be prompted to select the Lookup table you want to search on and the required fields. This can be done across multiple tables and using multiple filters to see results from more than one table. This can be done across multiple tables and using multiple filters to see results from more than one table.
While you are defining your filters, you can switch on the Expert mode toggle to see the LINQ query that represents the filters you've defined in the selected tables. You can keep editing the query here, or go back to the normal view switching off the toggle.
- Once your filter is defined, select the Add button. You can keep on adding as many filters as required before performing the threat hunting.
- Select Filter to get the results with the filters you applied. Click the entities that appear in the results if you want to keep on filtering the data. Using the clock icon next to the Filter button, you can also see the last queries run, and re-select the filter you need.
After performing the threat hunting, the results matching your filters will appear at the bottom of the area. The results are divided into two different areas: Results statistics and Hunting results.
The results of the selected period will be represented in a timeline at the top of the results area, where you can compare graphically the results from the different tables added to the hunting.
Click the table names under the timeline to hide/show the corresponding lines. This will also affect the results shown in the Hunting results area below. You can also zoom in to a specific time range in the graph by dragging your mouse over the timeline. This action will also show the corresponding results below. Click Restore zoom to go back to the default zoom.
Events obtained when performing a search are ordered by time. It does not matter if there are two or more results statistics (two or more filters); you will only see the events resulted from the last search. In the case of the following example, we first searched in the table siem.logtrust.web.activity and then added the filter for firewall.all.traffic, so these are the events shown in the hunting results:
If you want to see the results from the other search, you only have to click the table firewall.all.traffic under the graph to deselect the firewall results. If you want to add more filters from the hunting results, simply click the required fields in the results to keep on adding new filters.
Add the results of a hunting to an investigation
Expert analysts may want to add the results obtained after a threat hunting to an investigation so that other users of the application could check them. To do it, simply click the Add to investigation button at the top right of the window after performing the required threat hunting.
Executing query hunting from the Investigation and Triage areas
It is possible to execute queries automatically when performing a threat hunting.
We already know how to generate queries in the Hunting area after applying some filters and then add them to an investigation. However, it is also possible to execute these queries from an investigation. Going back to the Investigation area, open the details of the required investigation, and access the Queries area in the Evidence tab. Then, click the Run query button next to the required query.
You will be taken to the Hunting area. The selected query will be added to the Expert mode query editor. You only have to click the Filter button to perform a threat hunting using the selected query. Remember that original dates are not stored, and the default time range is the last day, so you may need to specify a different range to find the required results.
You can do the same in the Triage area. To do it, access the details of the required group of alerts in this area and then, select the icon indicated in the following capture.
Click Run query and you will be taken to the Hunting area. Same as explained above, apply the required time range and click Filter to perform a threat hunting with the selected query.