Apart from triaging suspicious alerts and defining investigations, there's one additional step that allows users to get deeper into an investigation. In the Hunting area of the application, users can perform a global search across the whole system and find the events that are related to a specific entity.
Perform a threat hunting
Follow these steps to perform a threat hunting:
- Enter the tables you want to search on in the Target tables field.
- Choose the desired time range in the Date range area.
- Add the required Filter criteria. Open the Filter key dropdown list and select the column where you want to search for data. Then open the Type dropdown list and select equals, contains or lookup. If you choose equals or contains, enter the required value in the Filter value box that appears. If you select lookup, you will be prompted to select the Lookup table you want to search on and the required fields. This can be done across multiple tables and using multiple filters to see results from more than one table.
While you are defining your filters, you can switch on the Expert mode toggle to see the LINQ query that represents the filters you've defined in the selected tables. You can keep editing the query here, or go back to the normal view switching off the toggle.
- Once your filter is defined, select Add. You can keep on adding as many filters as required before performing the threat hunting.
- Select Filter to get the results. Click the entities that appear in the results if you want to keep filtering the data. Using the Filter button, you can also see the last queries run and re-select the filter you need. Up to the last 5 filters are shown.
You can access previously applied filters by clicking the clock icon next to the Filter button. Click the bin icon if you want to delete the filter history.
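To make the semantics of the three filter types concrete, here is an added Python model of a hunt over target tables, a date range and a list of equals/contains/lookup filters. It is illustrative code written for this page, not the application's own query engine, and the table names, column names, lookup table and the assumption that filters combine with AND and that a lookup filter matches an event column against one field of the lookup table are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data: two target tables plus one lookup table.
# Illustrative model only, not the application's own data or query engine.
EVENTS = {
    "web.access": [
        {"ts": "2024-05-01T10:00:00", "srcIp": "10.0.0.5", "url": "/login", "user": "alice"},
        {"ts": "2024-05-01T10:05:00", "srcIp": "203.0.113.7", "url": "/admin/login", "user": "bob"},
        {"ts": "2024-05-03T09:00:00", "srcIp": "203.0.113.7", "url": "/", "user": "carol"},
    ],
    "auth.events": [
        {"ts": "2024-05-01T10:06:00", "srcIp": "203.0.113.7", "user": "bob", "result": "fail"},
        {"ts": "2024-05-02T08:00:00", "srcIp": "10.0.0.9", "user": "dave", "result": "ok"},
    ],
}
LOOKUPS = {"watchlist": [{"ip": "203.0.113.7"}, {"ip": "198.51.100.2"}]}


def _match(event, f):
    """Evaluate one filter (type equals / contains / lookup) against one event."""
    value = event.get(f["key"])
    if value is None:  # column absent in this table: the filter cannot hold
        return False
    if f["type"] == "equals":
        return value == f["value"]
    if f["type"] == "contains":
        return f["value"] in str(value)
    if f["type"] == "lookup":
        # Assumed semantics: the event column matches any row of the chosen
        # lookup table on the chosen lookup field.
        rows = LOOKUPS[f["lookup_table"]]
        return any(row.get(f["lookup_field"]) == value for row in rows)
    raise ValueError(f"unknown filter type {f['type']}")


def hunt(target_tables, date_from, date_to, filters):
    """Return matching events per target table.

    An event matches when its timestamp lies in [date_from, date_to] and
    every filter holds (assumed AND combination). Tables without hits are omitted.
    """
    start, end = datetime.fromisoformat(date_from), datetime.fromisoformat(date_to)
    results = {}
    for table in target_tables:
        hits = [e for e in EVENTS.get(table, [])
                if start <= datetime.fromisoformat(e["ts"]) <= end
                and all(_match(e, f) for f in filters)]
        if hits:
            results[table] = hits
    return results
```

With the watchlist lookup filter alone, both tables return the 203.0.113.7 activity on 1 May; adding a contains filter on url narrows the result to the web.access table, since auth.events has no url column.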
Add the results of a hunting to an investigation
Expert analysts may want to add the results obtained from a threat hunting to an investigation so that other users of the application can check them. To do so, click the Add to investigation button at the top right of the window after performing the required threat hunting.