Threat Hunting

Modified on Wed, 3 Jan 2024 at 8:09

1 - Definition of Threat Hunting

Threat Hunting is a proactive security search across networks, endpoints and datasets for malicious, suspicious or risky activity that has escaped detection by existing tools.

The idea is to assume that adversaries are already in the system and therefore to start investigating for unusual behaviour that may indicate the presence of malicious activity.


In proactive threat hunting, launching investigations generally falls into three main categories:

  • Hypothesis-based investigation,
  • Investigation based on known indicators of compromise (IOCs) or indicators of attack (IOAs),
  • Advanced analysis and machine learning investigations.


2 - Threat Hunting with Nucleon

In the Hunt section, you will find a graph of the most active processes, enabling you to identify peaks in activity that could be the source of slowdowns or high disk usage. Rules with the bypass or log deactivation option can be used to avoid too much noise.

Search filters:

  • The date filter is mandatory for events.
  • Text filters are in regex format.
  • Many other filters can be applied: Process, PID, Hash, Path, ...

When the mouse hovers over a column title, it is possible to add a filter directly on this column, or sort on this column:
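As an added illustration (not part of this article and not Nucleon's own code), the filter behaviour described above modelled in Python over constructed events: the date range is mandatory, text filters are regular expressions, the other filters match exactly, results can be sorted on a column, and the per-process counts behind the activity graph are computed from the filtered events. Field names, and the unanchored, case-insensitive regex matching, are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events (field names are an assumption, not Nucleon's schema).
EVENTS = [
    {"time": "2024-01-03T08:00:00", "process": "powershell.exe", "pid": 4120,
     "hash": "h1", "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"time": "2024-01-03T08:05:00", "process": "powershell.exe", "pid": 4120,
     "hash": "h1", "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"time": "2024-01-03T08:10:00", "process": "cmd.exe", "pid": 5001,
     "hash": "h2", "path": r"C:\Windows\System32\cmd.exe"},
    {"time": "2024-01-03T09:00:00", "process": "powershell.exe", "pid": 7777,
     "hash": "h3", "path": r"C:\Users\alice\Downloads\powershell.exe"},
    {"time": "2024-01-02T23:00:00", "process": "powershell.exe", "pid": 100,
     "hash": "h1", "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"time": "2024-01-03T08:20:00", "process": "backup.exe", "pid": 6000,
     "hash": "h4", "path": r"C:\Program Files\Backup\backup.exe"},
]


def hunt(events, date_from, date_to, text_filters=None, exact_filters=None, sort_by=None):
    """Hunt-style search: the date range is mandatory, text_filters maps a
    field to a regex (unanchored, case-insensitive: an assumption), and
    exact_filters maps a field (PID, Hash, ...) to a value that must match."""
    if date_from is None or date_to is None:
        raise ValueError("the date filter is mandatory for events")
    start, end = datetime.fromisoformat(date_from), datetime.fromisoformat(date_to)
    patterns = {f: re.compile(rx, re.IGNORECASE) for f, rx in (text_filters or {}).items()}
    result = []
    for ev in events:
        if not start <= datetime.fromisoformat(ev["time"]) <= end:
            continue
        if any(not p.search(str(ev.get(f, ""))) for f, p in patterns.items()):
            continue
        if any(ev.get(f) != v for f, v in (exact_filters or {}).items()):
            continue
        result.append(ev)
    if sort_by:  # sorting on a column, as offered from the column title
        result.sort(key=lambda ev: ev[sort_by])
    return result


def most_active_processes(events, top=3):
    """Event count per process name: the ranking behind the activity graph."""
    return Counter(ev["process"] for ev in events).most_common(top)
```

A regex such as `^powershell` on the process column narrows the hunt to one process name, while a path regex like `\\Users\\` surfaces the copy running from an unusual location.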


Each event can be clicked on to display its details in the same way as a threat.

