Threat Hunting

Modified on Wed, 3 Jan at 8:09 PM

1 - Definition of Threat Hunting

Threat Hunting is a proactive security search across networks, endpoints and datasets for malicious, suspicious or risky activity that has escaped detection by existing tools.

The idea is to assume that adversaries are already in the system and therefore to start looking for unusual behaviour that may indicate the presence of malicious activity.


In proactive threat hunting, launching investigations generally falls into three main categories:

  • Hypothesis-based investigation,
  • Investigation based on known indicators of compromise (IOCs) or indicators of attack (IOAs),
  • Advanced analysis and machine learning investigations.


2 - Threat Hunting with Nucleon

In the Hunt section, you will find a graph of the most active processes, enabling you to identify peaks in activity that could be the source of slowdowns or high disk usage. Rules with the bypass or log deactivation option can be used to avoid too much noise.

Search filters:

  • The date filter is mandatory for events,
  • Text filters are in regex format,
  • Many other filters can be applied: Process, PID, Hash, Path, ...
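
To make the filter semantics above concrete, here is an added example (not Nucleon's code or API) that applies the same rules to constructed process events: a mandatory date window, a regex text filter, and exact-match column filters on Process, PID, Hash and Path, plus a per-process count like the most-active-processes graph. The event schema, sample data and hash placeholders are all assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Event:
    """One process event as a Hunt view might list it (constructed schema)."""
    ts: datetime
    process: str
    pid: int
    hash: str
    path: str
    cmdline: str


# Constructed sample telemetry; hashes are placeholders, not real values.
SAMPLE_EVENTS = [
    Event(datetime(2024, 1, 2, 23, 50), "powershell.exe", 3301, "HASH-PLACEHOLDER-B",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden"),
    Event(datetime(2024, 1, 3, 8, 0), "explorer.exe", 1204, "HASH-PLACEHOLDER-A",
          r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(datetime(2024, 1, 3, 8, 5), "powershell.exe", 2210, "HASH-PLACEHOLDER-B",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -enc <constructed-base64>"),
    Event(datetime(2024, 1, 3, 9, 30), "svchost.exe", 880, "HASH-PLACEHOLDER-C",
          r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]


def hunt(events, start, end, text_regex=None, **exact):
    """Apply Hunt-style filters: the date window is mandatory, the text filter
    is a regex searched over process, path and command line, and any remaining
    keyword (process=, pid=, hash=, path=) is an exact-match column filter."""
    if start is None or end is None:
        raise ValueError("the date filter is mandatory")
    pattern = re.compile(text_regex) if text_regex else None
    hits = []
    for ev in events:
        if not (start <= ev.ts <= end):
            continue  # outside the mandatory date window
        if pattern and not any(pattern.search(f) for f in (ev.process, ev.path, ev.cmdline)):
            continue  # regex text filter did not match any text field
        if any(getattr(ev, col) != val for col, val in exact.items()):
            continue  # an exact column filter (Process, PID, Hash, Path) failed
        hits.append(ev)
    return hits


def most_active(events, n=3):
    """Count events per process name, like the most-active-processes graph."""
    return Counter(ev.process for ev in events).most_common(n)
```

A hypothesis such as "PowerShell launched with a hidden window or encoded command" becomes a regex over the command line, scoped by the date window so that only the events under review are returned.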

 

When the mouse hovers over a column title, a filter can be added directly on that column, or the results can be sorted by it.

Each event can be clicked to display its details, in the same way as a threat.

