Threat Hunting

Threat hunting is the process of proactively trying to discover threats that may be buried under a lot of data. Threat hunting is typically done by developing a threat hypothesis and then exploring that hypothesis. LogSentinel SIEM has several ways of supporting threat hunting, including ones that help generate a hypothesis:

  • General search, reporting and autocomplete
  • Historical correlations
  • Faceted search
  • Risk scoring

General search, reporting and autocomplete

The main dashboard's search bar is useful for threat hunting. The following activities can be combined to look for unknown threats:

  • Run reports to find the top actors (group by actorId) or the rarest processes (use ASC order for params.processName)
  • Inspect the activities of those users by searching for them (e.g. by clicking the search icon on the reports tab)
  • Use the autocomplete functionality in the search bar: both parameter names and parameter values are autocompleted. All possible values for a given parameter in the selected data source are suggested after the colon symbol
  • Slice through the time histogram at the top to zoom into visible spikes in the ingested data. The associated range and data are then displayed below

Historical correlations

Historical correlations give you the ability to run correlation rules over a past period. This is useful when a correlation rule has been recently created and an analyst wants to apply it to historical data.

Historical correlations can take a long time, because the rule is applied many times over the historical data. Their current progress can be reviewed on the "Recent hunts" page.

If violations are detected, they are shown both on the hunt details page and on the general alerts page.

Historical correlations are useful for complex rules. Simple rules, where the number of occurrences and the timeframe don't matter, can be run as simple queries without the overhead of a historical correlation.
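The difference between a simple query and a rule that depends on occurrence count and timeframe, as an added Python example (not LogSentinel's code or rule syntax). The events, the LOGIN_FAILED action name, the threshold and the function names are constructed for illustration; only the actorId field name comes from this page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, actorId, action). Not real data.
EVENTS = [
    ("2024-03-01T02:10:00", "bob", "LOGIN_FAILED"),
    ("2024-03-01T02:10:20", "bob", "LOGIN_FAILED"),
    ("2024-03-01T02:10:45", "bob", "LOGIN_FAILED"),
    ("2024-03-01T02:11:10", "bob", "LOGIN_FAILED"),
    ("2024-03-01T02:11:30", "bob", "LOGIN_FAILED"),
    ("2024-03-01T08:00:00", "alice", "LOGIN_FAILED"),
    ("2024-03-01T09:00:00", "alice", "LOGIN_FAILED"),
    ("2024-03-01T09:30:00", "carol", "LOGIN"),
    ("2024-03-01T10:00:00", "alice", "LOGIN_FAILED"),
    ("2024-03-01T11:00:00", "alice", "LOGIN_FAILED"),
    ("2024-03-01T12:00:00", "alice", "LOGIN_FAILED"),
]

def simple_query(events, action):
    """Simple query: every actor with at least one matching event."""
    return sorted({actor for _, actor, act in events if act == action})

def replay_threshold_rule(events, action, threshold, window):
    """Replay 'threshold occurrences per actor within window' over past events.

    The rule is re-evaluated at every matching event, which is why a
    historical run costs more than a single query.
    Returns a list of (actorId, first_event_time, last_event_time).
    """
    recent = defaultdict(deque)  # actorId -> matching timestamps still in window
    violations = []
    for ts, actor, act in sorted(events):  # ISO timestamps sort chronologically
        if act != action:
            continue
        t = datetime.fromisoformat(ts)
        q = recent[actor]
        q.append(t)
        while t - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            violations.append((actor, q[0], t))
            q.clear()  # one alert per burst, then start counting again
    return violations

if __name__ == "__main__":
    print("simple query:", simple_query(EVENTS, "LOGIN_FAILED"))
    print("correlation :", replay_threshold_rule(
        EVENTS, "LOGIN_FAILED", threshold=5, window=timedelta(minutes=2)))
```

Both alice and bob match the simple query, but only bob's five failures inside two minutes violate the replayed rule; alice's hourly failures never accumulate in one window.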

Faceted search

Faceted search is a more structured form of the query bar and works in three steps:

  1. Select the data sources you want to run the search on as well as the parameters you want to use for the search
  2. Select the values of the selected parameters (values are shown in a dropdown with the number of occurrences next to each). For numeric parameters, ranges can be selected instead of discrete values (terms)
  3. Search and review the results for any threats. You can also open the generated search query in the main dashboard

Risk scoring

Threats usually start with actors (users or entities). Therefore, LogSentinel SIEM collects the behavior of all actors and assigns a risk score to each. You can then open the timeline of each actor to look further for potential issues.

More details about risk scoring can be seen here.