Threat Hunting
The Threat Hunting AI assists security analysts in conducting proactive threat hunting activities. It generates hunting hypotheses, creates search queries, analyzes patterns, and guides analysts through structured hunting workflows.
Key Features
- Hypothesis Generation: MITRE ATT&CK-based hunting hypotheses tailored to your environment
- Automated Search: Generated search queries for your data sources and timeframes
- Anomaly Detection: Statistical and behavioral analysis to identify outliers
- Guided Workflows: Step-by-step hunting procedures with contextual guidance
- Knowledge Base: Continuously updated library of TTPs (Tactics, Techniques, and Procedures)
Hunting Workflow
1. Hypothesis Formation
The AI generates hunting hypotheses based on:
- Current threat landscape and trending TTPs
- Your organization’s industry and threat profile
- Historical incidents and near-misses
- Threat intelligence alerts and advisories
- MITRE ATT&CK technique coverage gaps
2. Data Collection
For each hypothesis:
- Identifies relevant data sources (logs, NDR, EDR, cloud sensors)
- Generates optimized search queries
- Defines time windows and scope
3. Analysis
During the hunt:
- Highlights statistical anomalies and behavioral outliers
- Correlates findings across multiple data sources
- Provides contextual enrichment from threat intelligence
- Identifies potential attack chains and lateral movement
4. Findings & Response
When threats are discovered:
- Creates detailed findings documentation
- Generates IOCs for detection rule creation
- Recommends immediate response actions
- Feeds findings into the collective intelligence base
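The four workflow steps above, carried through on a single hunt as an added example (this is not the product's own code or query language; the log schema, thresholds and the technique label are assumptions). The hypothesis is the "beaconing patterns" hunt from the Command & Control row: a host contacting one destination at machine-regular intervals. The script builds an illustrative search query for the data-collection step, measures interval regularity per source/destination pair over constructed connection records for the analysis step, and turns the result into IOC candidates for the findings step.

```python
"""
Added example (not part of the vendor's documentation): one hunt carried through
the four workflow steps on constructed data. Hypothesis: a host is beaconing to a
command-and-control server. Data source: proxy/firewall connection records.
Analysis: per (src, dst) pair, measure how regular the connection intervals are;
a low coefficient of variation across many connections is a beaconing outlier.
Findings: emit IOC candidates for detection rules.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample records: (timestamp, source host, destination host, bytes out).
# 10.0.0.5 talks to c2.example.invalid every ~60 s with small jitter; everything
# else is ordinary, irregular traffic.
_BASE = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_CONNECTIONS = (
    [(_BASE + timedelta(seconds=60 * i + (i % 3) - 1), "10.0.0.5", "c2.example.invalid", 512)
     for i in range(20)]
    + [(_BASE + timedelta(seconds=s), "10.0.0.7", "cdn.example.invalid", b)
       for s, b in [(0, 4000), (37, 12000), (410, 900), (1500, 22000), (1530, 300), (2400, 7000)]]
    + [(_BASE + timedelta(seconds=s), "10.0.0.5", "mail.example.invalid", 2000)
       for s in (5, 900, 901, 3100)]
)

# Hypothesis parameters (assumed values; the technique label is MITRE ATT&CK T1071,
# used here only as an illustrative tag).
HYPOTHESIS = {
    "technique": "T1071 Application Layer Protocol (C2 beaconing)",
    "min_connections": 8,   # too few events to call anything periodic
    "max_cv": 0.1,          # stdev/mean of intervals below this looks machine-driven
}

def build_query(hypothesis, start, end):
    """Step 2: an illustrative SQL-like search string a hunter would hand to the log platform."""
    return (
        "SELECT ts, src, dst, bytes_out FROM connections "
        f"WHERE ts BETWEEN '{start.isoformat()}' AND '{end.isoformat()}' "
        f"GROUP BY src, dst HAVING COUNT(*) >= {hypothesis['min_connections']}"
    )

def interval_stats(timestamps):
    """Return (count, mean_interval_seconds, coefficient_of_variation) for a list of timestamps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), 0.0, float("inf")
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else float("inf")
    return len(ts), m, cv

def hunt_beaconing(connections, hypothesis):
    """Step 3: flag (src, dst) pairs whose connection timing is suspiciously regular."""
    by_pair = defaultdict(list)
    for ts, src, dst, _bytes in connections:
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in by_pair.items():
        n, m, cv = interval_stats(stamps)
        if n >= hypothesis["min_connections"] and cv <= hypothesis["max_cv"]:
            findings.append({"src": src, "dst": dst, "connections": n,
                             "mean_interval_s": round(m, 1), "cv": round(cv, 3)})
    return findings

def iocs_from_findings(findings):
    """Step 4: reduce findings to destination IOC candidates for detection-rule creation."""
    return sorted({f["dst"] for f in findings})

if __name__ == "__main__":
    print(build_query(HYPOTHESIS, _BASE, _BASE + timedelta(hours=1)))
    found = hunt_beaconing(SAMPLE_CONNECTIONS, HYPOTHESIS)
    for f in found:
        print("beaconing candidate:", f)
    print("IOC candidates:", iocs_from_findings(found))
```

The coefficient of variation (standard deviation divided by mean interval) is used rather than the raw standard deviation so that a 60-second beacon and a 6-hour beacon are judged by the same threshold; the minimum-connection floor keeps short bursts of coincidentally even traffic from being flagged.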
Hunting Library
Pre-built hunting packages organized by MITRE ATT&CK:
| Tactic | Example Hunts |
|---|---|
| Initial Access | Unusual authentication patterns, phishing campaign indicators |
| Execution | Suspicious process chains, script execution anomalies |
| Persistence | Registry modifications, scheduled task changes, service installations |
| Privilege Escalation | Unusual privilege grants, token manipulation indicators |
| Defense Evasion | Log gaps, tool disabling, masquerading indicators |
| Lateral Movement | Unusual RDP/SMB/SSH patterns, pass-the-hash indicators |
| Collection | Unusual file access patterns, data staging indicators |
| Exfiltration | Unusual outbound data volumes, DNS tunneling indicators |
| Command & Control | Beaconing patterns, unusual encrypted channels |
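As an added example of one hunt from the table (the "DNS tunneling indicators" entry in the Exfiltration row), the following script is not part of the product; it parses constructed DNS query log lines in an assumed format and scores each parent domain on the indicators that distinguish tunnelled data from normal name resolution: many distinct subdomains, long labels, and high character entropy. The thresholds are assumptions to be tuned against a real baseline.

```python
"""
Added example (not from the vendor): the "DNS tunneling indicators" hunt run over
constructed DNS query log lines. Tunnelling tools carry data in the subdomain, so a
single parent domain receives many distinct, long, high-entropy subdomains from one
client. Log format, parent-domain depth and thresholds are assumptions.
"""
import math
import re
from collections import defaultdict

# Constructed log lines (assumed format: "<ts> <client> query <qname> <qtype>").
SAMPLE_DNS_LOG = """\
2024-01-15T09:00:01Z 10.0.0.9 query www.example.invalid A
2024-01-15T09:00:02Z 10.0.0.9 query mail.example.invalid A
2024-01-15T09:00:03Z 10.0.0.9 query www.example.invalid AAAA
2024-01-15T09:00:04Z 10.0.0.12 query 3q9z7k2m8x4v1b6n5c0p.tunnel.invalid TXT
2024-01-15T09:00:05Z 10.0.0.12 query 8h2j5l9m1n4p7r0t3w6y.tunnel.invalid TXT
2024-01-15T09:00:06Z 10.0.0.12 query z1x4c7v0b3n6m9q2w5e8.tunnel.invalid TXT
2024-01-15T09:00:07Z 10.0.0.12 query r5t8y1u4i7o0p3a6s9d2.tunnel.invalid TXT
2024-01-15T09:00:08Z 10.0.0.12 query f2g5h8j1k4l7z0x3c6v9.tunnel.invalid TXT
2024-01-15T09:00:09Z 10.0.0.12 query b7n0m3q6w9e2r5t8y1u4.tunnel.invalid TXT
2024-01-15T09:00:10Z 10.0.0.9 query cdn.example.invalid A
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")

def parse_dns_log(text):
    """Yield (client, qname, qtype) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, client, qname, qtype = m.groups()
            yield client, qname.lower().rstrip("."), qtype

def shannon_entropy(s):
    """Bits per character of the string's symbol-frequency distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname, suffix_labels=2):
    """Return (parent_domain, subdomain_part); the parent is the last N labels (assumed N=2)."""
    labels = qname.split(".")
    if len(labels) <= suffix_labels:
        return qname, ""
    return ".".join(labels[-suffix_labels:]), ".".join(labels[:-suffix_labels])

def hunt_dns_tunneling(log_text, min_queries=5, min_unique_ratio=0.8,
                       min_mean_len=16, min_mean_entropy=3.5):
    """Score each parent domain and return those matching the tunnelling profile."""
    per_domain = defaultdict(lambda: {"queries": 0, "subdomains": set(), "clients": set()})
    for client, qname, _qtype in parse_dns_log(log_text):
        parent, sub = split_name(qname)
        d = per_domain[parent]
        d["queries"] += 1
        d["clients"].add(client)
        if sub:
            d["subdomains"].add(sub)
    findings = []
    for parent, d in per_domain.items():
        subs = d["subdomains"]
        if d["queries"] < min_queries or not subs:
            continue
        unique_ratio = len(subs) / d["queries"]          # near 1.0: every query is a new label
        mean_len = sum(len(s) for s in subs) / len(subs)   # encoded payloads make long labels
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if (unique_ratio >= min_unique_ratio and mean_len >= min_mean_len
                and mean_entropy >= min_mean_entropy):
            findings.append({"domain": parent, "queries": d["queries"],
                             "unique_subdomain_ratio": round(unique_ratio, 2),
                             "mean_label_len": round(mean_len, 1),
                             "mean_entropy": round(mean_entropy, 2),
                             "clients": sorted(d["clients"])})
    return findings

if __name__ == "__main__":
    for finding in hunt_dns_tunneling(SAMPLE_DNS_LOG):
        print("DNS tunneling candidate:", finding)
```

Entropy alone is a weak signal, since CDN and cloud hostnames also carry hashed labels; combining it with the unique-subdomain ratio and a minimum query count is what separates a tunnel from a busy but legitimate domain. In production the parent-domain split should use a public-suffix list rather than a fixed label count.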
Availability
Proactive threat hunting is available exclusively in the Hunt tier. Detect and Respond tier customers receive automated detection but not proactive hunting capabilities.