Threat hunting is a popular buzzword in cybersecurity, but how does it actually work? LogPoint’s Threat Hunting capabilities, including advanced analytics, enrichment, correlations, UEBA, and reporting, will empower you to strengthen your overall security posture with the use of a single interface.
LogPoint also uses threat intelligence feeds to automate some aspects of threat hunting. Threat intelligence feeds are applied at ingest time, so incoming data is evaluated against all configured threat intelligence feeds as it arrives.
Threat intelligence is also used at analysis time, allowing analysts to submit any amount of historical data for evaluation against the most recent threat intelligence feeds, to see whether it matches any new knowledge about attacks. These correlated and evaluated alerts can then be pushed to a third-party incident response tool for orchestration and remediation.
LogPoint’s incident response integrations provide automated workflows for business context enrichment, threat intelligence, and correlation of log data with network data. Based on your organization’s workflow, your security team will be empowered to efficiently gather evidence, build the case and remediate.
To demonstrate how Threat Hunting actually works, we’ve put together a scenario beginning with file infections detected using LogPoint. In this example we use our labels to quickly identify infected files.
Step 1: Setting the scene
File infections detected
Query: label=Detect label=File label=Infection | chart count() by sender,sender_domain,hash, receiver
Drill down on the first row and identify the checksum.
Use the checksum to drill back to VirusTotal.
Conclusion: Raise the flag; further investigation is required to determine the impact of the infection.
Step 2: Raise flag
Create an incident for follow up.
Step 3: Investigation
Apply the identified hash as the filter.
Pick each user associated with the recipient emails.
User Rita shows failed login attempts to various servers.
Go to the search page to see the details.
Failed login attempt for specific user
Query: label=Login label=Fail user="rita.mm" | chart count() by source_address,workstation,user,host order by count() desc
Pick one of the source IPs used by user Rita to check whether there are other failed attempts.
Failed login attempt for specific source
Query: label=Login label=Fail source_address=192.168.2.101 | chart count() by source_address,workstation,user,host
We observe 4 failed attempts from source 192.168.2.101.
Drill down on this event.
Failed login attempt on multiple filters by failure sub status
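The pivot chain from Steps 1 and 3 (infected hash, then recipients, then failed logins per user, then failed logins per source address), written as an added Python example over constructed events; it is not LogPoint code and does not reproduce LogPoint's query engine. The `ev`, `search`, `chart_count` and `hunt` helpers, the sample hashes, hosts and workstations, and the rule that a login name is the local part of the recipient address are assumptions.

```python
from collections import Counter

def ev(labels, **fields):
    return {"labels": set(labels.split()), **fields}

# Constructed sample events (not data from the page); field names follow the queries above.
EVENTS = [
    ev("Detect File Infection", sender="billing@mail.example", sender_domain="mail.example",
       hash="SAMPLE_HASH_1", receiver="rita.mm@corp.example"),
    ev("Detect File Infection", sender="billing@mail.example", sender_domain="mail.example",
       hash="SAMPLE_HASH_1", receiver="tom.k@corp.example"),
    ev("Detect File Infection", sender="news@other.example", sender_domain="other.example",
       hash="SAMPLE_HASH_2", receiver="ann.b@corp.example"),
    ev("Login Fail", user="rita.mm", source_address="192.168.2.101", workstation="WS-A", host="srv-file01"),
    ev("Login Fail", user="rita.mm", source_address="192.168.2.101", workstation="WS-A", host="srv-db01"),
    ev("Login Fail", user="rita.mm", source_address="192.168.2.101", workstation="WS-A", host="srv-db01"),
    ev("Login Fail", user="admin", source_address="192.168.2.101", workstation="WS-A", host="srv-dc01"),
    ev("Login Fail", user="rita.mm", source_address="192.168.2.55", workstation="WS-B", host="srv-file01"),
    ev("Login Success", user="tom.k", source_address="192.168.2.77", workstation="WS-C", host="srv-file01"),
]

def search(events, labels, **filters):
    """Events carrying every label and matching every field=value filter."""
    want = set(labels.split())
    return [e for e in events
            if want <= e["labels"] and all(e.get(k) == v for k, v in filters.items())]

def chart_count(events, *fields):
    """Rough equivalent of '| chart count() by <fields> order by count() desc'."""
    return Counter(tuple(e.get(f) for f in fields) for e in events).most_common()

def hunt(events, file_hash):
    """Pivot: infected hash -> receivers -> users -> failed logins -> source addresses."""
    receivers = sorted({e["receiver"] for e in search(events, "Detect File Infection", hash=file_hash)})
    # Assumption: the login name is the local part of the receiver's e-mail address.
    users = [r.split("@", 1)[0] for r in receivers]
    findings = {}
    for user in users:
        by_source = chart_count(search(events, "Login Fail", user=user), "source_address")
        findings[user] = {
            src: chart_count(search(events, "Login Fail", source_address=src), "user", "host")
            for (src,), _ in by_source
        }
    return receivers, findings

if __name__ == "__main__":
    receivers, findings = hunt(EVENTS, "SAMPLE_HASH_1")
    print("receivers:", receivers)
    for user, sources in findings.items():
        print(user, sources)
```

Pivoting on the source address rather than the user is what surfaces failed logins for other accounts from the same machine, which a per-user search alone would miss.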