Scan allows you to verify thousands of hypotheses automatically to understand what is really happening in your organization. This process involves querying your logs for the selected period with translations of all Sigma rules from the SOC Prime Platform that are relevant to your Data Planes.
There are two types of scans available, depending on your goals:
Rules for Alerting – find and deploy effective detection rules for your SIEM with low-noise, high-value alerts.
Threat Scan – allows you to search and identify threats by automating routine threat hunting tasks and correlating findings with the MITRE ATT&CK framework and CTI.
We recommend running scans regularly on configured schedules to pick up new content items and updates to existing detections. Regular scans also keep you current with the evolving threat landscape and covered against emerging threats.
Tips and Best Practices
To maximize the effectiveness of Attack Detective threat scans, it's crucial to fine-tune the settings to your specific environment and cybersecurity goals. We strongly recommend considering your SIEM, EDR or Data Lake resources to ensure that the scan doesn’t significantly impact your system performance. Take into consideration the recommended settings provided below.
Number of Queries
Users can estimate the number of queries that will match the selected log sources. For optimal performance, it is recommended to limit the number of queries to 5,000 per scan for each index. If the query count exceeds this limit, follow these recommendations:
Keep sequential scanning enabled (the default) and run separate scans for the log sources / indices you have chosen. Scanning log sources individually reduces the load on your SIEM or EDR and returns results for each log source / index faster. Once the scan for one log source is completed, launch subsequent scans for the other log sources or indices.
Instead of running multiple scans at once, set up schedules for your subsequent scans for each log source or index over a certain time period. This sequential approach improves efficiency while minimizing system strain.
Please also make sure that you are all set up to run the scan. Refer to the setup requirements and recommendations.
To set up and run a scan, go to the Scans page, click Start Scan and select Rules for Alerting or Threat Scan based on the purpose of the scan.
Alternatively, you can start a scan immediately after completing a Data Audit. To do this, navigate to the Audits page, select the corresponding Data Audit, and on the Data Audit results page, select Setup Alerts.
Configuring a scan involves three steps: Scan Setup, Review Log Sources, and Choose Hunting Scenarios.
Scan Setup
Give the scan a name. You can keep the default name formed after the following pattern: Scan {date and time}.
Turn on the Share to Company toggle to make the scan available to the users in your company. You can also enable this later by going to the Scans page, selecting the three dots on the corresponding scan record, and choosing Share to Company.
Select the Scan Period. The default scan covers the last 7 days as it is considered to be the optimal timespan to choose the tailored detection rules used for alerting in your environment. However, you can change this period depending on your current preferences, the amount of data, and current security needs:
Last 24 hours
7 days
30 days
90 days
Custom
Select one or multiple Data Planes (up to 5 per scan). Note that you cannot combine cloud and on-prem Data Planes in one Scan. Also, make sure you have linked chosen Data Planes to Custom Field Mapping profiles to apply mappings to queries with matching log sources.
Ensure your Data Plane connection works:
Connected – the Data Plane connection is OK, you can continue.
Disconnected – the connection is not operational. Check the connection status and the error message in the Data Plane configurations to fix the issue and try again.
Select Next to proceed to the Review Log Sources step and wait until it is finished.
Note: After proceeding to the Review Log Sources step, the scan setup can no longer be edited.
Review Log Sources
The Review Log Sources step is required to track changes in your environment by checking the list of log sources and corresponding security data gathered.
Check the result of the review:
The spider chart on the left shows the percentage of techniques in each tactic that can be detected with the existing log sources.
Review data tables and respective log sources defined during Data Audit as well as the number of queries available for each data table.
Use the Search bar above the data table to search for relevant entries.
You can sort the data in the table using the dropdown by selecting one of the following options:
Query Count – sorts the data by the number of queries identified in your Data Planes.
Index Name – sorts the data alphabetically by index name.
Additionally, you can switch between descending and ascending order by clicking the green arrow by the selected sorting option name.
You can fine-tune and customize the tables and log sources:
Clear the checkbox next to a data table to exclude it from scanning.
Remove an automatically identified log source by clicking the x icon next to it.
Add more log sources manually. To do this:
After making customizations to the log sources, refresh the Data Audit results by clicking the Refresh Visibility button.
To proceed to the next step, select Choose Scenario at the bottom of the page.
Note: If you are looking for specific detection content addressing the exact log source, make sure you have chosen only the relevant log source in question and removed other log source names.
Choose Hunting Scenarios
Select a Hunting Scenario to form a pool of queries for the scan based on the threats you want to hunt for. You can select an existing hunting scenario or set up a custom hunting scenario to scan through the queries that meet specific requirements. To set up a custom scenario, go to this section.
The more specific the content selected through the hunting scenario, the faster the scan runs and the less it loads your SIEM or EDR. By default, you can choose the Full Scan, which runs SOC Prime’s whole library of rules and queries against the applicable list of log sources.
Tip: It is recommended that the Full Scan schedule runs at least once per week to ensure maximum efficiency.
You can choose between the following available scenarios:
Full scan – all available queries relevant to the selected log sources and available data (analyzed based on discovered events during Data Audit).
Latest Exploits – queries recommended by SOC Prime to detect known Common Vulnerabilities and Exposures (CVEs). This scenario includes both the most recent and notorious CVEs.
CERT Alerts – queries recommended by SOC Prime and developed based on cyber incident reports by the government Computer Emergency Response Teams of the US, the EU, Ukraine, and other countries.
Top 10 Techniques 2024 – rules & queries addressing the TOP-10 most prevalent MITRE ATT&CK techniques listed in UNGATED 2024 Threat Detection Report by Red Canary.
Bear Fence for MDE – hand-picked queries for scanning your Microsoft Defender for Endpoint environment and hunting for Russian APTs, such as Fancy Bear.
Click the Calculate queries button on the scenario tile to expand the updated Data Audit details with the applied scenario.
Spider Chart shows Detection Coverage, the percentage of techniques within each tactic covered by queries that can be applied to your log sources in their current state.
The table shows data tables and respective log sources defined during Data Audit as well as the number of queries available for each data table and the number of tactics and techniques they cover.
Set Up Custom Hunting Scenario
You can set up a custom hunting scenario to run threat scans that meet your specific requirements and focus on queries matching specific criteria, including threat actors, ATT&CK techniques, CVEs, and more.
Select the Add Scenario button on the Choose Hunting Scenario page of the scan.
Name your scenario and provide an optional description.
Define the Content Source:
Repositories – select one Repository to define what queries will be used for scanning. You can choose one of the pre-defined Threat Detection Marketplace Repositories (SOC Prime, Threat Bounty, SigmaHQ, etc.) or one of your own repositories by switching to My Repositories.
Content Lists – select one or multiple Content Lists to define what queries will be used for scanning and click Add.
Use the list type dropdown to limit the lists available for selection to one type - All, Global, or Company. By default, the All option is selected.
In the Queries column, you can see the total number of queries in the List. Select the Pencil icon next to a Content List to navigate to the Lists page and make any necessary edits. To set up a new list, follow this guide.
In both Content Source options selected above, you can press the Show/Refresh Spider Chart button to see the resulting detection coverage based on the configured hunting scenario.
Spider Chart shows Detection Coverage, the percentage of techniques within each tactic covered by queries that can be applied to your log sources in their current state.
The table shows data tables and respective log sources defined during Data Audit as well as the number of queries available for each data table and the number of tactics and techniques they cover.
Select the Apply button at the bottom of the page to add your new hunting scenario to the list of scenarios for Scans.
You can edit an existing custom scenario you've created by clicking the pencil icon.
To delete a custom scenario, click Delete Scenario on the Edit Scenario screen.
Select Scan Settings
Click the Gear icon in the right-hand corner of the Hunting Scenarios page.
Select the Scan Type:
Sequential (default) – tables/indices are scanned one after another. Scanning takes longer, but the load on your SIEM is lower than in parallel scanning.
Parallel – tables/indices are scanned at the same time. Scanning completes faster but loads your SIEM more than the sequential mode. This mode is suitable only for high-performance instances with plenty of free resources.
Select the Scan Intensity:
Low – longer scanning at a lower intensity with minimum load on your system. The average interval between queries is 5–8 seconds.
Medium (default) – moderate scanning intensity with normal load on your SIEM. The average interval between queries is 3–5 seconds.
High – faster scanning with a higher load on your system, which is recommended only for a high-performance SIEM. The average interval between queries is 1–3 seconds.
Tip: We recommend using the default scan settings of Sequential type and Medium intensity to avoid overloading your SIEM. However, you can customize the scans to align with the unique environment and security needs of your organization.
Choose High intensity only for a high-performance SIEM, and remember that while the Parallel type speeds up the scanning substantially it is suitable only for a high-performance cluster with a lot of free resources.
Note:
Scanning your Data Planes can take several hours, depending on the amount of your data.
Full scan only includes queries that are based on Sigma rules with the following parameters:
Sigma Status: Stable or Experimental
Sigma Type: IOC Sigma or Threat Hunting Sigma
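As an added planning aid (not part of the product or of this page), the Python helper below uses the per-intensity query intervals and the 5,000-queries-per-index recommendation given on this page to estimate how long a scan will run in Sequential versus Parallel mode and which indices should get a scan of their own. The index names and query counts are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Average seconds between queries per intensity, as documented on this page.
INTENSITY_INTERVAL_S: Dict[str, Tuple[float, float]] = {
    "low": (5.0, 8.0),
    "medium": (3.0, 5.0),
    "high": (1.0, 3.0),
}
MAX_QUERIES_PER_INDEX = 5000  # recommended per-scan cap from this page


@dataclass
class IndexPlan:
    name: str
    queries: int
    est_min_s: float   # queries * shortest average interval
    est_max_s: float   # queries * longest average interval
    over_cap: bool     # exceeds the recommended 5,000 queries


def plan_scan(query_counts: Dict[str, int], intensity: str = "medium",
              scan_type: str = "sequential") -> dict:
    """Estimate scan wall-clock time and flag indices above the recommended cap.

    Sequential mode scans indices one after another, so durations add up.
    Parallel mode scans them concurrently, so the largest index dominates.
    """
    lo, hi = INTENSITY_INTERVAL_S[intensity]
    per_index: List[IndexPlan] = [
        IndexPlan(name, n, n * lo, n * hi, n > MAX_QUERIES_PER_INDEX)
        for name, n in sorted(query_counts.items(), key=lambda kv: -kv[1])
    ]
    if scan_type == "sequential":
        total_min = sum(p.est_min_s for p in per_index)
        total_max = sum(p.est_max_s for p in per_index)
    elif scan_type == "parallel":
        total_min = max((p.est_min_s for p in per_index), default=0.0)
        total_max = max((p.est_max_s for p in per_index), default=0.0)
    else:
        raise ValueError(f"unknown scan type: {scan_type}")
    # Indices over the cap are candidates for their own scan or a narrower hunting scenario.
    separate = [p.name for p in per_index if p.over_cap]
    return {
        "per_index": per_index,
        "total_hours": (total_min / 3600, total_max / 3600),
        "scan_separately": separate,
    }


# Constructed sample: query counts estimated per index at the Review Log Sources step.
SAMPLE_COUNTS = {"winlogbeat-*": 7200, "filebeat-*": 2400, "auditbeat-*": 900}
```

Running `plan_scan(SAMPLE_COUNTS)` shows the sequential default at Medium intensity needing roughly 8.75 to 14.6 hours for 10,500 queries, with `winlogbeat-*` flagged for a separate scan.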
Optionally, you can adjust the following settings before proceeding with the scan:
Select the Use updated queries checkbox and then select Repos from the dropdown. This ensures that only the updated queries, tailored to your SIEM, EDR, or Data Lake from the selected repositories, will be used in the scan instead of the SOC Prime default ones.
Config settings – for configuring alternative content translations matching your SIEM, EDR, or Data Lake needs. See the examples of config usage below:
If you are gathering the CEF logging format into Elasticsearch, you need to choose the CEF config on the Choose Hunting Scenarios page to run only applicable queries in CEF format.
If you are forwarding Microsoft Defender for Endpoint logs to Microsoft Sentinel, you need to create a separate scan to query Microsoft Defender tables in Microsoft Sentinel. During Data Audit, choose only tables with the Microsoft Defender logs and then choose the mdatp config on the Choose Hunting Scenarios page.
Start or Schedule Scan
Once you've configured the scan settings to meet your needs, you can start or schedule the scan. Click Start Scan to run it immediately. Alternatively, click the arrow next to the Start Scan button and select Schedule Scan to run it at a specified date and time, or to set up a recurring schedule that continuously checks for emerging threats and updates the corresponding detection content.
Note: If your previous scan is still in progress when a new scan is due to start according to a pre-set schedule, the new scan won’t launch. If a single Full Scan takes several days, we strongly recommend splitting your log sources / indices into parts for sequential scanning or choosing a more specific hunting scenario. Please check this section for more details on scanning best practices and tips.
To schedule a scan:
Name the schedule. You can keep the default name formed after the following pattern: Scan {date and time}.
Repeat the scan:
Choose Never if you want this scan to run only once.
Select Set Schedule to run the scan on a recurring basis.
If you selected Set Schedule, in the Repeat till field, specify the end date for the recurring scan.
In the Run scan every section, configure the frequency of the recurring scan:
Enter a number in the first field.
Select the unit of time from the dropdown.
If running on a monthly or weekly schedule, choose the day of the month or week when the scan should run.
Set the exact time the scan should start and select the appropriate time zone from the dropdown.
Select Now to run the scan immediately. Select On Schedule if you want the first scan to start based on your schedule settings.
Select Schedule Scan.
After starting the scan, you will be redirected to the Scans page, where you can view scan details, track scan status, and review scheduled scans. Go to this guide to learn more.
After the scan is completed, go to the scan results to see your attack surface and check/validate query hits. Follow this guide to learn more.
