With Quick Hunt, you can easily hunt for the latest threats in your SIEM and XDR with a single click. Aimed at both entry-level analysts and experienced security professionals, Quick Hunt is very powerful while extremely easy to use.
Important! To hunt for the latest threats in your security solution, you first need to complete the configuration described below.
Set up
Before hunting, select your platform and Data Plane. Also, set a Custom Field Mapping profile if you use a non-default data schema. In your Data Plane integration settings, you can define a default Custom Field Mapping and default Config (for some platforms) that will be applied to each query.
If you've completed the Integration step in the Onboarding Wizard, a web search integration with the selected platform was created for you automatically. It has the default name Onboarding Data Plane (or Onboarding Environment if it had been created before Environments were renamed to Data Planes). You can edit it to add Custom Field Mapping and default Config (for some platforms) or make other additional configurations that depend on your platform.
To set up a new Data Plane integration for Quick Hunt:
Make sure the correct platform is selected. Then, click the Data Plane dropdown and select Create New Data Plane.
Specify the Data Plane name and sharing settings. If you enable the Share to company switch, the newly added profile will be available across your entire organization.
Make sure Quick Hunt, Uncoder CTI, and direct search from a Sigma rule page are selected as the places where the Data Plane is used.
Provide the URL of your platform's web console (copy it from your browser) and configure additional settings that depend on the selected platform. Optionally, if you use a non-default data schema:
Set default Custom Field Mapping profiles that will be applied automatically to Sigma Rule translations with matching Log Sources
Select the right default Config (for some platforms)
Click the Save Changes button.
Note:
If your Data Plane uses a non-standard data schema, select a Custom Field Mapping profile.
Note:
If you select the Default option in the dropdown, Custom Field Mapping profiles are applied as follows:
If there are Custom Field Mapping profiles linked to the currently selected Data Plane, the profile that matches the log sources of the Sigma rule is applied. If several profiles match the log sources of the Sigma rule, the most recently created or edited one is applied.
If there are no Custom Field Mapping profiles linked to the currently selected Data Plane, the profile that is made default but not linked is applied, as long as it matches the log sources of the Sigma rule.
If there are neither profiles linked to the currently selected Data Plane nor profiles made default (or none of them matches the log sources of the Sigma rule), no mapping is applied.
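To make this precedence concrete, the following is an added example (not SOC Prime's own code) that resolves which profile a Sigma rule's log source would receive. The profile attributes, the subset-match rule, the sample profiles and the handling of linked profiles that exist but do not match are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class MappingProfile:
    name: str
    logsource: dict                          # Sigma-style keys, e.g. {"product": "windows"}
    updated_at: datetime                     # last created/edited time
    linked_data_plane: Optional[str] = None  # Data Plane the profile is linked to, if any
    is_default: bool = False                 # "made default but not linked"


def matches_logsource(profile: MappingProfile, rule_logsource: dict) -> bool:
    # Assumed rule: a profile matches when every logsource key it specifies equals the rule's value.
    return all(rule_logsource.get(k) == v for k, v in profile.logsource.items())


def resolve_default_mapping(profiles, data_plane, rule_logsource) -> Optional[MappingProfile]:
    """Precedence for the 'Default' option as documented above:
    1. profiles linked to the selected Data Plane; among several matches, the most
       recently created/edited one wins;
    2. otherwise an unlinked profile made default, if it matches the rule's log sources;
    3. otherwise None (no mapping). Assumption: linked profiles that exist but do not
       match also yield None instead of falling back to the defaults.
    """
    linked = [p for p in profiles if p.linked_data_plane == data_plane]
    pool = linked or [p for p in profiles if p.linked_data_plane is None and p.is_default]
    candidates = [p for p in pool if matches_logsource(p, rule_logsource)]
    return max(candidates, key=lambda p: p.updated_at) if candidates else None


# Constructed sample profiles; names and dates are illustrative only.
PROC_CREATION = {"product": "windows", "category": "process_creation"}
SAMPLE_PROFILES = [
    MappingProfile("win-proc-old", PROC_CREATION, datetime(2024, 1, 10), "Onboarding Data Plane"),
    MappingProfile("win-proc-new", PROC_CREATION, datetime(2024, 3, 5), "Onboarding Data Plane"),
    MappingProfile("win-generic-default", {"product": "windows"}, datetime(2023, 12, 1), is_default=True),
    MappingProfile("linux-default", {"product": "linux"}, datetime(2024, 2, 1), is_default=True),
]


def resolved_name(data_plane: str, rule_logsource: dict) -> Optional[str]:
    """Name of the profile chosen for the sample set, or None when no mapping applies."""
    chosen = resolve_default_mapping(SAMPLE_PROFILES, data_plane, rule_logsource)
    return chosen.name if chosen else None
```

Running resolved_name against the sample set shows the newer of two matching linked profiles winning, the unlinked default taking over for a Data Plane with no linked profiles, and None when nothing matches.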
Hunt
By default, the content in Quick Hunt is sorted by Recommended. Ranking depends on the current relevance of the content to other security professionals, its quality, release/update date, and other factors.
Other sorting options are:
Microsoft: Microsoft Sentinel content ranked based on our recommendation algorithms that boost the most up-to-date and high-quality content relevant to other cybersecurity experts
Google SecOps: content for Google SecOps ranked based on our recommendation algorithms that boost the most up-to-date and high-quality content relevant to other cybersecurity experts
Smoking Guns: the most reliable behavior-based Alerts and Queries to detect the most severe malicious activity
Released: content sorted by its release date
Updated: content sorted by its update date
Additionally, you can switch between descending (most relevant first) and ascending (least relevant first) order by clicking the red arrow by the selected sorting option name. Your selection will be remembered even after you leave the page and return to it.
You can also search for content in the search bar.
To see more details about a content item, click on it to show the related intelligence. To find out more about the intelligence, go here.
You can also click the Content button to open the page of the selected content item.
To use a content item for threat hunting, just click the Hunt button. This sends the query into your platform.
You will be directed to your platform, where you can check the results of the query. When back in Quick Hunt, you'll see a prompt to leave feedback. Do it to help us further improve the module.
After leaving feedback, you will see the votes of other users.
Content items that you've used for threat hunting are marked with the Hunted label.
Hover over it to see a tooltip with the date and time of the last hunt.
Clicking the label shows a pop-up with the hunt history listing the date and result of each hunt with the selected detection run by your team.
Note: Users with a Manager role can also see the names of their teammates who ran the hunts.
If you clicked the Hunt button without setting up a Data Plane for your platform, you will see a modal prompting you to set up one.