
Hunting

Introduction

Enriched Hunting is an interface dedicated to Threat Hunters and Cybersecurity Analysts for visualizing and tuning signatures, alerts and events.

Enriched Hunting uses a drill down approach to select events. Filters on metadata contained in the alert events can be added simply by clicking on the magnifier icons next to a field value.

Once a composite filter is defined, the user can take an action based upon it. The action will be applied to all future events matching the composite filter.

In Enterprise Edition, Stamus probes can have actions/classifications applied for custom defined filters that are based on metadata.

It is easy to create a detailed filter that encompasses a lot of verbose/informational events that do not need further investigation. You can then create an action that will automatically classify any such events in the future. To do so, click on the Actions button in the upper right corner of the Hunt page, select Tag, select the desired ruleset(s) for inclusion, click on Submit, and then click on the Update threat detection icon on the top bar (right hand-side of the page, right next to the History button). By repeating that process for other relevant events, the system would eventually heal itself by classifying all the required data.

This comes with the great benefit of being able to filter out all events classified as Informational just by enabling/disabling the Informational switch (upper bar of the Hunt screen). You can then concentrate on threat hunting the rest of the events: those that have not been classified (Untagged) and/or those that have already been classified as Relevant.

Hunting Overview

Top Menu Bar Options

  • Update Threat Detection icon - updates/pushes the ruleset and updates post-processing

  • History link - clicking this link takes you to the History page, where you can easily track user actions and filter on Action Type (e.g. Login, Logout, Create Source), on the Comment attached to an action, or on the User who performed it. You can also sort by Date or User in ascending or descending order.

  • Filter sets - allows you to store interesting searches. A stored search can be per user or global. Stamus Networks also provides a set of predefined filter sets that can be used for hunting.

  • Refresh Interval drop down - choose between different time intervals at which the page refreshes automatically. This option can also be switched off.

  • Refresh icon - if Refresh Interval is switched off, manually refreshes the page you are on

  • Timespan drop down - set the timespan to filter on, choosing between hourly timespans (1h, 6h, 24h) and daily timespans (2d, 7d, 30d)

  • Help drop down - to access the embedded documentation

  • Account drop down - allows you to go to Account settings or Logout

  • Applauncher drop down icon - allows you to navigate between Hunt, Administration, Dashboards and Events viewer

On the far left of the top menu bar, next to the Stamus Networks logo, an icon allows you to switch between the full and compact view of the Hunt pages menu.

Pages

Pages can be accessed with a click in the left menu. Jumping from one page to another keeps the filters untouched, allowing the analyst to alternate between the different views available.

Dashboard

This page displays a dashboard with statistics about the most interesting data and metadata seen in alerts. Any field displayed here can be selected or negated in order to build complex combinations of multiple filters. These on-demand filters make it easy to zero in on a research target or point of interest.

The page lets you customize the ordering of the information panels by clicking on the edit link, or return them to their default order by clicking on the reset link.

Note

The value of fields in this page can be copied to clipboard with a Ctrl + click shortcut.

Signatures

This page displays a list of signatures, or a signature details page when a filter on a signature ID has been created. On the page you can also create signature-specific filters, for example based on the content of the signature title or on the number of hits a particular signature has had over a period of time.

You can choose between List view and Card view.

Alerts

This page displays the individual alert events as a list. It is possible to expand an event to see all details about it, including metadata. Any metadata displayed can be added to or negated from the current display filter by simply clicking on the + or - magnifiers next to it.

Hosts

This page displays IP/host based threat detection profiling. If searches have been made on other pages, those search filters restrict the alert-based results to a set of hosts: the page displays all hosts that have been involved in the alerts selected by the filters and the specified time range. For each profiled host, the following information is displayed where available:

  • Services - seen running

  • Useragents - seen from that IP

  • JA3 - unique JA3s seen from that IP

  • Usernames - seen to log in from that IP

  • Hostnames - discovered from application layer events

  • Top signatures - for that specific IP, available on individual host_id page only

  • Latest signatures - latest alerts for that specific IP, available on individual host_id page only

  • Signature severity pie - for that specific IP, available on individual host_id page only

The threat detection profiling of a host in terms of Services, Useragents, JA3, Usernames and Hostnames is based entirely on Network Traffic Analysis and not on Alerts/Signatures.

Policy

This page displays the list of Actions constituting the policy applied to the alert events. The list is ordered and the filters are applied from top to bottom (in descending order): the first filter is applied first, followed by the second, and so forth.

The actions can be reordered to adjust the respective precedence of the filters. To do so, simply click on the three dots on the right side of the action and fill in the form.

To apply actions on probes

Note

To make sure an Action (for example Suppress, Threshold, Tag or Tag and Keep) is applied in production for all probes or for a specific one, update and push the respective ruleset(s).

Suppress

A Suppress action deletes matching events before they reach storage. Any field, including metadata, can be used to create a Suppress action.

Threshold

A Threshold action keeps the alert only when the defined threshold is reached. Any field, including metadata, can be used to create a Threshold action.

Tag

A Tag action is set based on a filter. It is applied to all matching events and permits an easy categorization.

Currently 2 values are available:

  • Informational: the information is just good enough not to be suppressed and is kept just in case

  • Relevant: event is relevant and an investigation is needed

All events that are not tagged can be found under the Untagged label, since no classification/Tag action matches them. Investigation and classification of those events should therefore be done.

Note

The Tag action is only available in Stamus Central Server

Tag and Keep

A Tag and Keep action is similar to the Tag action, but a matching event will not be suppressed or thresholded by any action found later in the processing order.

Note

The Tag & Keep action is only available in Stamus Central Server
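The ordered policy described above (Suppress, Threshold, Tag, Tag and Keep, and the Untagged label for events no Tag action matches) can be modelled in a few lines. This is an added illustration, not Stamus code; it assumes a filter is a dict of field/value pairs that match on equality, that Threshold counts matching events per src_ip, and that the first matching Tag action wins.

```python
# Simplified model of the ordered Policy Actions described on this page (added
# illustration, not Stamus code). Assumptions: a filter matches when every field
# equals; Threshold counts per src_ip; the first matching Tag action wins.
def matches(event, flt):
    return all(event.get(k) == v for k, v in flt.items())

def apply_policy(actions, events):
    """Run events through the actions top to bottom; return the events kept.
    Each action is a dict: {"kind", "filter", "tag"?, "count"?} (see demo())."""
    counters = {}   # (action index, src_ip) -> matches seen, for Threshold
    kept = []
    for ev in events:
        ev = dict(ev, tag="Untagged")   # no matching Tag action -> Untagged
        protected = drop = False        # protected is set by Tag and Keep
        for i, act in enumerate(actions):
            if not matches(ev, act["filter"]):
                continue
            kind = act["kind"]
            if kind in ("Tag", "Tag and Keep"):
                if ev["tag"] == "Untagged":
                    ev["tag"] = act["tag"]
                protected = protected or kind == "Tag and Keep"
            elif kind == "Suppress" and not protected:
                drop = True
            elif kind == "Threshold" and not protected:
                key = (i, ev.get("src_ip"))
                counters[key] = counters.get(key, 0) + 1
                drop = counters[key] < act["count"]   # kept once reached
            if drop:
                break
        if not drop:
            kept.append(ev)
    return kept

def demo():
    policy = [  # constructed Policy Actions, ordered top to bottom
        {"kind": "Tag and Keep", "filter": {"msg": "CONSTRUCTED Emotet CnC"}, "tag": "Relevant"},
        {"kind": "Suppress", "filter": {"dest_port": 53}},
        {"kind": "Threshold", "filter": {"msg": "CONSTRUCTED scan"}, "count": 3},
        {"kind": "Tag", "filter": {"app_proto": "http"}, "tag": "Informational"},
    ]
    events = [  # constructed alert events
        {"id": 1, "msg": "CONSTRUCTED Emotet CnC", "dest_port": 53, "src_ip": "10.0.0.1"},
        {"id": 2, "msg": "CONSTRUCTED DNS noise", "dest_port": 53, "src_ip": "10.0.0.2"},
        {"id": 3, "msg": "CONSTRUCTED scan", "dest_port": 22, "src_ip": "10.0.0.5"},
        {"id": 4, "msg": "CONSTRUCTED scan", "dest_port": 22, "src_ip": "10.0.0.5"},
        {"id": 5, "msg": "CONSTRUCTED scan", "dest_port": 22, "src_ip": "10.0.0.5"},
        {"id": 6, "msg": "CONSTRUCTED UA", "app_proto": "http", "dest_port": 80, "src_ip": "10.0.0.9"},
    ]
    return apply_policy(policy, events)
```

Event 1 survives the Suppress on port 53 only because the earlier Tag and Keep protected it; the first two scan events are dropped by the Threshold and the third is kept as Untagged.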

Keyboard shortcuts

Tag filtering

Here is the complete list:

  • A: display all events

  • R: display only Relevant events

  • I: display only Informational events

  • U: display only Untagged events

Hunting Examples

Search by name

It is quite easy, regardless of the number of events, to search whether a specific threat is present. Go to the Dashboard page, choose Message from the drop down menu at the top left corner of the page, type in Emotet and hit Enter on your keyboard. This displays any alert events, with their related metadata, for any Signature that has alerted and contains the word Emotet in its message.

Hunt by IP

To filter on all events from or to a specific IP, go to the Dashboard, Signatures or Hosts page, choose IP from the drop down menu at the top left corner of the page, enter/paste the IP of interest and hit Enter on your keyboard.

Host intel triaging

If you have an IP search filter set in the Dashboard or Signatures page, you can switch (by simply clicking on it) to the Hosts page. The result displays all hosts that have alerting events from or to that specific IP. You can then choose a host and expand its gathered threat intel data in detail to further the investigation.

Unusual useragents

In the Dashboard page, scroll down to the HTTP Information panel, go to Useragent, click on the upper right corner of the box and click Load more results. Investigate the useragent names present, looking for suspicious/nontraditional names. To create a filter for a specific useragent, simply click on the magnifier icon next to the field value. This results in events and their metadata specific to that useragent. You can then go to the Alerts page by simply clicking on it (left hand-side of the current view), which renders all alert events relevant to that useragent.

Unusual domains

In the Dashboard page, scroll down to the DNS Information panel, go to Name, click on the upper right corner of the box and click Load more results. Investigate the domain names present, looking for suspicious/nontraditional/random names. To create a filter for a specific domain, simply click on the magnifier icon next to the field value. This results in events and their metadata specific to that domain. You can then go to the Alerts page by simply clicking on it (left hand-side of the current view), which renders all alert events relevant to that domain name.

Find Alert events by Policy Actions

If you have multiple Policy Actions and want to find out which one has triggered an Alert Event, you need to do the following:

  • go to Alerts tab in Hunt -> click on the Alert of interest to unfold it

  • click on the Json View tab and look for the rule_filter_<number> tag:

    "tag":"rule_filter_9"

  • use the following REST API endpoint to retrieve information on the rule filter:

    https://10.136.0.27/rest/rules/processing-filter/9/

Note

The above is an example link: 10.136.0.27 is the IP of the SCS and 9 is the number of your rule filter.

  • scroll down to the Filter defs form. There you will find information on:

    • Policy Action type (Tag, Tag and Keep, Suppress, etc.)

    • Options (Relevant, Informational)

    • Ruleset

    • Index - this is the index of the Policy Action

  • go back to Hunt -> Policy Actions tab

  • at the far right of the table, you will find the relevant indexes of your Policy Actions
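The tag-to-endpoint step of the procedure above can be scripted when many alerts have to be triaged at once. This is an added helper, not Stamus Central Server code; it assumes the caller supplies the SCS base URL (the page's example IP is used in the sample) and reads only the event_type, tag and alert.signature fields of EVE JSON lines, which are constructed here.

```python
import json
import re

# Added helper (not Stamus Central Server code): read the rule_filter_<n> tag from
# alert events and build the processing-filter REST URL documented above.
# Assumption: the caller supplies the SCS base URL (page's example IP in the sample).
RULE_FILTER_RE = re.compile(r"^rule_filter_(\d+)$")

def rule_filter_id(event):
    """Policy action number from the event's tag, or None when untagged."""
    tag = event.get("tag")
    m = RULE_FILTER_RE.match(tag) if isinstance(tag, str) else None
    return int(m.group(1)) if m else None

def processing_filter_url(scs_base, filter_id):
    # Same path as the documented example: /rest/rules/processing-filter/<n>/
    return f"{scs_base.rstrip('/')}/rest/rules/processing-filter/{filter_id}/"

def group_by_rule_filter(eve_lines, scs_base):
    """Group alert signatures (from EVE JSON lines) by the URL of the policy
    action that tagged them; alerts without a rule_filter tag go under 'Untagged'."""
    groups = {}
    for line in eve_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue   # only alert events carry the policy tag
        fid = rule_filter_id(ev)
        key = processing_filter_url(scs_base, fid) if fid is not None else "Untagged"
        groups.setdefault(key, []).append(ev["alert"]["signature"])
    return groups

# Constructed EVE lines; only the fields this helper reads are present.
SAMPLE_EVE = """\
{"event_type":"alert","tag":"rule_filter_9","alert":{"signature":"CONSTRUCTED sig A"}}
{"event_type":"alert","alert":{"signature":"CONSTRUCTED sig B"}}
{"event_type":"alert","tag":"rule_filter_12","alert":{"signature":"CONSTRUCTED sig C"}}
{"event_type":"alert","tag":"rule_filter_9","alert":{"signature":"CONSTRUCTED sig D"}}
{"event_type":"dns","dns":{"rrname":"example.invalid"}}
"""

if __name__ == "__main__":
    for url, sigs in group_by_rule_filter(SAMPLE_EVE.splitlines(), "https://10.136.0.27").items():
        print(url, sigs)
```

Each resulting URL can then be opened on the SCS to read the Filter defs form for that policy action.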

Host ID basic search techniques

On the Hosts page, you can use different search techniques to narrow down the results. Among other things, it is possible to search for hosts with a minimum or maximum count of services, or to select hosts that run a specific version of an HTTP server. You can also simply look for hosts where a given user (identified by username) has connected.