Threat Hunting Methodologies with Cortex XDR
This session introduces Threat Hunting, its benefits, and how to put it to use. We cover the different Threat Hunting methodologies and the add-ons available for Cortex XDR, such as Host Insights.
The queries used in the video are listed below.
Sample queries:
Process Execution Hunting
Stacks PowerShell launches (powershell.exe and pwsh.exe) by parent process image. Sorting the counts ascending is least-frequency analysis: the rarest parent processes, which are the ones worth looking at first, land at the top.
dataset = xdr_data
| filter action_process_image_name = "powershell.exe" OR action_process_image_name = "pwsh.exe"
| comp count() as hits by actor_process_image_name
| sort asc hits
Persistence Hunting
Parses Windows System log event 7045 (a new service was installed) out of the event message text, keeps only services configured to start automatically, and stacks them by service name, binary path, type and account. The trim() calls remove the leading space and trailing carriage return that the label regexes capture.
preset = xdr_event_log
| filter action_evtlog_event_id = 7045
| alter service_name = trim(arrayindex(regextract(action_evtlog_message, "Service Name: (.*)"),0))
| alter service_file_name = trim(arrayindex(regextract(action_evtlog_message, "Service File Name: (.*)"),0))
| alter service_type = trim(arrayindex(regextract(action_evtlog_message, "Service Type: (.*)"), 0))
| alter service_start_type = trim(arrayindex(regextract(action_evtlog_message, "Service Start Type: (.*)"),0))
| alter service_account = trim(arrayindex(regextract(action_evtlog_message, "Service Account: (.*)"),0))
| fields service_*
| filter service_start_type = "auto start"
| comp count() as hits by service_name, service_file_name, service_type, service_account
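To show what the persistence query does outside the Cortex XDR console, here is an added Python example (not code from the page or from Palo Alto Networks) that applies the same label regexes to constructed 7045 messages, keeps only auto-start installs, and stacks them by service name, file name, type and account, rarest first. The sample events follow the Service Control Manager 7045 wording but are fabricated; the function and field names are my own, not XQL.

```python
import re
from collections import Counter

# Same label regexes as the XQL query. As in XQL, "." does not match "\n",
# so each capture stops at the line break; strip() plays the role of trim().
FIELDS = {
    "service_name": r"Service Name: (.*)",
    "service_file_name": r"Service File Name: (.*)",
    "service_type": r"Service Type: (.*)",
    "service_start_type": r"Service Start Type: (.*)",
    "service_account": r"Service Account: (.*)",
}


def make_7045(name, path, stype="user mode service",
              start="auto start", account="LocalSystem"):
    """Build a constructed 7045 message in the Service Control Manager layout."""
    return ("A service was installed in the system.\r\n\r\n"
            f"Service Name:  {name}\r\n"
            f"Service File Name:  {path}\r\n"
            f"Service Type:  {stype}\r\n"
            f"Service Start Type:  {start}\r\n"
            f"Service Account:  {account}")


# Constructed sample events (hypothetical hosts and services, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 7045,
     "message": make_7045("PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", start="demand start")},
    {"host": "WS02", "event_id": 7045,
     "message": make_7045("GoogleUpdaterService",
                          r"C:\Program Files (x86)\Google\GoogleUpdater\updater.exe")},
    {"host": "WS03", "event_id": 7045,
     "message": make_7045("GoogleUpdaterService",
                          r"C:\Program Files (x86)\Google\GoogleUpdater\updater.exe")},
    {"host": "WS04", "event_id": 7045,
     "message": make_7045("WinUpdSvc", r"C:\Users\Public\svc.exe")},
    # A 7036 (service state change) should be ignored by the event-id filter.
    {"host": "WS04", "event_id": 7036,
     "message": "The WinUpdSvc service entered the running state."},
]


def parse_7045(message):
    """Mirror the alter/regextract/arrayindex/trim chain: one field per label."""
    parsed = {}
    for field, pattern in FIELDS.items():
        match = re.search(pattern, message)
        parsed[field] = match.group(1).strip() if match else None
    return parsed


def hunt_autostart_services(events):
    """Filter to 7045 auto-start installs and stack them, rarest combination first."""
    counts = Counter()
    for event in events:
        if event.get("event_id") != 7045:
            continue
        svc = parse_7045(event["message"])
        if svc["service_start_type"] != "auto start":
            continue
        key = (svc["service_name"], svc["service_file_name"],
               svc["service_type"], svc["service_account"])
        counts[key] += 1
    # Ascending count, then name, so the one-off install is reviewed before the fleet-wide one.
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0][0]))


if __name__ == "__main__":
    for (name, path, stype, account), hits in hunt_autostart_services(SAMPLE_EVENTS):
        print(f"{hits:>3}  {name:<22} {account:<12} {stype:<18} {path}")
```

The demand-start PSEXESVC install and the 7036 state-change event drop out, and the one-off service running from C:\Users\Public sorts above the updater seen on two hosts, which is the stacking the XQL query is built for.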
Activity Alerts
Counts low-severity Analytics BIOC alerts per host. Individually these are rarely triaged, but a host that accumulates many of them stands out when stacked.
dataset = alerts
| filter alert_source = ENUM.XDR_ANALYTICS_BIOC
| filter severity = ENUM.LOW
| comp count() as alerts by host_name
| sort desc alerts
Anomalous Connections
The same low-severity Analytics BIOC alerts stacked by user instead of host. user_name is an array field on the alerts dataset, so arrayexpand is needed before counting.
dataset = alerts
| filter alert_source = ENUM.XDR_ANALYTICS_BIOC
| filter severity = ENUM.LOW
| arrayexpand user_name
| comp count() as alerts by user_name
| sort desc alerts
Forensics Artifacts Summary
As presented in this webinar. Note that Forensics is an add-on license to Cortex XDR Pro.
[Figure: high-level overview of the Forensics artifacts available]