Threat Hunting

Description

Hunt for internal sightings of malicious files or connections to malicious domains or IP addresses.

Content Mapping

This content is not mapped to any local saved search.


Use Case

Insider Threat, Advanced Threat Detection, SOC Automation

Category

Command and Control, Malware

Security Impact

Threat hunting can be a repetitive process, whether it is used to enrich threat data or to leverage curated data relevant to the network. Automating the hunting process frees analysts to perform deeper investigations.

Alert Volume

Very Low

Journey

Stage 5

Data Sources

DLP
Anti-Virus or Anti-Malware
IDS or IPS
Host-based IDS

How to Implement

The threat hunting playbook uses Splunk as well as EDR tools to hunt for indicators in the environment. Additional actions in the playbook can be used to get additional information about the indicators and further investigate any malicious files discovered.
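The core hunting step the playbook automates is a lookup of known indicators (file hashes, domains, IP addresses) against internal telemetry. The following is an added example, not code from the Phantom playbook or from Splunk: a stand-alone Python sketch of that step, run over constructed proxy, anti-virus and IDS log lines. The indicator values are placeholders drawn from reserved documentation ranges and the `.example` TLD, not real IoCs; in the real playbook the same matching is done by Splunk searches and EDR queries rather than regexes over raw lines.

```python
"""Hunt for internal sightings of known indicators in log lines.

Added example, not part of the original content card. All indicators and
log lines are constructed sample data.
"""
import re
from dataclasses import dataclass

# Constructed indicator set (placeholders, not real threat intel).
# 192.0.2.10 is deliberately never seen in the logs so the "unseen" path runs.
INDICATORS = {
    "ip": {"203.0.113.45", "192.0.2.10"},   # TEST-NET-3 / TEST-NET-1 ranges
    "domain": {"bad-update.example"},       # reserved .example TLD
    "sha256": {"a" * 64},                   # placeholder hash
}

# Constructed events from three of the source types listed on the card.
SAMPLE_LOGS = [
    "proxy src=10.0.0.7 dst=203.0.113.45 host=cdn.bad-update.example url=/x.bin",
    "proxy src=10.0.0.8 dst=198.51.100.2 host=www.example.org url=/index.html",
    "av host=WS-17 file=C:\\Users\\a\\x.bin sha256=" + "A" * 64 + " action=quarantined",
    'ids src=10.0.0.9 dst=203.0.113.45 sig="Possible beacon"',
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")


@dataclass
class Sighting:
    indicator_type: str
    indicator: str   # normalised indicator value that matched
    line_no: int     # 1-based position in the log list
    raw: str         # the full log line, kept for the investigation


def hunt(indicators, logs):
    """Return every sighting of a known indicator in the given log lines."""
    # Normalise once: hashes are case-insensitive, domains are compared lowercased
    # and without a trailing dot, IPs are matched as exact strings.
    hashes = {h.lower() for h in indicators.get("sha256", set())}
    domains = {d.lower().rstrip(".") for d in indicators.get("domain", set())}
    ips = set(indicators.get("ip", set()))
    sightings = []
    for line_no, raw in enumerate(logs, start=1):
        for ip in IPV4_RE.findall(raw):
            if ip in ips:
                sightings.append(Sighting("ip", ip, line_no, raw))
        for h in SHA256_RE.findall(raw):
            if h.lower() in hashes:
                sightings.append(Sighting("sha256", h.lower(), line_no, raw))
        for host in HOST_RE.findall(raw):
            host = host.lower().rstrip(".")
            # A hit on the domain itself or on any of its subdomains counts.
            for d in domains:
                if host == d or host.endswith("." + d):
                    sightings.append(Sighting("domain", d, line_no, raw))
    return sightings


def summarize(sightings):
    """Count sightings per indicator value; these are the ones to investigate."""
    counts = {}
    for s in sightings:
        counts[s.indicator] = counts.get(s.indicator, 0) + 1
    return counts


def unseen(indicators, sightings):
    """Indicators with no internal sighting: candidates for enrichment, not response."""
    seen = {s.indicator for s in sightings}
    all_values = set()
    for kind, values in indicators.items():
        all_values.update(v.lower() if kind != "ip" else v for v in values)
    return all_values - seen


if __name__ == "__main__":
    found = hunt(INDICATORS, SAMPLE_LOGS)
    for s in found:
        print(f"line {s.line_no}: {s.indicator_type} {s.indicator} :: {s.raw}")
    print("sightings per indicator:", summarize(found))
    print("indicators never seen:", unseen(INDICATORS, found))
```

The split between `summarize` and `unseen` mirrors the two paths the card describes: indicators with internal sightings move to investigation of the affected hosts, while indicators with none are the ones worth enriching before hunting again.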

How To Respond

This playbook can be used to further investigate any discovered malicious connections or files in the environment. The playbook can also be re-arranged to perform investigative actions first to enrich threat intel data before hunting for it, as well as being used in conjunction with other playbooks.

Help

Threat Hunting Help

Deploy Phantom and work with your technical team to deploy this playbook.

Screenshot of Demo Data