Threat Hunting for EDR, XDR, SIEM

Don’t waste valuable time. Kick-off threat hunting workflows as soon as suspicions arise.

TLDR: Threat Hunting for EDR, XDR, SIEM

  • Automate EDR, XDR, SIEM and other queries to kick-off
  • Share threat hunting templates with your team members to ensure the most efficient workflows
  • Trigger remediation flows upon discovery

What is Threat Hunting?

Threat hunting is the practice of proactively searching for cyber threats that are lurking undetected in an organizational environment. A search for Indicators of Compromise (IOCs) or indicators possibly related to Tactics, Techniques, and Procedures (TTPs) can be performed either on historical data (Logs, Events, Audit Logs) or via live federated inquiries across Endpoints, Storage Services, Cloud Environments, etc.

Automated threat hunting is triggering the search across multiple information sources upon arrival of an event/signal containing a possible indicator, combining the results to understand the extent of the impact and, potentially, taking action for each identified compromised entity.

For example, imagine that an email security system has blocked a potential attack flagging a malicious attachment (file with a specific signature) — automatically searching all endpoints and storage drives for files with the same signature and quarantining it is a simple automated threat hunting process.

Benefits of Automating Threat Hunting

  • Reduce the “exposure window” for a potential threat by identifying and quarantining/remediating it immediately upon event/signal without involvement of analysts/operators
  • Handle multiple threat hunting sessions at the same time  — without requiring human effort
  • Create uniformly effective threat hunting procedures without dependency upon specific knowledgeable people being involved

How Torq Automates Threat Hunting

  • Torq flows can be triggered by events from existing security systems, such as:
    • SIEM Alert Rules
    • EDR/XDR Detection Alerts
    • Anomaly Detection Alerts
  • Alternatively, threat hunting flows can be triggered from Slack / Web /CLI by analysis
  • The flows can trigger search processes across a number of systems to find further events/evidence of an indicator:
    • EDR/MDM Search
    • SIEM/Logs Store Search
    • Email/Storage Search
  • For each finding, we can perform additional investigative steps, enrich “Case Management” systems and trigger remediation

Start Automating in Minutes

With Torq, any security professional of any skill level can easily connect multiple tools into an automated workflow that can be run as needed — triggered from an alert, or according to a schedule. Get started automating today! Build workflows with an easy drag and drop interface today. Zero coding or API knowledge required.