Threat Hunting for EDR, XDR, SIEM

Threat hunting is the practice of proactively searching for cyber threats that are lurking undetected in an organizational environment. A search for Indicators of Compromise (IOCs) or indicators possibly related to Tactics, Techniques, and Procedures (TTPs) can be performed either on historical data (Logs, Events, Audit Logs) or via live federated inquiries across Endpoints, Storage Services, Cloud Environments, etc.

Automated threat hunting is triggering the search across multiple information sources upon arrival of an event/signal containing a possible indicator, combining the results to understand the extent of the impact and, potentially, taking action for each identified compromised entity.

For example, imagine that an email security system has blocked a potential attack flagging a malicious attachment (file with a specific signature) — automatically searching all endpoints and storage drives for files with the same signature and quarantining it is a simple automated threat hunting process.

• Reduce the “exposure window” for a potential threat by identifying and quarantining/remediating it immediately upon event/signal without involvement of analysts/operators
• Handle multiple threat hunting sessions at the same time  — without requiring human effort
• Create uniformly effective threat hunting procedures without dependency upon specific knowledgeable people being involved

• Torq flows can be triggered by events from existing security systems, such as:
  • SIEM Alert Rules
  • EDR/XDR Detection Alerts
  • Anomaly Detection Alerts
• Alternatively, threat hunting flows can be triggered from Slack / Web /CLI by analysis
• The flows can trigger search processes across a number of systems to find further events/evidence of an indicator:
  • EDR/MDM Search
  • SIEM/Logs Store Search
  • Email/Storage Search
• For each finding, we can perform additional investigative steps, enrich “Case Management” systems and trigger remediation