Threat Hunting

Threat Hunting is an investigative tool that allows advanced querying of all malicious and benign forensic events collected from the organization's endpoints on which Harmony Endpoint is installed.

00:03: In this tutorial, we’ll explore Threat Hunting in Harmony Endpoint, what

00:07: it is, how to enable and use it, and why it’s essential for your organization.

00:11: You’ll see how easy it is to investigate suspicious activity,

00:14: take quick action, and proactively strengthen your endpoint security.

00:19: Threat Hunting in Harmony Endpoint is a powerful investigative tool that enables admins

00:24: to examine forensic data across endpoints.

00:26: It lets you query malicious and benign events collected from endpoints

00:30: safeguarded by Harmony Endpoint. You can investigate the full scope of an attack,

00:34: uncover stealthy threats by spotting suspicious activities, and remediate

00:39: threats swiftly, preventing further damage.

00:42: To get started, log in to the Infinity Portal and select Endpoint.

00:47: From the left navigation panel, click "Policy".

00:50: Navigate to Policy Capabilities, click Analysis and Remediation

00:54: to enable Threat Hunting. Then click Save and Install.

00:58: From the left navigation panel, click "Threat Hunting" to begin proactive threat

01:02: detection. The Threat Hunting dashboard will appear, and you can see a

01:07: range of filters designed to help you refine your search.

01:10: The Threat Hunting dashboard shows the last day of detections by default. If you

01:14: want to change the time range, click the down arrow

01:16: next to the Last Day and select the required time range.

01:20: Select the product you want to hunt threats in. Depending on your environment, you

01:24: can select Harmony Endpoint or other integrated products.

01:29: Select advanced filters to refine your threat detection criteria.

01:33: You can add a custom filter. Provide an indicator, like a file hash

01:37: or IP address, select an operator, and enter the value.

01:41: This helps you pinpoint specific threats quickly and accurately.

01:45: To create a new bookmark, click the star icon for easy access.

01:48: You can choose between shared bookmarks available to all users in your account

01:53: and private bookmarks visible only to you. Based on threat risk,

01:57: you can set a priority level like Low, Medium, High, or Critical.

02:01: You can also enable email notifications for these saved queries, with

02:05: up to 10 alerts allowed.

02:07: If you are dealing with a major breach or a malware outbreak, Check Point provides

02:11: predefined queries, which are ready-made sets of filters tailored to common

02:15: threat scenarios. They help you jumpstart your investigation without needing to build

02:20: filters from scratch.

02:22: Click "Predefined" to view predefined queries. The dashboard applies filters and

02:26: shows details of relevant activity for the selected product and time range.

02:30: Click MITRE ATT&CK framework to view attack tactics and techniques.

02:34: Each technique comes with one or more predefined queries, curated by

02:38: Check Point Research, making it easier to investigate specific threat behaviors.

02:43: Click "bookmarks" to view your custom queries as bookmarks.

02:47: Click "Notifications" to view and configure alerts related to threats.

02:51: You can customize the users who need to receive notifications.

02:54: It helps security teams stay informed and respond quickly to potential

02:58: threats.

03:00: Click "History" to revisit a previous investigation. The History

03:04: tab shows all the queries you have performed, helping you track your analysis

03:08: over time.

03:09: Click "Settings" to customize your experience. You can adjust the UI's

03:14: look and feel to match your preferences, making threat hunting more intuitive

03:18: and efficient.

03:19: Thank you for watching the video.

The information collected lets you:

  • Investigate the full scope of an attack.

  • Discover stealthy attacks by observing suspicious activity.

  • Remediate the attack before it causes further damage.

  • Proactively hunt for advanced attacks by searching for anomalies, and by using hunting leads and enrichment.

Threat Hunting supports:

  • Data collection and enrichment - All events are collected through multiple sensors and sent to a unified repository and enhanced by ThreatCloud, MITRE mapping and alerts from all the prevention engines.

  • Rich toolset for custom queries, drill down and pivoting to suspicious activity.

  • Predefined queries and a MITRE dashboard which map all activity and allow a quick start to proactive hunting.

  • Remediation actions per result or a bulk operation integrated in the Threat Hunting flow (such as file quarantine and kill process).

Supported Regions

Threat Hunting is supported only for the Infinity Portal tenants (accounts) residing in these regions:

  • Australia

  • EU

  • India

  • United Kingdom

  • United Arab Emirates

  • US

Supported Versions

  • Endpoint Security Client version E84.10 and higher.

  • Management version:

    • Cloud-only, web management.

Enabling Threat Hunting

By default, Threat Hunting is disabled in Harmony Endpoint.

To enable Threat Hunting:

  1. Go to Policy > Policy Capabilities.

  2. Click the Analysis & Remediation tab.

  3. From the Enable Threat Hunting list, select On.

  4. Click Save & Install.

  5. After the policy is pushed to the agents, wait a few minutes until data is sent by the agents.

    Then you can go to the Threat Hunting view to start searching through events.

Using Threat Hunting

Items of the Threat Hunting view (item number - description):

  1. Last Day - Time filter for the query. Users can choose between Last Day, Last 2 Days, Last Week and a Custom time period.

  2. Process - Refine your query results according to the activity type.

  3. Let the hunt begin - Click + and define the values to search in the logs. You can add multiple values and fields at a time.

  4. Menu for predefined queries.

  5. Predefined - Check Point's predefined queries, divided by category.

    Note - Leads in the Detections, Leads and Alerts category are lead detections or signatures. If an incident is raised under this category, the prefix Lead. is added to its protection name, for example Lead.Win.BrwsrPassThft.B. It does NOT indicate an attack, and we recommend that you ignore these incidents.

    Check Point uses these leads to analyze whether a protection has to be developed, for example a new signature.

  6. MITRE ATT&CK - Shows the MITRE ATT&CK framework of tactics and techniques. Each technique includes one or more queries, pre-defined by Check Point Research.

  7. Bookmarks - Shows the custom queries saved as bookmarks, either as global (available for all users in the account) or private (available only for the user).

    Users can also define email notifications for these saved queries, currently limited to 10. For more information, see Saving a Query as a Bookmark.

  8. History - See all the queries that you used.

  9. Settings - Change the UI look and feel.

To hunt for threats, you can use predefined queries or proactively create your own queries.

  • To use predefined queries:

    1. Go to Predefined Hunting Queries, or click the icon next to the search box and select Predefined.

      You can quickly find all active attacks and browse through different malicious events detected by Endpoint clients.

    2. Click the icon next to the search box and select MITRE ATT&CK.

      The MITRE ATT&CK dashboard provides real-time visibility on all the techniques observed by Harmony Endpoint across your endpoints. It maps all raw events to MITRE Tactics, Techniques, and Procedures (TTPs) regardless of status.

      The MITRE ATT&CK dashboard is divided into 12 categories and each category is a stage in an attack. Each category includes multiple attack techniques.

      When you click a technique, a window opens with an explanation about the technique and a list of predefined queries. Run a query to get a list of the events in which the specific technique implementation was used.

  • To search for specific events by proactively creating your own queries:

    1. Go to Threat Hunting.

    2. Click the + sign next to Let the hunt begin.

    3. From the Indicator list, select the filter.

    4. From the Operator list, select the condition.

    5. In the Add a single value field, enter a value for the indicator.

    6. Click Add.

      It shows the search results in a timeline. The timeline provides behavioral insights that indicate anomalies or attacks.

    7. To add another filter to the same query, repeat steps 2 to 6.

      Note - If you have multiple filters, the system applies the logical AND operator between the filters.

    8. To filter events based on the timeline, click the required hexagon.

      It shows detailed information about the event, together with intelligent enrichment, such as attack classification, malware family and MITRE technique details.

    9. To create a bookmark for a query, see Saving a Query as a Bookmark.

    10. You can also filter the results by date and process.

    11. To take remediation action for the filtered results, click Actions and choose any of these:

      • Terminate Process

      • Quarantine File

      • Trigger Forensic Analysis

      • Isolate Machine

    12. To export the results to a CSV file, click Actions > Export to CSV.
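As an added illustration (not Check Point's code and not the product's query engine), the following Python models what the procedure above does when several Indicator / Operator / Value filters are combined: every filter must match (the logical AND rule from the note in step 7), events outside the selected time preset are dropped, and Lead.* detections (the research signatures that the note under Predefined says to ignore) are excluded by default so they do not clutter the result. The event field names, the operator names, the CSV column set and the sample events are assumptions constructed for this example.

```python
"""Model of how a Threat Hunting query narrows a set of endpoint forensic events.

Added example, not Check Point code. The event fields, the operator names and the
sample events are constructed assumptions; the AND rule between filters, the time
presets (Last Day / Last 2 Days / Last Week) and the "Lead." prefix convention come
from the documentation above.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

# Fixed reference "now" so the time presets behave deterministically.
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)

# Constructed sample events; hashes, hosts and IPs are placeholders, not real IoCs.
EVENTS: List[Dict[str, str]] = [
    {"time": "2024-05-02T11:30:00+00:00", "host": "ws-01", "process": "powershell.exe",
     "file_hash": "HASH-0001", "remote_ip": "203.0.113.10",
     "protection": "Gen.Win.SuspiciousScript.A", "mitre_technique": "T1059.001"},
    {"time": "2024-05-02T09:15:00+00:00", "host": "ws-02", "process": "wmic.exe",
     "file_hash": "HASH-0002", "remote_ip": "",
     "protection": "Lead.Win.BrwsrPassThft.B", "mitre_technique": "T1047"},
    {"time": "2024-04-29T08:00:00+00:00", "host": "ws-01", "process": "wmic.exe",
     "file_hash": "HASH-0003", "remote_ip": "198.51.100.7",
     "protection": "Gen.Win.RemoteWMI.C", "mitre_technique": "T1047"},
    {"time": "2024-05-01T22:45:00+00:00", "host": "ws-03", "process": "wmic.exe",
     "file_hash": "HASH-0004", "remote_ip": "203.0.113.10",
     "protection": "Gen.Win.RemoteWMI.C", "mitre_technique": "T1047"},
]

# Assumed operator vocabulary for the Operator list (names are illustrative).
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda actual, wanted: actual.lower() == wanted.lower(),
    "not equals": lambda actual, wanted: actual.lower() != wanted.lower(),
    "contains": lambda actual, wanted: wanted.lower() in actual.lower(),
}

# Time presets offered by the dashboard's time filter.
TIME_PRESETS: Dict[str, timedelta] = {
    "Last Day": timedelta(days=1),
    "Last 2 Days": timedelta(days=2),
    "Last Week": timedelta(days=7),
}


@dataclass(frozen=True)
class Filter:
    """One Indicator / Operator / Value row added with the + sign."""
    indicator: str  # event field, e.g. "process", "file_hash", "remote_ip"
    operator: str   # key of OPERATORS
    value: str


def is_lead(event: Dict[str, str]) -> bool:
    """Lead.* protections are research signatures, not attacks (see the Note above)."""
    return event["protection"].startswith("Lead.")


def run_query(events, filters, time_range="Last Day", now=NOW, exclude_leads=True):
    """Return the events inside the time range that satisfy ALL filters (logical AND)."""
    if time_range not in TIME_PRESETS:
        raise ValueError(f"unknown time preset: {time_range}")
    start = now - TIME_PRESETS[time_range]
    hits = []
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        if not (start <= ts <= now):
            continue
        if exclude_leads and is_lead(ev):
            continue
        if all(OPERATORS[f.operator](ev.get(f.indicator, ""), f.value) for f in filters):
            hits.append(ev)
    return sorted(hits, key=lambda e: e["time"])


def export_csv(hits) -> str:
    """Serialize the result set the way Actions > Export to CSV would (column set assumed)."""
    fields = ["time", "host", "process", "file_hash", "remote_ip", "protection", "mitre_technique"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    writer.writerows(hits)
    return buf.getvalue()


if __name__ == "__main__":
    # Hunt for WMI activity (MITRE T1047) that talked to one remote address, over the last week.
    query = [
        Filter("mitre_technique", "equals", "T1047"),
        Filter("remote_ip", "equals", "203.0.113.10"),
    ]
    for ev in run_query(EVENTS, query, "Last Week"):
        print(ev["time"], ev["host"], ev["process"], ev["protection"])
    print(export_csv(run_query(EVENTS, query, "Last Week")))
```

Running the script shows why the AND rule matters: the remote_ip filter alone returns two events (a PowerShell and a WMI event), while adding the technique filter narrows the result to the single WMI event on ws-03. Passing exclude_leads=False brings the Lead.* event back, which is useful only when you want to see what Check Point Research is collecting, not when you are triaging.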

Saving a Query as a Bookmark

You can add filters to a query and save it as a bookmark. You can also send email notifications to users if Threat Hunting activity matches the query.

To save a query as a bookmark:

  1. Create a query.

  2. Click the star icon in the top right corner of the page.

    The Create Shared/Private Bookmark pop-up appears.

  3. To make the bookmark public, select Shared - available to all system users.

  4. To make the bookmark private, select Private - available only to you.

  5. In the Name field, enter a query name.

  6. From the Importance list, select an importance level for the query detection.

  7. In the Select or create tag name field, enter the tag name or select the tag name if available.

    Tags create folders to store bookmarked queries.

  8. In the Description field, enter a description for the bookmark.

  9. To send email notifications if new activity matches the bookmarked query, select Send E-mail notifications to mailing list for any new hits checkbox.

    Harmony Endpoint sends email notifications to the recipients added to the Threat Hunting Notifications page.

  10. Click Save.

To add recipients to Threat Hunting email notifications:

  1. Go to Threat Hunting.

  2. Click the icon next to the search box and select Notifications.

  3. From the Recipients list, select the users or enter the email address.

Use Case - Maze Ransomware Threat Hunting

You want to investigate the Maze ransomware attack. You read about it on the internet and you are afraid it may already have infiltrated your organization.

  1. In the MITRE ATT&CK website: Search for Maze ransomware.

  2. From the list of techniques that Maze ransomware uses, select the applicable technique. For example: Windows Management Instrumentation.

  3. From the Infinity Portal > Threat Hunting, click the icon on the right side of the search box, and go to MITRE ATT&CK.

  4. In the MITRE ATT&CK dashboard, search for the technique you noted from the MITRE ATT&CK website.

  5. Click the technique to see all the events in your organization in which this technique was used.