You can perform Threat Hunting on resources.
What it does: Runs an on-demand Threat Scan on a resource using the latest signatures and threat intelligence. The on-demand scan leverages malware and encryption detection techniques, including hash-based checks and YARA rules imported by the user.
When to use: After an incident is suspected/confirmed and you want to do the following:
- Reassess a resource with updated detection intelligence (signatures, models, IOCs).
- Validate whether a resource is trending clean or showing signs of infection before selecting an appropriate restore strategy.
- Rescan backups using the latest signatures and threat intelligence.
Upload IOC Hash File
- From the Command Center navigation pane, go to Security center > Threat scan.
  The Threat Scan page appears.
- On the Plans tab, click the Threat Scan plan you want to edit.
  The plan page appears.
- On the IOC Details tab, click the edit button next to "Indicators of Compromise (Optional)".
  The Indicators of Compromise table for that plan appears.
- In the Upload your own files section, click Select File.
  A file dialog box appears.
- Browse and select the IOC file. Note the following:
  - Supported file types: Text and JSON
  - IOC hash file format. The file is parsed as JSON, so every value other than the boolean must be quoted; in particular the hash type is the string "SHA256", not a bare SHA256 token:

    {
      "iOCFileHashDetails": [
        {
          "malwareName": "<malware_name_1>",
          "fileHash": "<hash_1>",
          "hashType": "SHA256",
          "enabled": true
        },
        {
          "malwareName": "<malware_name_2>",
          "fileHash": "<hash_2>",
          "hashType": "SHA256",
          "enabled": true
        }
      ]
    }

- Click Create.
  The new file (with a type of IOC Hash) appears in the Indicators of Compromise table.
- Select the checkbox for the new file, and then click Save.
  If one or more IOC hashes are enabled in the plan (entries with "enabled": true), the system triggers a Threat Hunting job along with Threat Analysis.
Upload YARA Rule
- From the Command Center navigation pane, go to Security center > Threat scan.
  The Threat Scan page appears.
- On the Plans tab, click the Threat Scan plan you want to edit.
  The plan page appears.
- On the IOC Details tab, click the edit button next to "Indicators of Compromise (Optional)".
  The Indicators of Compromise table for that plan appears.
- In the Upload your own files section, click Select File.
  A file dialog box appears.
- Browse and select the YARA rule file. Note the following:
  - Supported file types: YAR and YARA
  - YARA rule format. Text strings are quoted, hex patterns go in braces, and regular expressions between slashes:

    rule RuleName
    {
        meta:
            key1 = "value"
            key2 = "value"
        strings:
            $a = "text string"
            $b = { <hex pattern> }
            $c = /regex_pattern/
        condition:
            <logical expression>
    }

- Click Create.
  The new file (with a type of YARA Rule Match) appears in the Indicators of Compromise table.
- Select the checkbox for the new file, and then click Save.
  If one or more YARA rules are enabled in the plan, they are processed as part of the Threat Analysis job.
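The two upload formats above (the IOC hash JSON file and the YARA rule file) are easy to get subtly wrong, and a malformed file gives you a plan that silently hunts for nothing. The following script is an added example, not Commvault's own tooling: it builds a valid IOC hash file from a set of sample payloads, validates such a file before upload (catching an unquoted hashType, a wrong top-level key, a non-hex or wrong-length digest, and a file in which no entry is enabled), and renders a companion YARA rule that pins the same sample by its leading bytes. The sample payloads, malware names and rule name are constructed for illustration, and the MD5/SHA1 lengths in the validator are an assumption; only SHA256 is documented above.

```python
"""Build and validate a Threat Scan IOC hash file, plus a matching YARA rule.

Added example, not Commvault's own code. Sample payloads, names and the
supported-hash-type table below are constructed/assumed for illustration.
"""
import hashlib
import json
import re

# Constructed sample payloads standing in for files you want to hunt for.
SAMPLES = {
    "Example.Dropper.A": b"MZ\x90\x00dropper-sample-bytes-\x13\x37",
    "Example.Loader.B": b"#!/bin/sh\nloader-sample\n",
}

# Hex-digest lengths per hash type. Only SHA256 is documented for the upload
# format; MD5 and SHA1 are included here as an assumption for the validator.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}


def build_ioc_hash_file(samples):
    """Return the IOC hash document as a dict, hashing each sample with SHA-256."""
    entries = []
    for name, data in samples.items():
        entries.append({
            "malwareName": name,
            "fileHash": hashlib.sha256(data).hexdigest(),
            "hashType": "SHA256",  # a JSON string, not a bare SHA256 token
            "enabled": True,
        })
    return {"iOCFileHashDetails": entries}


def render_ioc_hash_file(samples):
    """Serialize the IOC hash document to the JSON text you would upload."""
    return json.dumps(build_ioc_hash_file(samples), indent=2)


def validate_ioc_hash_file(text):
    """Parse an IOC hash file and return a list of problems (empty means OK)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # An unquoted hashType (hashType: SHA256) fails right here.
        return [f"not valid JSON: {exc}"]
    entries = doc.get("iOCFileHashDetails")
    if not isinstance(entries, list):
        return ['missing "iOCFileHashDetails" list']
    problems, enabled = [], 0
    for i, e in enumerate(entries):
        for key in ("malwareName", "fileHash", "hashType", "enabled"):
            if key not in e:
                problems.append(f"entry {i}: missing {key}")
        htype = str(e.get("hashType", "")).upper()
        digest = str(e.get("fileHash", ""))
        if htype not in HEX_LEN:
            problems.append(f"entry {i}: unsupported hashType {htype!r}")
        elif not re.fullmatch(r"[0-9a-fA-F]{%d}" % HEX_LEN[htype], digest):
            problems.append(f"entry {i}: fileHash is not a {HEX_LEN[htype]}-char hex {htype}")
        if e.get("enabled") is True:
            enabled += 1
    if not enabled:
        # Matches the page: only enabled hashes trigger a Threat Hunting job.
        problems.append("no entry is enabled; no Threat Hunting job would be triggered")
    return problems


def build_yara_rule(rule_name, name, data, prefix_len=8):
    """Render a YARA rule whose hex string is the first prefix_len bytes of data."""
    hex_bytes = " ".join(f"{b:02X}" for b in data[:prefix_len])
    sha = hashlib.sha256(data).hexdigest()
    return (
        f"rule {rule_name}\n"
        "{\n"
        "    meta:\n"
        f'        malware = "{name}"\n'
        f'        sha256 = "{sha}"\n'
        "    strings:\n"
        f"        $hdr = {{ {hex_bytes} }}\n"
        "    condition:\n"
        "        $hdr at 0\n"
        "}\n"
    )


if __name__ == "__main__":
    text = render_ioc_hash_file(SAMPLES)
    print(text)
    print("problems:", validate_ioc_hash_file(text))
    name, data = next(iter(SAMPLES.items()))
    print(build_yara_rule("Example_Dropper_A_header", name, data))
```

Run the validator against any hand-edited IOC file before uploading it; the most common failure, copying the documented template literally with an unquoted hash type, is reported as invalid JSON rather than surfacing later as a plan that never triggers a hunt. The generated rule anchors its hex string at offset 0, so it only fires on files that begin with those bytes; widen the condition if you want to catch the pattern anywhere in a file.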