Threat Hunting Details

User-initiated scan modes relevant to Threat Hunting

  • Threat Hunting: Scans can be run on demand using Run Threat Scan or executed as part of the configured schedule, both available at the Threat Scan Plan level.

  • Hash Hunting (rapid IOC matching): Matches user-provided SHA256 hash lists against the backup index, searching the index directly without restoring any data.

Hash hunting (how it works)

  • SHA256 hashes are generated or collected from backup files as part of scanning.

  • File hashes are stored in the backup index.

  • Users can submit one or more hash values (or upload a file containing hashes) through the Threat Scan Plan under IOC Details.

  • The system matches the submitted hashes against the backup index.

  • Matching hashes are flagged as malware threats in the backup index.
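The five steps above, as an added example (not the product's own code): a SHA256 index is built from constructed sample "backup files", a user-supplied hash list is normalised and validated the way an IOC Details upload would need to be, and matches are flagged as malware findings. The file contents, paths and IOC list are all constructed for the example.

```python
import hashlib
import re

# Constructed sample "backup files": path -> content (not real backup data).
BACKUP_FILES = {
    "/srv/share/report.docx": b"quarterly numbers",
    "/srv/share/tools/dropper.exe": b"MZ-constructed-sample",
    "/home/alice/notes.txt": b"meeting notes",
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

def build_hash_index(files):
    """Steps 1-2: hash each backed-up file and store sha256 -> [paths] in the index."""
    index = {}
    for path, content in files.items():
        digest = hashlib.sha256(content).hexdigest()
        index.setdefault(digest, []).append(path)
    return index

def parse_hash_list(text):
    """Step 3: normalise an uploaded hash list (case, whitespace, comments).
    Returns (valid_hashes, rejected_lines) so malformed entries are reported, not lost."""
    valid, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if SHA256_RE.match(line):
            valid.add(line)
        else:
            rejected.append(raw.strip())
    return valid, rejected

def hunt(index, iocs):
    """Steps 4-5: look up each IOC hash in the index; every hit is flagged as malware."""
    findings = []
    for digest in sorted(iocs):
        for path in index.get(digest, []):
            findings.append({"sha256": digest, "path": path, "verdict": "malware"})
    return findings

# Constructed IOC list, derived from the sample so the example stays self-contained.
DROPPER_SHA256 = hashlib.sha256(BACKUP_FILES["/srv/share/tools/dropper.exe"]).hexdigest()
SAMPLE_IOC_LIST = "\n".join([
    "# constructed hash list, as a user might upload under IOC Details",
    DROPPER_SHA256.upper() + "   # upper-case and padded on purpose",
    "a" * 64,       # well-formed hash that is not present in the index
    "not-a-hash",   # malformed entry: reported back to the user
])
```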

IOC inputs used during hunting

YARA rules and IOC hashes can be added through the Threat Scan Plan (IOC Details section). These IOCs are assigned to the plan and used as additional threat intelligence inputs during scanning operations.

Outcomes

  • Threat findings are recorded as metadata and written back into the standard backup index, which then drives dashboard visibility.

  • Optional: Use GenAI assistance (Arlie Sense) on dashboard screens to get summaries, recommendations, and contextual threat insights.
