User-initiated scan modes relevant to Threat Hunting
- Threat Hunting: on-demand (user-initiated) scans.
- Hash Hunting (rapid IOC matching): scans SHA256 hashes from user-provided hash lists and searches the backup index without restoring data.
Hash hunting API (how it works)
- SHA256 hashes are generated and collected from backup files as part of scanning.
- File hashes are stored in the backup index.
- The user submits one or more hash strings (or a file containing hashes) via the API; the system matches them against the index.
- Matching hashes are flagged as a malware threat in the backup index.
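A simplified model of the matching step just described, added here as an example and not the product's own code or API: the index records, field names, threat metadata layout and hash-list format are assumptions, and all hashes are constructed. It shows why hash hunting is cheap (a lookup against stored hashes, no data restore) and how malformed input is reported rather than silently ignored.

```python
import re
from collections import defaultdict

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")
# Constructed backup index: one record per backed-up file. The SHA256 was
# collected when the file was scanned, so matching never restores data.
BACKUP_INDEX = [
    {"path": "/srv/web/index.html", "sha256": "a" * 64, "threat": None},
    {"path": "/home/user/tool.exe", "sha256": "b" * 64, "threat": None},
    {"path": "/opt/app/tool.exe", "sha256": "b" * 64, "threat": None},
    {"path": "/etc/hosts", "sha256": "c" * 64, "threat": None},
]
# Constructed user-submitted hash list: one SHA256 per line; comments and
# blank lines allowed, mixed case tolerated, malformed lines rejected.
USER_HASH_LIST = "\n".join([
    "# IOC set from an incident report (constructed)",
    "B" * 64,    # matches two index records (case-insensitive)
    "d" * 64,    # not present in any backup: no finding
    "deadbeef",  # not a SHA256: reported back, never silently matched
])

def parse_hash_list(text):
    """Return (valid, rejected); valid hashes are normalised to lowercase."""
    valid, rejected = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if HEX64.match(line):
            valid.add(line.lower())
        else:
            rejected.append(line)
    return valid, rejected

def hunt(index, hashes, ioc_name="user-hash-list"):
    """Flag every index record whose SHA256 is in the submitted set.
    A one-pass hash -> records map keeps the cost at O(index + hashes)."""
    by_hash = defaultdict(list)
    for rec in index:
        by_hash[rec["sha256"].lower()].append(rec)
    findings = []
    for h in sorted(hashes):
        for rec in by_hash.get(h, []):
            rec["threat"] = {"type": "malware", "source": ioc_name, "sha256": h}
            findings.append(rec["path"])
    return findings

def run_example():
    hashes, rejected = parse_hash_list(USER_HASH_LIST)
    return hunt(BACKUP_INDEX, hashes), rejected
```

Run it with `python -c "import hunt_demo; print(hunt_demo.run_example())"` (assumed module name) to see the two flagged paths and the rejected input line.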
IOC inputs used during hunting
- YARA rules and hashes can be imported via APIs; uploaded IOCs are assigned to a plan and used as additional threat intelligence inputs during scanning operations.
Outcomes
- Threat findings are recorded as metadata and written back into the standard backup index, which then drives dashboard visibility.
- Optional: use GenAI assistance ("Arlie sense") on dashboard screens to get summaries and recommendations, including contextual threat insights.