
Guided Threat Hunts Cheatsheet


Overview

Guided Threat Hunts from Intel 471 is a new capability that lets you hunt for threats in your environment using intelligent queries. It combines Intel 471’s deep adversary intelligence with your own internal data to help you uncover hidden threats.

Key Features

  • Intelligent Queries: Uses pre-built and customizable queries to help you hunt for threats in your environment.
  • Adversary Intelligence: Leverages Intel 471’s deep adversary intelligence to provide context and insight into the threats you are hunting for.
  • Internal Data Integration: Integrates with your existing security tools and log sources to allow you to hunt for threats in your own data.
  • Actionable Insights: Provides actionable insights and recommendations to help you respond to the threats you uncover.

Getting Started

  1. Deploy the Intel 471 platform: Install and configure the Intel 471 platform in your environment.
  2. Enable Guided Threat Hunts: Enable the Guided Threat Hunts capability in the Intel 471 platform.
  3. Connect your data sources: Connect your security tools and log sources to the Intel 471 platform.
  4. Run a threat hunt: Use the pre-built queries or create your own to hunt for threats in your environment.
  5. Analyze the results: Analyze the results of your threat hunt to identify any hidden threats.
  6. Respond to threats: Use the actionable insights and recommendations to respond to the threats you uncover.

Common Commands

While Guided Threat Hunts is primarily UI-driven, here are some conceptual commands that represent the actions you would take within the platform:

  • intel471 hunt run --query "c2-communications": Run a threat hunt to look for command and control communications in your environment.
  • intel471 hunt results list --hunt-id <hunt_id>: View the results of a specific threat hunt.
  • intel471 hunt report generate --hunt-id <hunt_id>: Generate a report of the findings from a specific threat hunt.
  • intel471 hunt schedule --query "malware-delivery" --frequency daily: Schedule a daily threat hunt to look for malware delivery in your environment.

Example Use Case

Scenario: A security analyst wants to hunt for signs of a specific threat actor in their environment.

  1. Select a Threat Actor: The analyst selects a threat actor from Intel 471’s adversary intelligence database.
  2. Run a Threat Hunt: They run a threat hunt using a pre-built query that is designed to look for the tactics, techniques, and procedures (TTPs) used by that threat actor.
  3. Analyze the Results: The threat hunt returns a list of potential indicators of compromise (IOCs) that are associated with the threat actor.
  4. Investigate and Respond: The analyst investigates the IOCs to determine if they are legitimate threats, and then takes action to respond to any confirmed threats.
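The use case above can be modelled in a few lines outside the platform: take an actor's indicator set, match it against internal telemetry, and rank the hits so the analyst investigates the strongest leads first. The following is an added example and is not Intel 471's code or a description of its query engine; the actor name, indicators, log format and log lines are all constructed placeholders (documentation IP range, reserved .test domains, dummy hashes).

```python
"""IOC-driven hunt over constructed log lines (added example, not Intel 471 code).

Models the workflow: pick an actor, match that actor's indicators against
internal telemetry, return candidate hits, rank hosts for investigation.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed actor IOC set: placeholder values, not real intelligence.
ACTOR_IOCS = {
    "actor": "EXAMPLE-ACTOR-1",
    "domain": {"login.example-bad.test", "update-cdn.example-bad.test"},
    "ip": {"203.0.113.45"},              # 203.0.113.0/24 is a documentation range
    "sha256": {"0" * 63 + "1"},          # dummy file hash
}

# Which log fields each indicator type is compared against (constructed schema).
FIELDS_BY_TYPE = {
    "domain": ("dst",),
    "ip": ("dst_ip",),
    "sha256": ("sha256",),
}

# Constructed proxy and EDR events in a simple key=value format.
LOG_LINES = [
    "ts=2024-05-01T10:00:01Z src=proxy host=ws-17 user=alice dst=login.example-bad.test dst_ip=203.0.113.45 bytes=512",
    "ts=2024-05-01T10:00:09Z src=proxy host=ws-17 user=alice dst=www.example.com dst_ip=198.51.100.7 bytes=20480",
    "ts=2024-05-01T10:05:42Z src=proxy host=srv-02 user=svc_backup dst=update-cdn.example-bad.test dst_ip=203.0.113.45 bytes=64",
    "ts=2024-05-01T09:59:58Z src=edr host=ws-17 user=alice image=C:\\Users\\alice\\AppData\\Local\\Temp\\up.exe sha256=" + "0" * 63 + "1",
    "ts=2024-05-01T10:01:00Z src=edr host=ws-31 user=bob image=C:\\Windows\\System32\\notepad.exe sha256=" + "f" * 64,
]


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    source: str
    ioc_type: str
    indicator: str
    line: str


def parse_line(line: str) -> dict:
    """Parse a key=value log line into a dict (constructed format)."""
    return dict(KV_RE.findall(line))


def hunt(iocs: dict, lines: list) -> list:
    """Return one Finding per (event, matched indicator) pair."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        for ioc_type, fields in FIELDS_BY_TYPE.items():
            for field in fields:
                value = ev.get(field, "").lower()
                if value in iocs.get(ioc_type, ()):
                    findings.append(Finding(ev.get("ts", ""), ev.get("host", "?"),
                                            ev.get("src", "?"), ioc_type, value, line))
    return findings


def rank_hosts(findings: list) -> list:
    """Group hits by host and score by the number of distinct indicator types.

    A host that matches independent indicator types (network and file) is a
    stronger lead than one matching only a single IP, which may be shared
    hosting and therefore a false positive the analyst must rule out.
    """
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add((f.ioc_type, f.indicator))
    return sorted(
        ((host, len({t for t, _ in hits}), sorted(hits)) for host, hits in by_host.items()),
        key=lambda row: (-row[1], row[0]),
    )


if __name__ == "__main__":
    hits = hunt(ACTOR_IOCS, LOG_LINES)
    print(f"{len(hits)} indicator matches for {ACTOR_IOCS['actor']}")
    for host, score, indicators in rank_hosts(hits):
        print(f"{host}: {score} indicator type(s) -> {indicators}")
```

Running it lists five matches and ranks ws-17 (domain, IP and file hash all hit) above srv-02 (network indicators only); the ranking is the "investigate" step of the use case, where corroboration across independent indicator types separates a confirmed threat from a coincidental match on shared infrastructure.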

Additional Resources