Overview

The Threat Hunting module provides comprehensive capabilities for browsing through security alerts and identifying issues and threats in your environment. It serves as the central hub for investigating security events and conducting proactive threat hunting operations.

Key Features

Security Alert Analysis

The Threat Hunting module offers powerful tools to analyze security alerts across your infrastructure:
  • Real-time Alert Monitoring: View and analyze security alerts as they occur
  • MITRE ATT&CK Integration: Alerts are automatically mapped to MITRE ATT&CK tactics and techniques for better threat understanding
  • Multi-source Correlation: Correlate events from multiple security categories including:
    • Security events
    • Auditing and policy monitoring
    • Threat detection

Interactive Dashboards

The module provides interactive dashboards for threat visualization and analysis:
  • Overview Dashboard: High-level view of security posture and threat landscape (Dashboard ID: threat-hunting-overview-dashboard)
  • Agent Dashboard: Detailed threat analysis for individual agents (Dashboard ID: threat-hunting-pinned-agent-dashboard)
  • Customizable Visualizations: Create and customize visualizations to suit your threat hunting workflow

Advanced Event Tables

Threat hunting events are displayed in customizable data grids with the following columns:
  • Icon: Visual indicators for event severity and type
  • Timestamp: When the event occurred
  • Agent ID: Identifier of the agent that generated the event
  • MITRE ID: Associated MITRE ATT&CK technique identifier
  • MITRE Tactic: The adversary tactic from the MITRE ATT&CK framework
  • Rule Description: Detailed description of the triggered security rule
  • Rule Level: Severity level of the security rule
  • Rule ID: Unique identifier of the security rule

Data Sources

The Threat Hunting module utilizes the following data sources:
  • Events Repository: wazuh-events* index pattern
  • Sample Data Categories:
    • Security events
    • Auditing and policy monitoring
    • Threat detection

Component Architecture

The Threat Hunting module is implemented using the following components:

  // Main dashboard component
  DashboardThreatHunting
    DataSource: ThreatHuntingDataSource
    Repository: EventsDataSourceRepository

Location in codebase: /plugins/main/public/components/overview/threat-hunting/

Use Cases

Proactive Threat Hunting

Use the module to proactively search for indicators of compromise and suspicious behavior:
  1. Navigate to the Threat Hunting dashboard
  2. Filter events by MITRE tactics or techniques
  3. Investigate high-severity alerts
  4. Correlate events across multiple agents

Incident Investigation

Conduct thorough investigations of security incidents:
  1. Identify the initial alert or indicator
  2. Use the timeline view to understand the sequence of events
  3. Examine related alerts from the same agent or timeframe
  4. Document findings for incident response
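
The four investigation steps above can be scripted against exported alert documents. The following is an added example, not code from the Wazuh plugin: it pivots from an initial alert to the same agent's alerts within a time window (step 3), orders them as a timeline projected onto the event-table columns (step 2), and produces a findings record (step 4). The alerts are constructed sample data; the field names `timestamp`, `agent.id`, `rule.id`, `rule.level`, `rule.description`, `rule.mitre.id` and `rule.mitre.tactic` are assumed from the Wazuh alert schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample alerts shaped like Wazuh alert documents. Field names are
# assumed from the Wazuh alert schema; ids, timestamps and descriptions are made up.
SAMPLE_ALERTS = [
    {"_id": "a1", "timestamp": "2024-05-01T10:00:05Z", "agent": {"id": "001"},
     "rule": {"id": "5710", "level": 5,
              "description": "sshd: Attempt to login using a non-existent user",
              "mitre": {"id": ["T1110"], "tactic": ["Credential Access"]}}},
    {"_id": "a2", "timestamp": "2024-05-01T10:00:20Z", "agent": {"id": "001"},
     "rule": {"id": "5712", "level": 10,
              "description": "sshd: brute force trying to get access to the system",
              "mitre": {"id": ["T1110"], "tactic": ["Credential Access"]}}},
    {"_id": "a3", "timestamp": "2024-05-01T10:03:00Z", "agent": {"id": "001"},
     "rule": {"id": "5715", "level": 3, "description": "sshd: authentication success"}},
    {"_id": "a4", "timestamp": "2024-05-01T10:01:00Z", "agent": {"id": "002"},
     "rule": {"id": "5710", "level": 5,
              "description": "sshd: Attempt to login using a non-existent user",
              "mitre": {"id": ["T1110"], "tactic": ["Credential Access"]}}},
    {"_id": "a5", "timestamp": "2024-05-01T14:00:00Z", "agent": {"id": "001"},
     "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed.",
              "mitre": {"id": ["T1565"], "tactic": ["Impact"]}}},
]


def parse_ts(value: str) -> datetime:
    """Parse the UTC ISO-8601 timestamp ('Z' suffix) into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_alert(alerts, alert_id):
    """Step 1: locate the initial alert by its document id."""
    for alert in alerts:
        if alert["_id"] == alert_id:
            return alert
    raise KeyError(f"alert {alert_id} not found")


def related_alerts(alerts, initial_id, window_minutes=30):
    """Step 3: alerts from the same agent within +/- window of the initial alert."""
    initial = find_alert(alerts, initial_id)
    t0 = parse_ts(initial["timestamp"])
    window = timedelta(minutes=window_minutes)
    return [a for a in alerts
            if a["_id"] != initial_id
            and a["agent"]["id"] == initial["agent"]["id"]
            and abs(parse_ts(a["timestamp"]) - t0) <= window]


def timeline(alerts):
    """Step 2: order alerts chronologically and project them onto the table columns."""
    rows = []
    for a in sorted(alerts, key=lambda x: parse_ts(x["timestamp"])):
        mitre = a["rule"].get("mitre", {})  # rules without a MITRE mapping render as '-'
        rows.append({
            "timestamp": a["timestamp"],
            "agent_id": a["agent"]["id"],
            "mitre_id": ",".join(mitre.get("id", [])) or "-",
            "mitre_tactic": ",".join(mitre.get("tactic", [])) or "-",
            "rule_description": a["rule"]["description"],
            "rule_level": a["rule"]["level"],
            "rule_id": a["rule"]["id"],
        })
    return rows


def investigate(alerts, initial_id, window_minutes=30):
    """Steps 1-4 together: pivot from the initial alert and return a findings record."""
    initial = find_alert(alerts, initial_id)
    related = related_alerts(alerts, initial_id, window_minutes)
    rows = timeline([initial] + related)
    tactics = sorted({t for r in rows for t in r["mitre_tactic"].split(",") if t != "-"})
    return {
        "initial_alert": initial_id,
        "agent_id": initial["agent"]["id"],
        "timeline": rows,
        "tactics_observed": tactics,
        "max_rule_level": max(r["rule_level"] for r in rows),
        "related_count": len(related),
    }


if __name__ == "__main__":
    findings = investigate(SAMPLE_ALERTS, "a2")
    for row in findings["timeline"]:
        print(row["timestamp"], row["agent_id"], row["mitre_id"],
              row["rule_level"], row["rule_description"])
    print("tactics:", findings["tactics_observed"], "max level:", findings["max_rule_level"])
```

With the sample data, pivoting from the brute-force alert `a2` pulls in the earlier failed login and the later successful authentication on agent 001, while the alert from agent 002 and the file-integrity alert four hours later fall outside the pivot; that failed-then-successful login sequence on one host is exactly the pattern the timeline view is meant to surface.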

Compliance Monitoring

Monitor security events for compliance purposes:
  • Track security policy violations
  • Monitor access to critical systems
  • Generate compliance reports from filtered event data

Search and Filtering

The module supports advanced search and filtering capabilities:
  • Time Range Selection: Filter events by custom time ranges
  • Agent-based Filtering: Focus on specific agents or agent groups
  • Rule-based Filtering: Filter by rule severity, ID, or description
  • MITRE Framework Filtering: Filter by specific tactics or techniques
  • Full-text Search: Search across all event fields
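
Each filter type listed above maps onto one clause of an OpenSearch bool query against the `wazuh-events*` index pattern. The following is an added example, not code from the Wazuh plugin: it composes time range, agent, rule level, rule id, MITRE tactic and technique filters, and an optional full-text search into a single request body, and can add a per-tactic aggregation of the kind an overview dashboard would chart. The field names (`timestamp`, `agent.id`, `rule.level`, `rule.id`, `rule.mitre.tactic`, `rule.mitre.id`) are assumed from the Wazuh alert schema, and the aggregation assumes `rule.mitre.tactic` is mapped as a keyword field.

```python
import json

INDEX_PATTERN = "wazuh-events*"  # the events repository named on this page


def build_threat_hunting_query(time_from=None, time_to=None, agent_ids=None,
                               min_rule_level=None, rule_ids=None,
                               mitre_tactics=None, mitre_techniques=None,
                               free_text=None, size=50, tactic_breakdown=False):
    """Compose the module's filter types into one OpenSearch bool query body.

    Exact-match criteria go into the 'filter' context (no scoring, cacheable);
    the free-text search goes into 'must' so it contributes to relevance.
    """
    filters = []
    if time_from or time_to:
        # Date math such as "now-24h" is accepted by OpenSearch on date fields.
        bounds = {}
        if time_from:
            bounds["gte"] = time_from
        if time_to:
            bounds["lte"] = time_to
        filters.append({"range": {"timestamp": bounds}})
    if agent_ids:
        filters.append({"terms": {"agent.id": list(agent_ids)}})
    if min_rule_level is not None:
        filters.append({"range": {"rule.level": {"gte": int(min_rule_level)}}})
    if rule_ids:
        filters.append({"terms": {"rule.id": [str(r) for r in rule_ids]}})
    if mitre_tactics:
        filters.append({"terms": {"rule.mitre.tactic": list(mitre_tactics)}})
    if mitre_techniques:
        filters.append({"terms": {"rule.mitre.id": list(mitre_techniques)}})

    must = []
    if free_text:
        # simple_query_string searches all fields, requires every term (AND) and
        # ignores malformed syntax instead of failing the request, which makes it
        # the safer choice for text typed into a search box.
        must.append({"simple_query_string": {"query": free_text,
                                             "default_operator": "and"}})

    body = {
        "size": size,
        "sort": [{"timestamp": {"order": "desc"}}],
        "query": {"bool": {"filter": filters, "must": must}},
    }
    if tactic_breakdown:
        # Count of matching alerts per MITRE tactic; assumes a keyword mapping.
        body["aggs"] = {"tactics": {"terms": {"field": "rule.mitre.tactic",
                                              "size": 14}}}
    return body


def to_request(body):
    """Render the body as the JSON that would be POSTed to <host>/wazuh-events*/_search."""
    return json.dumps(body, indent=2)


if __name__ == "__main__":
    query = build_threat_hunting_query(
        time_from="now-24h", time_to="now", agent_ids=["001"], min_rule_level=7,
        mitre_tactics=["Credential Access"], free_text="sshd brute force",
        tactic_breakdown=True)
    print(f"POST /{INDEX_PATTERN}/_search")
    print(to_request(query))
```

Building the body this way keeps user-typed text confined to a single `simple_query_string` clause, so a search term can never alter the structural filters (agent, severity, time range) that scope the hunt.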

Integration with Other Modules

Threat Hunting integrates seamlessly with:
  • MITRE ATT&CK Module: Provides tactical context for security alerts
  • File Integrity Monitoring: Investigate file-based threats
  • Malware Detection: Correlate malware indicators
  • Vulnerability Detection: Link exploits to known vulnerabilities

Best Practices

  1. Regular Review: Schedule regular threat hunting sessions to identify emerging threats
  2. Use MITRE Mapping: Leverage MITRE ATT&CK mappings to understand attacker tactics
  3. Create Saved Searches: Save common search queries for quick access
  4. Set Up Alerts: Configure custom alerts for high-priority events
  5. Document Findings: Maintain documentation of threat hunting findings and remediation actions

  • [MITRE ATT&CK Module](/guides/mitre-attack-mapping)
  • [Security Events Dashboard](/modules/threat-hunting)
  • [Agent Management](/agents/overview)