Various questions about Threat Hunting


Soulyo

Jul 15, 2024, 5:35:01 AM7/15/24
to Wazuh | Mailing List
Hey
 
I'm writing this message to ask for clarification about the "Threat Hunting" feature in the "Threat Intelligence" category.

What is analysed?
- Which flux?
- Which logs?

What resource consumption? At what intervals?

Thanks in advance!
Nathan

Stuti Gupta

Jul 15, 2024, 6:14:42 AM7/15/24
to Wazuh | Mailing List
Hi Soulyo

Threat hunting, previously known as security events, analyzes numerous data sources like logs, network traffic, and endpoint data to identify and eliminate cyber threats that have evaded traditional security measures. It aims to uncover potential threats that may have gone undetected in an IT environment.

Wazuh can analyze logs from various sources including system logs, network logs, application logs, etc., depending on what you've configured it to monitor.

Resource Consumption and Intervals

The resource consumption for threat hunting depends on the volume of data being analyzed and the complexity of the rules and queries used. It typically involves CPU and memory usage on the Wazuh manager and possibly the indexers.

Threat hunting can be configured to run continuously or periodically based on your requirements. The intervals can vary depending on how frequently you want to perform threat-hunting queries and analyses.

To know more you can refer to https://documentation.wazuh.com/current/getting-started/use-cases/threat-hunting.html

Soulyo

Jul 15, 2024, 9:00:34 AM7/15/24
to Wazuh | Mailing List
I couldn't find it. What is analysed (feeds, logs, etc.)?

Stuti Gupta

Jul 16, 2024, 1:27:08 AM7/16/24
to Wazuh | Mailing List
Wazuh analyzes log data to identify threats. This can include things like system anomalies, malware detection, authentication failures, and other potential threats. Wazuh collects, analyzes, and stores logs from endpoints, network devices, and applications. The Wazuh agent, running on a monitored endpoint, collects and forwards system and application logs to the Wazuh server for analysis. Additionally, you can send log messages to the Wazuh server via syslog, or third-party API integrations.
The "Threat Hunting" feature in Wazuh analyzes a variety of data sources to identify potential cyber threats. Specifically, it analyzes:

Logs like:
- System logs
- Network logs
- Application logs
- Security logs
- Any other logs configured within Wazuh to be monitored

Network Traffic:
- Network flow data
- Packet capture data

Endpoint Data:
- File integrity monitoring data
- Registry changes
- Running processes
- User activity

Resource Consumption:

Wazuh also uses decoders to normalize and parse diverse log formats and data sources. This ensures that collected information is presented in a standardized manner, facilitating effective analysis and correlation of data from various sources. It also uses rules to trigger alerts, which then appear in the Wazuh dashboard.

To know more you can refer to https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html
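As an added illustration of the decoder-then-rule pipeline described above (this is example configuration written for this thread, not from the Wazuh documentation or the Wazuh project): a custom decoder that normalizes a constructed application log line into standard fields, and rules that raise an alert on a single failed login and a higher-level alert when several failures arrive from one source IP. The application name "acme-app", the log format, the rule IDs 100100-100102 and the sample IP 203.0.113.7 are assumptions; the file paths, XML elements and the MITRE ATT&CK ID T1110 are standard Wazuh/ATT&CK usage.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml -->
<!-- Constructed sample line the decoder is written for:
     acme-app: login failed user=alice src=203.0.113.7 -->
<decoder name="acme-app">
  <prematch>^acme-app: </prematch>
</decoder>

<decoder name="acme-app-login">
  <parent>acme-app</parent>
  <prematch offset="after_parent">login </prematch>
  <!-- Extract status, user and source IP into Wazuh's standard field names -->
  <regex offset="after_prematch">^(\w+) user=(\S+) src=(\S+)$</regex>
  <order>status, srcuser, srcip</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="acme-app,authentication,">
  <!-- Level 0: group every acme-app event without alerting -->
  <rule id="100100" level="0">
    <decoded_as>acme-app</decoded_as>
    <description>acme-app event grouped.</description>
  </rule>

  <!-- Level 5: one failed login, tagged with the ATT&CK brute-force technique -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <field name="status">^failed$</field>
    <description>acme-app: failed login for user $(srcuser) from $(srcip).</description>
    <group>authentication_failed,</group>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

  <!-- Level 10: five failures from the same source IP within 120 seconds -->
  <rule id="100102" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_srcip />
    <description>acme-app: multiple failed logins from $(srcip) (possible brute force).</description>
    <group>authentication_failures,</group>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>
</group>
```

Feeding the sample line to /var/ossec/bin/wazuh-logtest on the manager shows the decoded fields and which rule fired before the alert reaches the dashboard.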

Soulyo

Jul 16, 2024, 3:00:00 AM7/16/24
to Wazuh | Mailing List
Thank you very much!

What about the MITRE ATT&CK module? What data is collected?
Scan interval? Duration? Resources?

Stuti Gupta

Jul 25, 2024, 12:26:33 AM7/25/24
to Wazuh | Mailing List
For the new issue, please open another thread so we can track it better, which will also help other team members.