Query Using Hunt Feature
LogRhythm NDR collects metadata about network flow, users, hosts, and other data. Analysts can use the Hunt feature to query this metadata for incident response research, threat hunting, and other purposes. The following Explore dashboards are available under the Hunt menu:
Hunt Menu Explore Dashboards

Dashboard | Displays
---|---
Activity | All items combined on the same screen
Geo Activity | A map view and filtering based on location
Mitre (ATT&CK Navigator) | Any matching attacks as counts, next to the techniques
Packet Captures | Packet captures (pcaps) that have been taken
To select the date range, click the range icon in the top right corner of the screen. In the drop-down menu, select a date range.
Activity
The Activity page displays recent activity on the network, which can be filtered by using the discovery filters.
To access the Activity dashboard:
- Click the Hunt tab. In the drop-down menu, click Activity.
The Activity page appears, displaying logs and events in a table. By default, the legend and the events for the last one (1) hour are shown.
- To filter by event category, click a category in the legend under the graph.
- To display more information about an activity, click its entry in the timeline at the bottom of the page.
Geo Activity
The Geo Activity page displays a global map that shows the countries where activity has occurred.
To access the Geo Activity dashboard:
- Click the Hunt tab. In the drop-down menu, click Geo Activity.
The Geo Activity page appears, displaying logs and events in a table. By default, the legend and the events for the last one (1) hour are shown.
- To view the timeline for the pinpoints on the map, go to the bottom of the page.
MITRE ATT&CK Navigator
MITRE ATT&CK Navigator displays any matching attacks as counts next to the techniques. The threat groups and malicious software associated with each technique can also be displayed.
To use the MITRE ATT&CK Navigator function:
- Click the Hunt tab. In the drop-down menu, click Mitre.
The Mitre page appears, displaying all the events. By default, all the IOAs (Indicators of Attack) for the last one (1) hour are listed.
- To change the time range, select a custom range such as the last 15 minutes, 24 hours, or 7 days.
The graph for all the events in the selected time period appears.
- To scroll the legend event list, click the up or down arrow icon.
- To look further into a particular IOA, click the + icon linked to that IOA.
In the drop-down menu, all the fields related to that IOA appear.
- To filter the IOAs by technique in the Mitre matrix:
- Remove the earlier filter from the search bar.
- Click the ATT&CK Hunting icon.
- Click a technique, for example Brute Force.
Brute Force is added to the search bar as an OR term.
- To view the IOAs related to Brute Force, close the ATT&CK Hunting matrix window.
Only the IOAs related to Brute Force appear.
Packet Captures
This function is currently under development.
Other Hunt Query Methods
The Hunt feature can also perform queries using other methods.
Discover
Discover can be used to populate the necessary fields from the data model. You may also do a partial search to locate fields:
To use the Discover Data function:
- Click the histogram button.
The timeline histogram displays the various values of that field.
- Click the + icon for a value.
A popup appears with all the different values for that field, allowing you to change the values used in the filter.
View Modes
To display a table view of a record:
- To display the host/user details, click the Host/User icon.
A dialog box appears that displays the host/user details.
- To close the host/user detail dialog box, click the X icon in the top-right corner.
- To display incident events, scroll down to Activity.
Events are displayed in the graph and in a table.
By default, the table displays ten (10) events. If the incident contains more than ten (10) events, pagination is available.
- To display more detailed information about a related event, click the + next to the event.
The following three (3) tabs are displayed: Details, JSON, and Related Logs.
The Details tab appears by default. The diagram shown in the Details tab has a horizontal scroll bar; use it to view the full diagram.
- To display all record properties, expand each value.
The value is added to the search.
To display a JSON view of a record:
- To display the information of the event in JSON format, click the JSON tab in the event.
By default, all the information is collapsed under the source field.
- To expand or collapse the section, click the expand/collapse arrow icon next to the source field.
Information is similarly collapsed under other fields.
- To display the related logs for the event, with dates included, click the Related Logs tab.
- To display the related logs in JSON format, click the JSON tab in Related Logs.
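The MITRE ATT&CK Navigator procedure above and the ten-row Activity table under View Modes both come down to a few operations on IOA records: restrict them to a time range, OR the selected techniques together, count hits per technique, and page the result. The following is an added example that models those operations offline; it is not LogRhythm NDR code and does not call the product. The records are constructed, and their field names (timestamp, technique_id, technique, src_ip, user) are assumptions rather than the product's schema.

```python
"""Offline model of the Hunt filters described on this page.

Added example, not LogRhythm NDR code. It works on constructed IOA records
whose field names (timestamp, technique_id, technique, src_ip, user) are
assumptions, not the product's schema, and shows what the Mitre dashboard
and the Activity table do with records: restrict them to a time range, OR
selected ATT&CK techniques together, and page the result ten rows at a time.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import json

# Fixed "now" so the time-range windows below are deterministic.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _rec(minutes_ago, tid, name, src, user):
    """Build one constructed IOA record (assumed field names)."""
    return {
        "timestamp": (NOW - timedelta(minutes=minutes_ago)).isoformat(),
        "technique_id": tid,
        "technique": name,
        "src_ip": src,
        "user": user,
    }


# Constructed sample data: 11 Brute Force hits inside the last hour, 3 service
# discovery hits and 2 application-layer C2 hits spread over the last 24 hours.
SAMPLE_IOAS = (
    [_rec(m, "T1110", "Brute Force", "10.0.0.5", f"user{m % 3}") for m in range(5, 60, 5)]
    + [_rec(m, "T1046", "Network Service Discovery", "10.0.0.9", "svc") for m in (90, 150, 400)]
    + [_rec(m, "T1071", "Application Layer Protocol", "10.0.0.7", "admin") for m in (30, 1300)]
)


def last_hours(records, hours):
    """Records whose timestamp falls within the last `hours` hours, newest first
    (the page's default is one hour; the range menu offers 15 min, 24 h, 7 d)."""
    start = NOW - timedelta(hours=hours)
    hits = [r for r in records if start <= datetime.fromisoformat(r["timestamp"]) <= NOW]
    return sorted(hits, key=lambda r: r["timestamp"], reverse=True)


def filter_by_techniques(records, techniques):
    """OR semantics, as when techniques are picked from the ATT&CK Hunting
    matrix: a record matches if its technique is any of the selected ones.
    An empty selection (filter removed from the search bar) returns everything."""
    wanted = set(techniques)
    if not wanted:
        return list(records)
    return [r for r in records if r["technique"] in wanted]


def technique_counts(records):
    """Per-technique counts, the numbers the Navigator shows next to techniques."""
    return Counter(r["technique_id"] for r in records)


def page_count(records, size=10):
    """Number of pages for a table that shows `size` rows at a time."""
    return max(1, -(-len(records) // size))


def paginate(records, page, size=10):
    """Rows for 1-based `page` of a `size`-row table (10 rows by default,
    as in the Activity table under View Modes)."""
    if page < 1 or size < 1:
        raise ValueError("page and size must be positive")
    start = (page - 1) * size
    return records[start:start + size]


if __name__ == "__main__":
    recent = last_hours(SAMPLE_IOAS, 1)
    print("last hour:", dict(technique_counts(recent)))
    brute = filter_by_techniques(recent, ["Brute Force"])
    print(f"{len(brute)} Brute Force IOAs, {page_count(recent)} page(s) of results")
    # The JSON tab shows the raw record; here is the first one, pretty-printed.
    print(json.dumps(paginate(brute, 1)[0], indent=2))
```

Widening the window from one hour to 24 hours is what changes the counts next to the techniques, and clearing the technique selection is what brings the unfiltered list back; with more than ten matching records the table splits into pages exactly as the View Modes section describes.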