Threat Hunting

Threat Hunting enables security teams to proactively investigate endpoint event logs by querying collected data for suspicious or unusual behavior. Administrators can search endpoint event logs using query syntax, identify threats, and create alerts to receive notifications when the same activity recurs in the environment.

Threat Hunting supports two query-building modes: Syntax mode for writing queries directly and Classic mode for building queries through a guided filter interface. Once suspicious activity is identified, administrators can respond in two ways:

  • Raise Alert — Immediately raise an alert for a specific suspicious event identified in the hunting results.
  • Schedule Alert — Create a recurring query that runs automatically at a set frequency and raises an alert whenever the specified conditions are met.

When an alert is raised, a corresponding incident is automatically created under the Incidents menu for further investigation.

Steps to use Threat Hunting

  1. Navigate to Endpoint Protection > Threat Hunting.
  2. Choose how you want to build the query:
    • Syntax — Write queries directly using the supported query language.
    • Classic — Build queries visually using the filter builder, without writing syntax manually.
  3. Select the time period by specifying the date and time range for the search.
  4. Click Run to execute the query and view matching results.
  5. Review the results in the Hunting Result table. Click on a result row to open the Hunting Details panel, which displays the Timestamp, Event Meta, Device details, and Event details for the selected event.
  6. If you identify a specific suspicious event, click Raise Alert in the Hunting Details panel to immediately raise an alert for that event.
  7. If you want to continuously monitor for a pattern of activity, click Schedule Alert to create a recurring alert based on the query.
  8. Monitor alerts and investigate related incidents from the Incidents menu.

Using Syntax mode

Syntax mode lets you write query statements directly to search endpoint event logs. Use this mode when you need precise control over search conditions using supported operators and field names.

For complete syntax reference and all supported operators, see Query Syntax Documentation.

Building a query

  1. Select Syntax as the query mode.
  2. Enter the query in the search field using the supported query language.
  3. Append additional conditions to narrow down results as needed.
  4. Select the time period and click Run.

Example:

logtype="edrevents"

You can chain multiple conditions to refine results further:

logtype="edrevents" AND action="FileCreate" AND filepath CONTAINS "temp"
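To make the semantics of such chained conditions concrete, the following Python evaluator parses queries in the shape shown above and runs them over a handful of constructed sample events. It is an added example, not the product's query engine: the grammar it accepts (field = "value", field != "value", field CONTAINS "value", combined with AND and OR, grouped with parentheses, AND binding tighter than OR, and CONTAINS as a case-insensitive substring match) is an assumption drawn from the operators this page names, and the event fields and values are invented sample data.

```python
"""Toy evaluator for the Threat Hunting query syntax (added example, not product code).

Assumed grammar: cond := FIELD ( = | != | CONTAINS ) "string"; AND binds tighter
than OR; parentheses group. CONTAINS is treated as case-insensitive substring.
"""
import re

TOKEN_RE = re.compile(
    r'\s+'                                 # whitespace, skipped
    r'|"(?P<str>[^"]*)"'                   # quoted string literal
    r'|(?P<paren>[()])'
    r'|(?P<op>!=|=)'
    r'|(?P<word>[A-Za-z_][A-Za-z0-9_.]*)'  # field name or keyword
)
KEYWORDS = {"AND", "OR", "CONTAINS"}


def tokenize(query):
    """Split a query into (kind, text) tokens: STR, PAREN, OP, KW or FIELD."""
    tokens, pos = [], 0
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {query[pos:pos + 10]!r}")
        pos = m.end()
        if m.group("str") is not None:
            tokens.append(("STR", m.group("str")))
        elif m.group("paren"):
            tokens.append(("PAREN", m.group("paren")))
        elif m.group("op"):
            tokens.append(("OP", m.group("op")))
        elif m.group("word"):
            word = m.group("word")
            tokens.append(("KW", word.upper()) if word.upper() in KEYWORDS else ("FIELD", word))
    return tokens


class _Parser:
    """Recursive-descent parser producing a small tuple AST."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self, kind=None, value=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (value and tok[1] != value):
            raise ValueError(f"expected {value or kind or 'a token'}, got {tok[1]!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek()[0] is not None:            # leftover tokens mean a malformed query
            raise ValueError(f"unexpected token {self.peek()[1]!r}")
        return node

    def expr(self):                               # expr := term (OR term)*
        node = self.term()
        while self.peek() == ("KW", "OR"):
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):                               # term := factor (AND factor)*
        node = self.factor()
        while self.peek() == ("KW", "AND"):
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):                             # factor := '(' expr ')' | FIELD op STR
        if self.peek() == ("PAREN", "("):
            self.take()
            node = self.expr()
            self.take("PAREN", ")")
            return node
        field = self.take("FIELD")[1]
        kind, op = self.take()
        if kind not in ("OP", "KW") or op not in ("=", "!=", "CONTAINS"):
            raise ValueError(f"unsupported operator {op!r}")
        return ("cmp", op, field, self.take("STR")[1])


def matches(node, event):
    """Evaluate an AST node against one event (a dict of field -> value)."""
    if node[0] == "and":
        return matches(node[1], event) and matches(node[2], event)
    if node[0] == "or":
        return matches(node[1], event) or matches(node[2], event)
    _, op, field, value = node
    actual = event.get(field)
    if actual is None:                            # assumption: absent field never matches
        return False
    if op == "=":
        return str(actual) == value
    if op == "!=":
        return str(actual) != value
    return value.lower() in str(actual).lower()   # CONTAINS, case-insensitive by assumption


def compile_query(query):
    return _Parser(tokenize(query)).parse()


def is_valid_query(query):
    try:
        compile_query(query)
        return True
    except ValueError:
        return False


def hunt(query, events):
    """Return the events matching the query, in their original order."""
    node = compile_query(query)
    return [e for e in events if matches(node, e)]


# Constructed sample events; field names and values are invented for this example.
SAMPLE_EVENTS = [
    {"logtype": "edrevents", "action": "FileCreate", "device": "WS-01",
     "filepath": r"C:\Users\alice\AppData\Local\Temp\setup.tmp", "process": "installer.exe"},
    {"logtype": "edrevents", "action": "FileCreate", "device": "WS-01",
     "filepath": r"C:\Program Files\App\app.log", "process": "app.exe"},
    {"logtype": "edrevents", "action": "ProcessStart", "device": "WS-02",
     "filepath": r"C:\Windows\Temp\run.exe", "process": "run.exe"},
    {"logtype": "edrevents", "action": "FileCreate", "device": "WS-02",
     "filepath": r"C:\Windows\Temp\payload.dll", "process": "run.exe"},
    {"logtype": "syslog", "action": "FileCreate", "device": "SRV-01",
     "filepath": "/tmp/x", "process": "bash"},
]

if __name__ == "__main__":
    for hit in hunt('logtype="edrevents" AND action="FileCreate" AND filepath CONTAINS "temp"', SAMPLE_EVENTS):
        print(hit["device"], hit["filepath"])
```

The `__main__` block reproduces the page's chained query and prints the two matching rows (the Temp-folder file creations on WS-01 and WS-02); the syslog row is excluded by `logtype` and the `app.log` row by the `CONTAINS` clause. Parsing the query before running it is also the cheapest place to reject a malformed scheduled-alert query instead of silently matching nothing.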


Using Classic mode

Classic mode provides a guided filter interface for building queries without writing syntax manually. This mode is ideal for administrators who prefer a visual, point-and-click approach.

Building a filter

  1. Select Classic as the query mode.
  2. Choose a field to filter on from the drop-down list.
  3. Select the operator (for example, equals, contains, greater than).
  4. Enter the value to match.
  5. To add more conditions:
    • Click AND or OR to add individual conditions.
    • Click Add Group Filter to create nested condition groups for complex logic.
  6. Review the criteria pattern displayed below the filter builder to verify how conditions are combined.
  7. Select the time period and click Run.


Raising an alert

When you identify a specific suspicious event in the hunting results, you can immediately raise an alert for it directly from the Hunting Details panel.

Steps to raise an alert

  1. Run a query in Syntax or Classic mode and review the Hunting Result table.
  2. Click on a result row to open the Hunting Details panel on the right. The panel displays detailed information about the selected event, including:
    • Timestamp — The date and time of the event.
    • Event Meta — Metadata associated with the event.
    • Device details — Information about the endpoint where the event occurred.
    • Event details — Specific event attributes such as source endpoint IP, destination endpoint IP, port numbers, protocol information, and more.
  3. Review the event details. If the activity is suspicious, click Raise Alert at the top of the Hunting Details panel.

An alert is immediately raised for the selected event and a corresponding incident is created under the Incidents menu.


Scheduling an alert

In addition to raising alerts for individual events, you can schedule a recurring alert that automatically runs a query at a set frequency. This is useful for continuously monitoring for specific patterns of activity across all managed endpoints — for example, detecting when a process renames an unusually high number of files within a short time window.

Steps to schedule an alert

  1. Create and validate the query in Syntax or Classic mode.
  2. Click Schedule Alert in the top-right corner of the Threat Hunting page.
  3. Configure the alert with the following details:
     Field              | Description
     Alert Name         | A descriptive name for the alert. Use a name that clearly identifies the threat or activity being monitored.
     Run Frequency      | How often the query runs automatically (for example, every 15 minutes, hourly, or daily).
     Severity           | The severity level assigned to the alert (for example, Low, Medium, High, or Critical).
     Query              | The validated threat hunting query. This field is auto-populated from your current query.
     Alert When Results | The condition that triggers the alert based on the result count (for example, "greater than 0").
  4. Click Add Alert to save and activate the alert.
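The scenario mentioned above, a process renaming an unusually high number of files in a short window, is a good illustration of what a scheduled alert evaluates on each run: a windowed count per device and process, then the "Alert When Results" gate on the number of findings. The Python below is an added example of that logic, not the product's scheduler; the event layout, the 60-second window, the threshold of 20 renames, and all sample events are constructed assumptions for this example.

```python
"""Windowed rename-burst check of the kind a scheduled Threat Hunting alert would run.

Added example, not product code. Event layout, window and threshold are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # hypothetical tuning: look for bursts inside any 60 s span
THRESHOLD = 20                   # hypothetical tuning: renames per (device, process) per window


def find_rename_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return one finding per (device, process) whose FileRename count within
    any sliding `window` reaches `threshold`. Input order does not matter."""
    by_key = defaultdict(list)
    for e in events:
        if e["action"] == "FileRename":
            by_key[(e["device"], e["process"])].append(e["timestamp"])
    findings = []
    for (device, process), times in by_key.items():
        times.sort()
        recent, peak, peak_start = deque(), 0, None
        for t in times:
            recent.append(t)
            while t - recent[0] > window:        # drop events older than the window
                recent.popleft()
            if len(recent) > peak:
                peak, peak_start = len(recent), recent[0]
        if peak >= threshold:
            findings.append({"device": device, "process": process,
                             "renames": peak, "window_start": peak_start})
    return findings


def scheduled_alert_fires(results, minimum=0):
    """The 'Alert When Results' gate: fire when the result count is greater than
    `minimum`, matching the page's example condition "greater than 0"."""
    return len(results) > minimum


# Constructed sample events (not real telemetry).
def _mk(device, process, start, count, spacing_s, action="FileRename"):
    return [{"timestamp": start + timedelta(seconds=i * spacing_s), "device": device,
             "process": process, "action": action, "filepath": f"C:\\data\\file{i}.docx"}
            for i in range(count)]


BASE = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = (
    _mk("WS-02", "svchost.exe", BASE, 25, 1)      # 25 renames in 25 s: a burst
    + _mk("WS-01", "explorer.exe", BASE, 5, 120)   # 5 renames over 8 min: routine
    + _mk("SRV-01", "backup.exe", BASE, 25, 90)    # 25 renames spread over 36 min: never 20 in one window
    + _mk("WS-02", "svchost.exe", BASE, 3, 1, "FileCreate")  # other actions are ignored
)

if __name__ == "__main__":
    findings = find_rename_bursts(SAMPLE_EVENTS)
    print("alert fires:", scheduled_alert_fires(findings))
    for f in findings:
        print(f["device"], f["process"], f["renames"], "renames from", f["window_start"].time())
```

Only `svchost.exe` on WS-02 is reported with the default window: `backup.exe` performs the same total number of renames, but spread so thinly that no 60-second span holds more than one, which is exactly the distinction the window gives the scheduled query over a plain count. Widening the window to 40 minutes with the threshold at 25 brings `backup.exe` into the results too, so the window and threshold are the two knobs to tune when a scheduled alert is too noisy or too quiet.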


Incidents

Whenever an alert is raised — either directly from the Hunting Details panel or through a scheduled alert — a corresponding incident is automatically created under the Incidents menu. This provides a centralized view for tracking and investigating all suspicious activities detected through threat hunting.

Incident details

From the Incidents page, each incident displays the following information:

  Column           | Description
  Detection Source | The origin of the detection (for example, Threat Hunting alert).
  Detected Time    | The date and time when the activity was detected.
  Severity         | The severity level inherited from the alert configuration.
  Alerts           | The number of alerts associated with the incident.
  Infected Devices | The endpoints where the suspicious activity was detected.
  Incident Status  | The current status of the incident (for example, New, In Progress, Resolved).
  Detection Status | Whether the detection is confirmed, under review, or dismissed.
