# Threat Hunting

Threat Hunting enables security teams to proactively investigate endpoint event logs by querying collected data for suspicious or unusual behavior. Administrators can search endpoint event logs using query syntax, identify threats, and create alerts that notify them when the same activity recurs in the environment.

Threat Hunting supports two query-building modes: **Syntax** mode for writing queries directly and **Classic** mode for building queries through a guided filter interface.

Once suspicious activity is identified, administrators can respond in two ways:

- **Raise Alert** — Immediately raise an alert for a specific suspicious event identified in the hunting results.
- **Schedule Alert** — Create a recurring query that runs automatically at a set frequency and raises an alert whenever the specified conditions are met.

When an alert is raised, a corresponding incident is automatically created under the **Incidents** menu for further investigation.

- [Steps to use Threat Hunting](#steps-to-use-threat-hunting)
- [Using Syntax mode](#using-syntax-mode)
- [Using Classic mode](#using-classic-mode)
- [Raising an alert](#raising-an-alert)
- [Scheduling an alert](#scheduling-an-alert)
- [Incidents](#incidents)

## Steps to use Threat Hunting

1. Navigate to **Endpoint Protection** → **Threat Hunting**.
2. Choose how you want to build the query:
   - **Syntax** — Write queries directly using the supported query language.
   - **Classic** — Build queries visually using the filter builder, without writing syntax manually.
3. Select the time period by specifying the date and time range for the search.
4. Click **Run** to execute the query and view matching results.
5. Review the results in the **Hunting Result** table. Click a result row to open the **Hunting Details** panel, which displays the Timestamp, Event Meta, Device details, and Event details for the selected event.
6. If you identify a specific suspicious event, click **Raise Alert** in the Hunting Details panel to immediately raise an alert for that event.
7. If you want to continuously monitor for a pattern of activity, click **Schedule Alert** to create a recurring alert based on the query.
8. Monitor alerts and investigate related incidents from the **Incidents** menu.

## Using Syntax mode

**Syntax** mode lets you write query statements directly to search endpoint event logs. Use this mode when you need precise control over search conditions using supported operators and field names. For the complete syntax reference and all supported operators, see [Query Syntax Documentation](https://www.manageengine.com/products/desktop-central/help/edr/query-logs.html).

### Building a query

1. Select **Syntax** as the query mode.
2. Enter the query in the search field using the supported query language.
3. Append additional conditions to narrow down results as needed.
4. Select the time period and click **Run**.

**Example:**

```plaintext
logtype="edrevents"
```

You can chain multiple conditions to refine results further:

```plaintext
logtype="edrevents" AND action="FileCreate" AND filepath CONTAINS "temp"
```

Each additional `AND` condition narrows the result set; a condition such as `filepath CONTAINS "temp"` matches any event whose path includes that substring, so widen or tighten the value until the result table shows only the activity you are hunting for.

## Using Classic mode

**Classic** mode provides a guided filter interface for building queries without writing syntax manually. This mode is ideal for administrators who prefer a visual, point-and-click approach.

### Building a filter

1. Select **Classic** as the query mode.
2. Choose a **field** to filter on from the drop-down list.
3. Select the **operator** (for example, equals, contains, greater than).
4. Enter the **value** to match.
5. To add more conditions:
   - Click **AND** or **OR** to add individual conditions.
   - Click **Add Group Filter** to create nested condition groups for complex logic.
6. Review the **criteria pattern** displayed below the filter builder to verify how conditions are combined. This matters whenever a filter mixes **AND** and **OR**: the grouping shown in the criteria pattern, not the order in which you added the conditions, determines what the query matches.
7. Select the time period and click **Run**.
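The following is an added example written for this page, not the product's own query engine: a small evaluator for the query shape the Syntax-mode section shows (`field="value"`, `field CONTAINS "value"`, `AND`, `OR`, and parenthesised groups, which are the Syntax-mode equivalent of a Classic-mode group filter), run over constructed endpoint events. The event field names other than `logtype`, `action` and `filepath`, the sample events, the rule that `AND` binds tighter than `OR`, the exact match for `=` and the case-insensitive substring match for `CONTAINS` are all assumptions made for the illustration; consult the linked syntax reference and the criteria pattern in Classic mode for the product's actual behaviour.

```python
"""Minimal evaluator for Syntax-mode style hunting queries (added illustration;
not the product's query engine). Precedence and matching rules are assumptions."""
import re
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]
Predicate = Callable[[Event], bool]

# Constructed sample events standing in for collected endpoint event logs.
SAMPLE_EVENTS: List[Event] = [
    {"logtype": "edrevents", "action": "FileCreate", "device": "WS-001",
     "process": "powershell.exe", "filepath": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"logtype": "edrevents", "action": "FileCreate", "device": "WS-002",
     "process": "msiexec.exe", "filepath": r"C:\Program Files\App\app.dll"},
    {"logtype": "edrevents", "action": "ProcessStart", "device": "WS-003",
     "process": "a.exe", "filepath": r"C:\Windows\Temp\a.exe"},
    {"logtype": "syslog", "action": "FileCreate", "device": "LX-001",
     "process": "sh", "filepath": "/tmp/x"},
]

# One alternative per token kind; keywords are tried before identifiers.
TOKEN_RE = re.compile(
    r'\s*(?:(\()|(\))|(AND|OR)\b|(CONTAINS)\b|(=)|"([^"]*)"|([A-Za-z_][\w.]*))',
    re.IGNORECASE,
)


def tokenize(query: str) -> List[Tuple[str, str]]:
    tokens: List[Tuple[str, str]] = []
    pos, query = 0, query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {query[pos:pos + 12]!r}")
        pos = m.end()
        lparen, rparen, logic, contains, eq, string, ident = m.groups()
        if lparen:
            tokens.append(("LPAREN", "("))
        elif rparen:
            tokens.append(("RPAREN", ")"))
        elif logic:
            tokens.append(("LOGIC", logic.upper()))
        elif contains:
            tokens.append(("CONTAINS", "CONTAINS"))
        elif eq:
            tokens.append(("EQ", "="))
        elif string is not None:          # "" is a valid (empty) value
            tokens.append(("STRING", string))
        else:
            tokens.append(("IDENT", ident))
    return tokens


class QueryParser:
    """Recursive descent: expr := term (OR term)*, term := factor (AND factor)*,
    factor := '(' expr ')' | field ('=' | CONTAINS) "value".
    AND binding tighter than OR is an assumption of this example."""

    def __init__(self, query: str) -> None:
        self.tokens = tokenize(query)
        self.pos = 0

    def peek(self) -> Tuple[str, str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else ("EOF", "")

    def take(self, kind: str) -> str:
        tok = self.peek()
        if tok[0] != kind:
            raise ValueError(f"expected {kind}, got {tok[0]} {tok[1]!r}")
        self.pos += 1
        return tok[1]

    def parse(self) -> Predicate:
        pred = self.expr()
        if self.peek()[0] != "EOF":
            raise ValueError(f"trailing input: {self.peek()[1]!r}")
        return pred

    def expr(self) -> Predicate:
        terms = [self.term()]
        while self.peek() == ("LOGIC", "OR"):
            self.pos += 1
            terms.append(self.term())
        return lambda ev: any(t(ev) for t in terms)

    def term(self) -> Predicate:
        factors = [self.factor()]
        while self.peek() == ("LOGIC", "AND"):
            self.pos += 1
            factors.append(self.factor())
        return lambda ev: all(f(ev) for f in factors)

    def factor(self) -> Predicate:
        if self.peek()[0] == "LPAREN":
            self.pos += 1
            inner = self.expr()
            self.take("RPAREN")
            return inner
        field = self.take("IDENT")
        op = self.peek()[0]
        if op not in ("EQ", "CONTAINS"):
            raise ValueError(f"expected = or CONTAINS after {field!r}, got {op}")
        self.pos += 1
        value = self.take("STRING")
        if op == "EQ":   # exact, case-sensitive match (assumption)
            return lambda ev: str(ev.get(field, "")) == value
        # substring, case-insensitive match (assumption)
        return lambda ev: value.lower() in str(ev.get(field, "")).lower()


def hunt(query: str, events: List[Event]) -> List[Event]:
    """Run a Syntax-mode style query over the events and return the matching rows."""
    matches = QueryParser(query).parse()
    return [ev for ev in events if matches(ev)]


if __name__ == "__main__":
    for q in ('logtype="edrevents"',
              'logtype="edrevents" AND action="FileCreate" AND filepath CONTAINS "temp"',
              'logtype="edrevents" AND (action="FileCreate" OR action="ProcessStart") '
              'AND filepath CONTAINS "temp"'):
        print(q, "->", [ev["device"] for ev in hunt(q, SAMPLE_EVENTS)])
```

The third query in the usage block is what a Classic-mode filter with one group (`action` equals FileCreate **OR** `action` equals ProcessStart) joined by **AND** to the other two conditions would produce; comparing its result with the ungrouped `a OR b AND c` form shows why the criteria pattern is worth checking before a query is scheduled.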
## Raising an alert

When you identify a specific suspicious event in the hunting results, you can immediately raise an alert for it directly from the Hunting Details panel.

### Steps to raise an alert

1. Run a query in **Syntax** or **Classic** mode and review the **Hunting Result** table.
2. Click a result row to open the **Hunting Details** panel on the right. The panel displays detailed information about the selected event, including:
   - **Timestamp** — The date and time of the event.
   - **Event Meta** — Metadata associated with the event.
   - **Device details** — Information about the endpoint where the event occurred.
   - **Event details** — Specific event attributes such as source endpoint IP, destination endpoint IP, port numbers, protocol information, and more.
3. Review the event details. If the activity is suspicious, click **Raise Alert** at the top of the Hunting Details panel. An alert is immediately raised for the selected event and a corresponding incident is created under the **Incidents** menu.

![threat-hunting-raise-alert](https://cdn.manageengine.com/products/desktop-central/help/images/threat-hunting-raise-alert.png)

## Scheduling an alert

In addition to raising alerts for individual events, you can schedule a recurring alert that automatically runs a query at a set frequency. This is useful for continuously monitoring for specific patterns of activity across all managed endpoints, for example detecting when a process renames an unusually high number of files within a short time window.

Validate the query over a representative time range before scheduling it: a query that also matches routine activity will raise an alert, and therefore an incident, on every run in which it finds results.

### Steps to schedule an alert

1. Create and validate the query in **Syntax** or **Classic** mode.
2. Click **Schedule Alert** in the top-right corner of the Threat Hunting page.
3. Configure the alert with the following details:

   | Field | Description |
   |---|---|
   | **Alert Name** | A descriptive name for the alert. Use a name that clearly identifies the threat or activity being monitored. |
   | **Run Frequency** | How often the query runs automatically (for example, every 15 minutes, hourly, or daily). |
   | **Severity** | The severity level assigned to the alert (for example, Low, Medium, High, or Critical). |
   | **Query** | The validated threat hunting query. This field is auto-populated from your current query. |
   | **Alert When Results** | The condition that triggers the alert based on the result count (for example, "greater than 0"). |

4. Click **Add Alert** to save and activate the alert.

![threat hunting schedule alerts](https://cdn.manageengine.com/products/desktop-central/help/images/threat-hunting-schedule-alerts.png)

## Incidents

Whenever an alert is raised, either directly from the Hunting Details panel or through a scheduled alert, a corresponding incident is automatically created under the **Incidents** menu. This provides a centralized view for tracking and investigating all suspicious activities detected through threat hunting.

### Incident details

From the **Incidents** page, each incident displays the following information:

| Column | Description |
|---|---|
| **Detection Source** | The origin of the detection (for example, Threat Hunting alert). |
| **Detected Time** | The date and time when the activity was detected. |
| **Severity** | The severity level inherited from the alert configuration. |
| **Alerts** | The number of alerts associated with the incident. |
| **Infected Devices** | The endpoints where the suspicious activity was detected. |
| **Incident Status** | The current status of the incident (for example, New, In Progress, Resolved). |
| **Detection Status** | Whether the detection is confirmed, under review, or dismissed. |
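The following is an added example, written for this page and not the product's scheduler or incident engine, covering the two sections above together: one run of a scheduled alert for the pattern the Scheduling section cites (a single process renaming an unusually high number of files in a short window), the **Alert When Results** comparison, and the incident record with the **Severity**, **Alerts** and **Infected Devices** fields the Incidents table describes. The data model, the threshold of 50 renames in 60 seconds, the rule that each run covers the events since the previous run, the rule that a repeat detection is attached to the still-open incident for the same alert, and the constructed events are all assumptions made for the illustration.

```python
"""Scheduled-alert evaluation and incident creation (added illustration; not the
product's scheduler). Threshold, period handling and de-duplication rule are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Any, Callable, Dict, List, Optional

Event = Dict[str, Any]


@dataclass
class ScheduledAlert:
    name: str
    run_frequency: timedelta      # "Run Frequency": each run covers events since the previous run
    severity: str                 # "Severity": inherited by the incident
    query: Callable[[List[Event]], List[Dict[str, Any]]]   # "Query": one row per hit
    alert_when_results_gt: int = 0   # "Alert When Results" greater than this count


@dataclass
class Incident:
    detection_source: str
    detected_time: datetime
    severity: str
    alerts: int
    infected_devices: List[str]
    incident_status: str = "New"
    detection_status: str = "Under Review"   # initial value is an assumption


def rename_bursts(events: List[Event], window: timedelta, threshold: int) -> List[Dict[str, Any]]:
    """One row per (device, process) that renamed at least `threshold` files inside
    any span of length `window` (sliding window over that process's sorted times)."""
    times_by_key: Dict[tuple, List[datetime]] = defaultdict(list)
    for ev in events:
        if ev["action"] == "FileRename":
            times_by_key[(ev["device"], ev["process"])].append(ev["timestamp"])
    rows = []
    for (device, process), times in times_by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                rows.append({"device": device, "process": process,
                             "renames": end - start + 1, "window_end": t})
                break
    return rows


RENAME_BURST_ALERT = ScheduledAlert(
    name="Mass file rename by a single process",
    run_frequency=timedelta(minutes=15),
    severity="Critical",
    query=lambda evs: rename_bursts(evs, window=timedelta(seconds=60), threshold=50),
    alert_when_results_gt=0,
)


def run_scheduled_alert(alert: ScheduledAlert, events: List[Event], now: datetime,
                        open_incidents: Dict[str, Incident]) -> Optional[Incident]:
    """One scheduled run: restrict to this run's period, apply the query, compare the
    result count with the alert condition, then create or extend the incident."""
    period_start = now - alert.run_frequency
    recent = [ev for ev in events if period_start <= ev["timestamp"] <= now]
    rows = alert.query(recent)
    if len(rows) <= alert.alert_when_results_gt:
        return None                                   # condition not met: no alert
    devices = sorted({row["device"] for row in rows})
    incident = open_incidents.get(alert.name)
    if incident is not None and incident.incident_status != "Resolved":
        incident.alerts += 1                          # repeat hit joins the open incident
        incident.infected_devices = sorted(set(incident.infected_devices) | set(devices))
        return incident
    incident = Incident(detection_source=f"Threat Hunting alert: {alert.name}",
                        detected_time=now, severity=alert.severity,
                        alerts=1, infected_devices=devices)
    open_incidents[alert.name] = incident
    return incident


def rename_burst_events(device: str, process: str, count: int, end_at: datetime) -> List[Event]:
    """Constructed sample data: `count` FileRename events by one process, two per
    second, finishing at `end_at`."""
    return [{"timestamp": end_at - timedelta(seconds=(count - 1 - i) // 2),
             "device": device, "process": process, "action": "FileRename",
             "filepath": rf"C:\Users\bob\Documents\doc{i}.docx.locked"}
            for i in range(count)]


NOW = datetime(2024, 5, 1, 12, 0, 0)
SAMPLE_EVENTS: List[Event] = (
    rename_burst_events("WS-007", "enc.exe", 60, NOW - timedelta(seconds=60))        # in this run
    + rename_burst_events("WS-002", "explorer.exe", 3, NOW - timedelta(seconds=10))  # below threshold
    + rename_burst_events("WS-005", "enc.exe", 60, NOW - timedelta(minutes=40))      # before this run
)

if __name__ == "__main__":
    incidents: Dict[str, Incident] = {}
    print(run_scheduled_alert(RENAME_BURST_ALERT, SAMPLE_EVENTS, NOW, incidents))
```

Two details are worth carrying over to a real scheduled alert: the run period and the query window are different things (the WS-005 burst is a true hit, but it happened before this run's period and was the previous run's job), and a per-run result count compared against **Alert When Results** says nothing about which endpoints matched, so the incident's **Infected Devices** list is where that information has to be kept.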