Threat Hunting
Introduction
Threat Hunting is an Eyeglass module that detects data exfiltration (unauthorized removal of sensitive data from a computer or network) and helps stop it before damage occurs, surfacing unusual user behavior that may indicate an insider threat or a ransomware attack. It uses machine learning to analyze user and access patterns for potential security issues, extending cyberstorage protection beyond infrastructure resiliency by adding behavioral analysis.
- Strategic Awareness - Detects anomalous behavior and suspicious access patterns, enabling earlier detection and faster response to potential threats
- Integration with Security Tools - Seamlessly interfaces with your current security infrastructure, streamlining investigations and facilitating faster incident response
- Confidence Scoring - Uses intelligent scoring to reduce false positives by providing context that helps security teams prioritize and address actual threats
- Detection of Data Exfiltration - Identifies behaviors that might indicate impending data theft, moving your posture "left of boom" (taking preventive action before an attack can cause damage) to prevent incidents
- Easy-to-Use Interface - Offers an intuitive dashboard where users can examine detected anomalies and take action without needing technical expertise
- Security Team Alignment - Designed for security professionals with workflows that address their specific requirements and operational needs
This guide will take you through the process of setting up and configuring the threat hunting module for your Eyeglass environment.
Before You Begin
The Threat Hunting module runs on an additional VM, separate from the Eyeglass and ECA appliances.
Prerequisites
- ECA and Eyeglass system: a working ECA and Eyeglass deployment with configured nodes. See the ECA VM Guide for setup help.
- ML Module server: a VM with 4 CPU cores, 16 GB RAM and 100 GB storage. See the ECA VM Guide for VM setup instructions.
If you are installing the Threat Hunting module on Eyeglass version 2.12, comment out the following element in both Eyeglass SCA configuration files, conf/sync.xml and data/sync.xml, then restart the SCA. Wrap the element in an XML comment (<!-- ... -->) rather than deleting it, so it can be restored later:
<THEventRetriever IsEnabled="true" IsConfigurable="true" Label="Threat Hunting Task" combine.self="OVERRIDABLE">1 23 * */12 *</THEventRetriever>
To restart the SCA service after making these changes:
- SSH to the Eyeglass appliance as the admin user.
- Switch to the root user (enter the admin password when prompted):
  sudo -s
- Restart the SCA service:
  systemctl restart sca
- Verify that the service is active again:
  systemctl status sca.service
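The edit-and-verify steps above can be scripted so that the element is wrapped in an XML comment consistently in both files, with a backup kept and a check that the active element is really gone before the SCA is restarted. The following is an added example, not Superna's own tooling; the sample sync.xml it builds is constructed for demonstration (a real file holds many other elements, which the script leaves untouched), and the location of the SCA directory is not given on this page, so pass the paths to conf/sync.xml and data/sync.xml explicitly.

```shell
#!/usr/bin/env bash
# Added example, not Superna's own tooling: comment out the THEventRetriever
# element in an Eyeglass SCA sync.xml so the Threat Hunting task is disabled
# before the SCA restart. The sample XML below is constructed; a real sync.xml
# holds many other elements, which this script leaves untouched.
set -euo pipefail

# make_sample FILE: write a constructed sync.xml fragment for demonstration.
make_sample() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<sync>
  <THEventRetriever IsEnabled="true" IsConfigurable="true" Label="Threat Hunting Task" combine.self="OVERRIDABLE">1 23 * */12 *</THEventRetriever>
</sync>
EOF
}

# th_is_disabled FILE: succeeds when no active (uncommented) THEventRetriever
# element remains at the start of a line.
th_is_disabled() {
  ! grep -qE '^[[:space:]]*<THEventRetriever' "$1"
}

# comment_out_th FILE: wrap the single-line THEventRetriever element in an XML
# comment, keeping a timestamped backup. Safe to run twice: the second run is a
# no-op. Returns 1 if the element is not present at all, so a typo in the path
# or an already-edited file does not pass silently.
comment_out_th() {
  local f="$1" tmp
  [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
  if grep -qE '<!--[[:space:]]*<THEventRetriever' "$f"; then
    echo "$f: THEventRetriever already commented out"
    return 0
  fi
  if ! grep -q '<THEventRetriever' "$f"; then
    echo "$f: no THEventRetriever element found" >&2
    return 1
  fi
  cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
  tmp="$(mktemp)"
  # Match the whole element on one line and wrap it; indentation is preserved.
  # The cron string inside contains "*/", which is legal in an XML comment
  # (only "--" is forbidden there).
  sed -E 's|^([[:space:]]*)(<THEventRetriever[^<]*</THEventRetriever>)[[:space:]]*$|\1<!-- \2 -->|' "$f" > "$tmp"
  cat "$tmp" > "$f"     # overwrite in place so ownership and mode are kept
  rm -f "$tmp"
  th_is_disabled "$f"
}

# Demo on a constructed file. On the appliance, run comment_out_th against
# conf/sync.xml and data/sync.xml under the SCA directory, then restart the SCA.
demo="$(mktemp -d)/sync.xml"
make_sample "$demo"
comment_out_th "$demo"
comment_out_th "$demo"        # second run reports "already commented out"
th_is_disabled "$demo" && echo "Threat Hunting task disabled in $demo"
```

Run it as root on the appliance for both files, confirm it reports the element as disabled in each, and only then run systemctl restart sca; the .bak copy lets you restore the original schedule if the module is later removed.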
Required Configuration Details
Before starting the installation, gather these connection and authentication parameters:
| Required Information | Description | How to Obtain |
|---|---|---|
| ML module IP address and port | Connection details for the ML server | Run kubectl -n haproxy-controller get services |
| ECA node IP addresses | IP addresses of all ECA nodes | See the ECA management guide, or run ecactl cluster exec hostname -I to list all node IPs |
| Eyeglass server IP | Eyeglass management server address | Check your Eyeglass deployment documentation, or run hostname -I on the Eyeglass VM |
| Eyeglass token | Authentication token for API access | Generate it in the Eyeglass Integrations section |
| Eyeglass public key | RSA public key for secure communication | Run cat /opt/superna/eca/data/common/.secure/rsa/isilon.pub on any ECA node |
| Kafka connection info | Streaming data service details | Run ecactl cluster exec hostname on the ECA master to get the Kafka node hostnames |
Treat the Eyeglass token as a credential: keep it in a secrets store or in a file readable only by the installing user, not in shared notes or tickets, and regenerate it if it is exposed.
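Before running the installer it is worth checking the gathered values offline, since a wrong octet, an out-of-range port, or the private key copied in place of isilon.pub is far easier to catch now than after the ML module fails to connect. The following pre-flight check is an added example and not Superna's tooling; the argument names and the demo values are assumptions, and nothing in it contacts the ECA, Eyeglass or the ML server.

```shell
#!/usr/bin/env bash
# Added example, not Superna's own tooling: sanity-check the values gathered
# for the ML module install before touching any system. Argument names and the
# demo values are assumptions; nothing here contacts the ECA, Eyeglass or the
# ML server.

# valid_ipv4 ADDR: succeeds for a dotted quad whose octets are all 0-255.
valid_ipv4() {
  local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$' o
  [[ "$1" =~ $re ]] || return 1
  for o in "${BASH_REMATCH[@]:1}"; do
    [ "$o" -le 255 ] || return 1
  done
}

# valid_port N: succeeds for an integer in 1..65535.
valid_port() {
  [[ "$1" =~ ^[0-9]+$ ]] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# looks_like_pubkey FILE: succeeds if the first line is a PEM or OpenSSH public
# key header. This catches the common mistake of copying the private key
# (-----BEGIN RSA PRIVATE KEY-----) instead of the .pub file.
looks_like_pubkey() {
  [ -r "$1" ] || return 1
  head -n1 "$1" | grep -qE '^(-----BEGIN (RSA )?PUBLIC KEY-----|ssh-rsa )'
}

# preflight ML_IP ML_PORT EYEGLASS_IP TOKEN PUBKEY_FILE ECA_NODE_IP...
# Prints one line per failed check and returns the failure count (0 = ready).
# The token is never echoed; it is only checked for presence.
preflight() {
  local ml_ip="$1" ml_port="$2" eg_ip="$3" token="$4" pub="$5"
  shift 5
  local fails=0 node
  valid_ipv4 "$ml_ip"      || { echo "ML module IP is not a valid IPv4 address: $ml_ip"; fails=$((fails+1)); }
  valid_port "$ml_port"    || { echo "ML module port is out of range: $ml_port"; fails=$((fails+1)); }
  valid_ipv4 "$eg_ip"      || { echo "Eyeglass IP is not a valid IPv4 address: $eg_ip"; fails=$((fails+1)); }
  [ -n "$token" ]          || { echo "Eyeglass token is empty"; fails=$((fails+1)); }
  looks_like_pubkey "$pub" || { echo "not a readable public key file: $pub"; fails=$((fails+1)); }
  [ "$#" -ge 1 ]           || { echo "no ECA node IPs supplied"; fails=$((fails+1)); }
  for node in "$@"; do
    valid_ipv4 "$node"     || { echo "ECA node IP is not a valid IPv4 address: $node"; fails=$((fails+1)); }
  done
  return "$fails"
}

# Demo with constructed values; substitute the ones from the table above.
demo_key="$(mktemp)"
printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'constructed-placeholder-not-a-real-key' '-----END PUBLIC KEY-----' > "$demo_key"
rc=0
preflight 10.0.0.5 30443 10.0.0.2 "example-token" "$demo_key" 10.0.0.11 10.0.0.12 || rc=$?
echo "pre-flight problems found: $rc"
```

Pass the token through an environment variable or a prompt rather than on the command line in a shared shell history; the check only needs to know that it is non-empty.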
Installation and Configuration
Configure ML Module
Configure the machine learning environment and set up threat detection parameters to optimize for your security needs.
Connect ML Module Components to ECA
Install and configure ML Module components to connect with your ECA environment, enabling data flow for threat detection.