Threat Hunting
Introduction
Threat Hunting is a security tool that detects and prevents data exfiltration (unauthorized removal of sensitive data from a computer or network) before damage occurs, helping security teams identify unusual user behavior that may indicate insider threats or ransomware attacks. Using artificial intelligence and machine learning algorithms, the system analyzes patterns to detect potential security issues, extending cyberstorage protection beyond infrastructure resiliency by adding behavioral analysis capabilities.
- Strategic Awareness - Detects anomalous behavior and suspicious access patterns, enabling earlier detection and faster response to potential threats
- Integration with Security Tools - Seamlessly interfaces with your current security infrastructure, streamlining investigations and facilitating faster incident response
- Confidence Scoring - Uses intelligent scoring to reduce false positives by providing context that helps security teams prioritize and address actual threats
- Detection of Data Exfiltration - Identifies behaviors that might indicate impending data theft, moving your posture "left of boom" (taking preventive action before an attack can cause damage) to prevent incidents
- Easy-to-Use Interface - Offers an intuitive dashboard where users can examine detected anomalies and take action without needing technical expertise
- Security Team Alignment - Designed for security professionals with workflows that address their specific requirements and operational needs
This guide will take you through the process of setting up and configuring the threat hunting module for your Eyeglass environment.
Before You Begin
Prerequisites
- ECA and Eyeglass system (ECA Setup): a working ECA and Eyeglass deployment with configured nodes. See the ECA VM Guide for setup help.
- ML Module server (ML Server Specs): a server with 4 CPU cores, 16GB RAM and 100GB storage. See the VM Guide.
Required Configuration Details
Before starting the installation, gather these essential connection and authentication parameters:
| Required Information | Description | How to Obtain |
|---|---|---|
| ML module IP address and port | Connection details for the ML server | Run `kubectl -n haproxy-controller get services` |
| ECA node IP addresses | All ECA server IPs | See the ECA management guide, or run `ecactl cluster exec hostname -I` to list all node IPs |
| Eyeglass server IP | Eyeglass management server address | Check your Eyeglass deployment documentation, or run `hostname -I` on the Eyeglass VM |
| Eyeglass token | Authentication token for API access | Generate it in the Eyeglass Integrations section |
| Eyeglass public key | RSA public key for secure communication | Run `cat /opt/superna/eca/data/common/.secure/rsa/isilon.pub` on any ECA node |
| Kafka connection info | Streaming data service details | Run `ecactl cluster exec hostname` on the ECA master to get the Kafka node hostnames |
Installation and Configuration
Configure ML Module
Configure the machine learning environment and set up threat detection parameters to optimize for your security needs.
Connect ML Module Components to ECA
Install and configure ML Module components to connect with your ECA environment, enabling data flow for threat detection.