CSSA Lesson 7 Threat Hunting - 631


There are many ways to perform threat hunting in SNYPR.

In this training, we'll cover a few threat hunting scenarios using Investigation Workbench and Spotter.

1. The Investigation Workbench helps you investigate and manage high-risk entities
using different dimensions. It gives you a visual representation of connections
between users, IP addresses, systems, activities, and other relevant data involved
in an incident, and provides the ability to drill down into every action performed
by a user.

2. In the Investigation Workbench, you can pivot around any entity, across various
objects; for example, IP address, systems, or peer groups. You can click an entity
on the dashboard, and from the list of options, select the activity or information
you want to view. You can then save and share your investigation results with
other analysts.

1. Investigation Workbench is the best tool for a one-to-many analysis. For example,
you can use the Investigation Workbench to view all of the activity accounts held
by a user across all the resource groups in your environment.

1. Use the Investigation Workbench to investigate violations that have multiple
violators or events in multiple dimensions, to find and analyze links.

1. Right click on a violator to start a new investigation.

1. Find more violations for the violator and click a violation to launch a new
search on Spotter.

1. View the Spotter search results to find additional information about the violator
and the violation.

1. Spotter is a powerful, natural-language search engine that uses normalized search
syntax and visualization techniques to provide you with the tools you need to
investigate current threats and trends, and track advanced persistent threats over
long periods of time.

1. Or edit the search results to see more activity for this account to find unusual
behavior like this spike in activity followed by no activity at all, indicating the
account is terminated.

1. Click the unusual spike in activity to see that these are all file download events,
which indicate data exfiltration before an account was terminated. Combined
with the Unusual rare process, this indicates an advanced attack might have
occurred with this account.

1. Sometimes the advanced attack has already been executed, but if you catch it in
time, you can mitigate the attack before it’s complete.

As you search Spotter, you will begin to recognize patterns and identify more
information that could be useful. You can create new fields as you search.
Each field-value pair is a single search term. Use logical operators, such as AND and
OR, to link multiple search terms together. When you use the AND operator, both
search terms must match within a document. When you use the OR operator, one of
the search terms must match within a document. Use parentheses to group search
terms so that they are processed together. A search term has the form:

Field Comparator Value (for example, Accountname = John.Doe)

In this example, Field is the attribute you want to search, Comparator is the
comparison to be applied to values of the field, and Value is the term you want to
find. Using an equals sign executes a CONTAINS search, so this search would return
only documents with the Accountname field saved as John.Doe.

The power of the Search function in Spotter lies in the use of operators to
refine and display your search result.

Search Operators tell the system how to locate, format, manipulate, and
display the data you want to see.

• Logical Operators are used to link multiple search terms together.

Example:
The Policy command searches for a specific policy to find violations. The
format supported for the date attributes to query is MM/dd/yyyy HH:mm:ss.SSS.

Syntax: <policyname> <=> <value>

Example: policyname = “Accounts visiting Algorithmically Generated Domains-1”; policyname = Logon_Failure

Streaming Operators execute an action on each document returned from
SOLR.

These include the EVAL functions. To use multiple streaming operators in a
single query, separate them by a pipe |.

Example:
The DEC operator returns the decimal value.

Syntax: EVAL (store-field) = (DEC) ( field )

Example: resourcegroupname = BCP1 | EVAL x = DEC ( bytesin ); resourcegroupname = Email_sent_to_Users |
EVAL x = DEC ( bytesin ) | EVAL y = HEX(x)

Transforming Operators form the result set into structured data for
visualizations.

Typically these are your Statistical and Charts functions.

Only a single Transformation operator is allowed per search.

Example:
The BARCHART operator represents grouped data with rectangular bars
with lengths proportionate to the values they represent.

Syntax: BARCHART <field1> <count> <by> <field2> .... <field N>

Example: resourcegroupname = BCP1 | BARCHART ipaddress; STACKED:
BARCHART ipaddress by accountname; GROUP: BARCHART ipaddress
accountname; COUNT: BARCHART count by ipaddress; STACKED with
COUNT: BARCHART count by ipaddress accountname

Data Processing Operators act on the whole result set, transformed or not.

Typically these are Order by and Where type operators.

Multiple data processing operators can be used in a single query,
separated by a pipe.

Example:
The WHERE operator returns filtered results based on the condition.

Note: The WHERE command should be used with the following comparators: >
Greater than, >= Greater than or equal to, < Less than, <= Less than or
equal to

Syntax: WHERE <count> < = > <number>

Example: WHERE count > 35; With Top & ORDERBY - resourcegroupname =
OKTA | top accountname
You can search within any index into which you have imported data. SNYPR uses the
following indexes to store data:

• By default, Spotter searches the Activity index. You may specify the index
you would like to search using the syntax:
• index = < index > <and | or> <field> = <field value>
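To make the search grammar concrete, here is an added toy evaluator (example code, not Securonix's Spotter implementation) that applies the rules described on this page, CONTAINS matching for =, AND/OR with parentheses, an index field, and pipe-separated BARCHART and WHERE stages, to a few constructed events. It assumes that AND and OR bind left to right with equal precedence, that field names are matched case-insensitively, and that only = (search terms) and the four WHERE comparators are modelled.

```python
# Added example, not Securonix/SNYPR code: a toy evaluator for the Spotter-style
# query grammar described on this page, run over constructed sample events.
import re
from collections import Counter
EVENTS = [dict(index="activity", accountname=a, resourcegroupname=r, ipaddress=ip) for a, r, ip in [
    ("John.Doe", "OKTA", "10.0.0.5"), ("John.Doe.admin", "OKTA", "10.0.0.5"),
    ("Jane.Roe", "BCP1", "10.0.0.9"), ("Jane.Roe", "OKTA", "10.0.0.9")]]  # constructed sample events
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')   # parentheses, quoted values, bare words
COMPARE = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
           "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}   # WHERE comparators from the text

def term_matches(doc, field, comp, value):
    """'=' executes a CONTAINS search on the field, as the text states; nothing else is modelled."""
    if comp != "=":
        raise ValueError(f"unsupported comparator {comp!r}")
    return value.strip('"') in str(doc.get(field.lower(), ""))   # case-insensitive field names (assumption)
def matches(doc, query):
    """Recursive descent over: term ((AND|OR) term)* with parentheses for grouping.
    Assumption: AND and OR bind left to right with equal precedence in this toy."""
    toks, pos = TOKEN.findall(query), 0
    def factor():
        nonlocal pos
        if toks[pos] == "(":
            pos += 1; val = expr(); pos += 1      # consume '(' expr ')'
            return val
        field, comp, value = toks[pos:pos + 3]; pos += 3
        return term_matches(doc, field, comp, value)
    def expr():
        nonlocal pos
        left = factor()
        while pos < len(toks) and toks[pos].upper() in ("AND", "OR"):
            op, pos = toks[pos].upper(), pos + 1
            right = factor()                      # evaluated eagerly, so pos always advances
            left = (left and right) if op == "AND" else (left or right)
        return left
    return expr()

def search(query):
    """First '|' segment is the filter; later segments are pipeline operators."""
    filt, *stages = [s.strip() for s in query.split("|")]
    result = [d for d in EVENTS if matches(d, filt)]
    for stage in stages:
        op, *args = stage.split()
        if op.upper() == "BARCHART":              # transforming operator: count by <field>
            result = Counter(d.get(args[-1].lower()) for d in result)
        elif op.upper() == "WHERE":               # data-processing operator on the counts
            comp, n = args[-2], int(args[-1])
            result = {k: v for k, v in result.items() if COMPARE[comp](v, n)}
    return result
```

Because = is a CONTAINS match, `Accountname = John.Doe` returns both John.Doe and John.Doe.admin here, which is worth remembering when a hunt query is meant to pin down one account exactly.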

1. You can search for events by clicking the datasource from the Available
Datasources list on the Spotter Summary screen.

1. You can search for events by event categorization to see events for all datasources
based on the event object, behavior, outcome, and/or the severity.

1. You can also search on an attribute to find events associated with the value.

1. From Spotter, you can search for violations in two ways:

• Search the Violations index in Spotter to find specific violations using the
syntax index = violation and policyname = “Landspeed Violation - Okta”

• Find violations on the Spotter Summary screen.

1. On the search bar, you can access other search options, including:

• Clear search query

• Save search results

• See more options

2. More Options: Use this option to access more options for searching including the
following:

• View Cached queries

• View Saved queries

• Update Cache

• Click Close to close the window and return to the current screen view

• You can filter search results by clicking an attribute from the Selected
Fields list on the left side of the search results. You’ll see a list of the
available values on which to filter.

1. Or you can click an attribute from within the search results to add the value to the
search.

1. Spotter allows analysts to save queries as widgets directly to a new or existing
Data Insights dashboard. To add a query as a widget, click the save icon and
select Save as Dashboard Widget. The Data Insights screen appears on the same
page, allowing you to quickly and conveniently save your query.

1. Sorting and filtering tools allow you to customize how you view your data, making
your search results more convenient to work with and easy to understand. When
you use the STATS, TOP, TABLE, or RARE command, Spotter enables you to display
results numerically or alphabetically in either ascending or descending order. You
can also filter a column of data to isolate the key components.

1. You can create different types of charts to visualize search results. For example,
create tables to view entities on a watchlist.

1. Create a bubble chart to compare the occurrence of user id, ip address, and
sourceaddress.

Security analysts can quickly highlight multiple points of interest at a time by viewing
data with the heat map. The heat map is a combination of nested, colored rectangles,
each representing an attribute element. The rectangles contain various shades of
colors that emphasize activity levels. Heat maps often help increase efficiency in
locating hot spots and provide the analyst with the ability to drill down into a data
set.

1. With GEOLINK, a security analyst can visualize the path between the origin and
destination of a source. This visualization is an excellent way for a security analyst
to quickly highlight areas of interest and locate hot spots that are communicating
to and from a network.

1. Spotter allows analysts to delete, import, and export saved Spotter queries. This
allows you to save frequently run queries and easily share data with other teams.

Finally, you can export search results in several file formats:
• PDF
• CSV
• XLS
• RTF
• TEXT
• DOCX
