An Introduction To Threat Hunting & Log Analysis
Welcome to an introduction to threat hunting and log analysis. In this webinar, we are going to use a capture-the-flag scenario to introduce you to the fundamental concepts of threat hunting.
In this scenario, our host (Corey Thuen) has been sought out as an expert to help an organization investigate a potential breach.
The threat hunting team lead has a hypothesis that the attackers were able to obtain access through the SSH daemon in April.
It is our task to test that hypothesis and provide a report of activity during that period.
As part of this webinar we will walk through the analysis of the logs using the Gravwell platform and determine:
- How many entries are there for this period?
- How many failed entries are there for this period?
- Provide a time series bar chart of users who have successfully logged in during this time and the query used to generate it.
- Provide a geographical map of all login attempts (successful or not) during this time and the query used to generate it. (our network enrichment kit will help)
- How many successful logins occurred during this period?
- Provide a stack graph chart of the count of successful authorizations by accounts and their login methods.
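The six questions above are all aggregations over the same sshd authentication events. As an added illustration, not part of the webinar or the Gravwell product, the following Python script parses a constructed sample of OpenSSH auth.log lines and computes each answer in plain code: total entries, failed and successful counts, per-user hourly buckets for the bar chart, attempts per country for the map, and account-by-method counts for the stack chart. The geolocation table and the year assigned to the year-less syslog timestamps are assumptions standing in for the network enrichment kit and the April window; the final function is the hypothesis check a hunter would run, listing sources that failed and later succeeded.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (not real data) from the April window.
SAMPLE_LOG = """\
Apr  3 10:15:22 bastion sshd[1201]: Accepted password for alice from 203.0.113.5 port 51234 ssh2
Apr  3 10:16:01 bastion sshd[1207]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Apr  3 10:16:04 bastion sshd[1207]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Apr  3 11:02:45 bastion sshd[1302]: Accepted publickey for bob from 192.0.2.9 port 50000 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Apr  4 02:40:10 bastion sshd[1410]: Failed password for root from 198.51.100.7 port 40100 ssh2
Apr  4 02:41:55 bastion sshd[1418]: Accepted password for deploy from 198.51.100.7 port 40112 ssh2
Apr  4 09:12:33 bastion sshd[1522]: Accepted publickey for alice from 203.0.113.5 port 52000 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Apr  4 09:13:00 bastion sshd[1530]: Disconnected from user alice 203.0.113.5 port 52000
"""

# Matches sshd authentication outcome lines; other sshd lines (disconnects etc.) are
# still log entries but carry no auth result.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Assumed stand-in for the geolocation enrichment lookup (constructed values).
GEO_TABLE = {"203.0.113.5": "US", "198.51.100.7": "BR", "192.0.2.9": "DE"}


def parse_auth_events(text, year=2021):
    """Turn auth outcome lines into dicts. Syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def count_entries(text):
    """Question 1: every sshd entry in the window, auth outcome or not."""
    return sum(1 for line in text.splitlines() if "sshd[" in line)


def count_failed(events):
    """Question 2: failed authentication attempts."""
    return sum(1 for e in events if e["result"] == "Failed")


def count_successful(events):
    """Question 5: successful logins."""
    return sum(1 for e in events if e["result"] == "Accepted")


def successful_logins_by_user_and_hour(events):
    """Question 3: hourly buckets per user, the series behind a time-series bar chart."""
    series = defaultdict(Counter)
    for e in events:
        if e["result"] == "Accepted":
            series[e["user"]][e["ts"].strftime("%Y-%m-%d %H:00")] += 1
    return {user: dict(c) for user, c in series.items()}


def attempts_by_country(events, geo=GEO_TABLE):
    """Question 4: all attempts, successful or not, grouped by enriched location."""
    return Counter(geo.get(e["ip"], "UNKNOWN") for e in events)


def successes_by_user_and_method(events):
    """Question 6: account -> login method -> count, the data for a stack chart."""
    stack = defaultdict(Counter)
    for e in events:
        if e["result"] == "Accepted":
            stack[e["user"]][e["method"]] += 1
    return {user: dict(c) for user, c in stack.items()}


def sources_with_failure_then_success(events):
    """Hypothesis check: sources that failed and later got an Accepted, the trace a
    guessed or stuffed credential leaves behind. Each hit needs follow-up, not a verdict."""
    first_failure, hits = {}, set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "Failed":
            first_failure.setdefault(e["ip"], e["ts"])
        elif e["ip"] in first_failure and first_failure[e["ip"]] < e["ts"]:
            hits.add(e["ip"])
    return hits


if __name__ == "__main__":
    ev = parse_auth_events(SAMPLE_LOG)
    print("entries:", count_entries(SAMPLE_LOG))
    print("failed:", count_failed(ev), "successful:", count_successful(ev))
    print("by user/hour:", successful_logins_by_user_and_hour(ev))
    print("by country:", dict(attempts_by_country(ev)))
    print("by user/method:", successes_by_user_and_method(ev))
    print("failed-then-success sources:", sources_with_failure_then_success(ev))
```

Each function returns the table a chart would be drawn from rather than drawing it, so the same counts can be checked against whatever the Gravwell queries produce during the webinar; the failure-then-success list is only a lead, since a legitimate user mistyping a password before succeeding leaves the identical pattern.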
Using our findings, we will complete the CTF scenario to:
- Confirm or reject the threat hunting hypothesis.
- If confirmed, we will provide evidence of compromise.
- If rejected, we will provide evidence or searches backing that conclusion.