
Introduction to the Threat Hunt Dashboard

Threat hunting is a proactive approach to cyber defence. It can be defined as the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.

The Threat Hunt Dashboard lets its users follow a structured process for proactively hunting and detecting advanced threats that have evaded the existing security controls. It is a platform for continuous monitoring of the organisation's infrastructure on the assumption that attackers have already penetrated the network.

A well-designed threat hunting approach plays a vital role in thwarting cyber attacks by detecting covert indicators of compromise (IOCs). Once IOCs are detected, a comprehensive mitigation strategy is formed using the existing incident response mechanisms.

Below are the threat hunting components featured in the Threat Hunt Dashboard of the Crystal Eye XDR. Each component is explained in detail on its own linked page:

Threat Summary

The Threat Summary is an overview dashboard for monitoring the variables that influence organisational threat hunt tasks. The data it collects supports continuous monitoring of the indicators that determine whether an imminent cyber threat exists in the network.

Threat Dashboard

The Threat Hunt Dashboard is a monitoring platform for detecting and responding to the ever-evolving cyber security threats targeted at the Crystal Eye XDR network. The Threat Hunt Dashboard provides enhanced visibility into the following aspects of the CE XDR network:

  • Events recorded by the Intrusion Detection and Prevention System (IDPS) module of the CE XDR.
  • Web Requests made from a particular device.
  • Web Requests blocked by the CE XDR's web filtering module.
  • Top Network Users (based on download and upload size measured in megabytes).
  • Top Devices (based on the number of downloaded and uploaded packets).
  • Top Network IPs (based on download size and upload size measured in megabytes).
  • Top External IPs (based on download size and upload size measured in megabytes).
  • Top Protocols (based on the traffic size associated with each protocol).
  • Top Device MAC & IP addresses (based on the traffic size associated with each device).
  • Top Protocol classification/category (based on the traffic size associated with each category).
  • Top Applications (based on the traffic size associated with each application).
  • All IDPS alerts escalated from the CE XDR.
  • All AV alerts in the CE XDR.
  • All escalated AV alerts.
  • Artificial Intelligence analysis of alerts.

Network Threat Hunting

The Network Threat Hunting section provides a network analysis platform for threat hunters and system administrators. Its holistic view of Network Activity, Protocol Activity and Application Activity supports the monitoring expected under ISO 27002:2022 (Control 8.16 Monitoring Activities).

The network activity data helps in detecting large spikes in data usage. Such abnormal spikes in network traffic, if not caused by a rise in business activity, may be due to malicious activity in the network. Application activity can be analysed to measure application-related data usage by users and devices in the network. Protocol activity provides granular visibility of the top protocols used by devices in the network.

Insights drawn from network, protocol and application activity give deep visibility into user and device behaviour, providing a baseline against which network threat hunting can measure deviations.
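The spike-against-baseline idea described above, as an added example that is not Crystal Eye XDR code: each device's own history is the baseline, and a day is flagged only when its volume is far outside that history. The record layout (device, day, megabytes downloaded), the device names and the volumes are constructed for the example; the dashboard's export format is not specified on this page. A median/MAD score is used rather than mean/standard deviation because a single huge day would otherwise inflate the baseline it is being compared against.

```python
"""Per-device traffic baseline and spike detection (added example, not CE XDR code).

Record layout (device, day, mb_down) is an assumption made for this example.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: daily download volume in megabytes for two devices over 10 days.
# "ws-17" has one abnormal day (day 8); "ws-22" is steady. Names and numbers are made up.
SAMPLES = [
    ("ws-17", 1, 820), ("ws-17", 2, 790), ("ws-17", 3, 845), ("ws-17", 4, 810),
    ("ws-17", 5, 835), ("ws-17", 6, 800), ("ws-17", 7, 815), ("ws-17", 8, 9800),
    ("ws-17", 9, 805), ("ws-17", 10, 830),
    ("ws-22", 1, 120), ("ws-22", 2, 125), ("ws-22", 3, 118), ("ws-22", 4, 122),
    ("ws-22", 5, 130), ("ws-22", 6, 119), ("ws-22", 7, 121), ("ws-22", 8, 124),
    ("ws-22", 9, 117), ("ws-22", 10, 123),
]


def modified_z_scores(values):
    """Median/MAD based scores: robust to the very outliers we are trying to find."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # Every sample is (nearly) identical; nothing stands out, so score everything 0.
        return [0.0 for _ in values]
    return [0.6745 * (v - med) / mad for v in values]


def baseline_by_device(samples):
    """Group samples per device, ordered by day, so each device is judged against itself."""
    per_device = defaultdict(list)
    for device, day, mb in samples:
        per_device[device].append((day, mb))
    return {dev: sorted(rows) for dev, rows in per_device.items()}


def find_spikes(samples, threshold=3.5):
    """Return [(device, day, mb, score)] for days abnormally high versus that device's baseline.

    Only upward deviations are returned: a device that went quiet is not a hunt lead here.
    A flagged day still has to be checked against known business activity before it is
    treated as malicious, exactly as the text above cautions.
    """
    spikes = []
    for device, rows in baseline_by_device(samples).items():
        days = [d for d, _ in rows]
        vols = [mb for _, mb in rows]
        for day, mb, z in zip(days, vols, modified_z_scores(vols)):
            if z > threshold:
                spikes.append((device, day, mb, round(z, 1)))
    return spikes


if __name__ == "__main__":
    for device, day, mb, z in find_spikes(SAMPLES):
        print(f"{device}: day {day} moved {mb} MB (score {z}); check against business activity")
```

With this data only ws-17 on day 8 is returned; ws-22's busiest day (130 MB against a median of 121.5 MB) scores about 2.3 and stays below the 3.5 threshold.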

AI and Escalation Reports

Crystal Eye XDR's AI and Escalation Reports display Escalated IDPS Alerts, AV Alerts, Escalated AV Alerts and AI Alerts, uplifting organisational threat monitoring and response capabilities.

Such monitoring and response activities, intended to find anomalies in the network through IDPS alerts, AV Alerts and AI Alerts, reduce the risk of a breach and support the monitoring expected under ISO 27002:2022 (Control 8.16 Monitoring Activities).

The human-machine teaming approach integrated into the CE XDR provides the capability to escalate anomalies detected in the IDPS alerts to Red Piranha's Security Operations Team. Similarly, AV Alerts are listed and can also be escalated; the escalated list can then be reviewed under the Escalated AV Alerts section.

Active Session

The Active Session dashboard tracks bandwidth usage by network interface and provides real-time data on the active network sessions established by end-clients in the Crystal Eye XDR network.

The bandwidth utilisation monitoring dashboard is designed to supplement threat hunt tasks whose primary goal is to detect unusual bandwidth usage caused by malware command and control (C&C) communication.

Malware that has infiltrated a network typically communicates with its command & control server repeatedly. That repeated traffic shows up in bandwidth data in two ways: as small, regularly spaced sessions (beaconing), or as unusual spikes when payloads are downloaded or data is exfiltrated. Monitoring bandwidth usage by network interface and device also highlights the top talkers in your network, giving a view of which sources consume the most.
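The two session-level checks described above, as an added example that is not Crystal Eye XDR code: ranking top talkers by bytes moved, and flagging beaconing by how regular the gaps between a host's sessions to one destination are, independent of volume. The session record layout, the hosts (RFC 5737 documentation addresses) and the timings are constructed for the example; the Active Session dashboard's export format is not specified on this page. The threshold names `min_sessions` and `max_cv` are this example's own.

```python
"""Top talkers and C&C beaconing candidates from session records (added example, not CE XDR code).

Record layout (start_epoch_seconds, src_ip, dst_ip, dst_port, bytes_out, bytes_in)
is an assumption made for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

BASE = 1_700_000_000  # arbitrary epoch origin for the constructed timestamps

# Constructed session records. Addresses are RFC 5737 documentation ranges.
SESSIONS = (
    # 10.0.0.5 contacts 203.0.113.7:443 about every 5 minutes with tiny payloads: beacon shape.
    [(BASE + t, "10.0.0.5", "203.0.113.7", 443, 600, 900)
     for t in (0, 298, 602, 901, 1199, 1503, 1798, 2102)]
    # 10.0.0.5 also browses 198.51.100.20 at irregular, human-driven times.
    + [(BASE + t, "10.0.0.5", "198.51.100.20", 443, 4_000, 50_000)
       for t in (10, 45, 400, 420, 1300, 1310, 2000)]
    # 10.0.0.9 pulls one large file: a top talker, but a single session, not a beacon.
    + [(BASE + 500, "10.0.0.9", "198.51.100.50", 443, 20_000, 850_000_000)]
)


def top_talkers(sessions, n=5):
    """Rank internal sources by total bytes moved in both directions."""
    totals = defaultdict(int)
    for _, src, _, _, out_b, in_b in sessions:
        totals[src] += out_b + in_b
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def beacon_candidates(sessions, min_sessions=6, max_cv=0.15):
    """Flag (src, dst, port) tuples whose session start times are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive sessions: a beacon with a little jitter scores near 0, human browsing
    scores near or above 1. Byte counts are ignored on purpose: beacons are small, so a
    volume-only view (top talkers) would never surface them.
    Returns [((src, dst, port), period_seconds, cv)].
    """
    starts = defaultdict(list)
    for ts, src, dst, port, _, _ in sessions:
        starts[(src, dst, port)].append(ts)
    hits = []
    for key, ts_list in starts.items():
        if len(ts_list) < min_sessions:
            continue  # too few samples to judge regularity
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        period = mean(gaps)
        if period == 0:
            continue  # duplicate timestamps only; no interval to measure
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            hits.append((key, round(period), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, total in top_talkers(SESSIONS):
        print(f"{src:<12} {total / 1e6:10.1f} MB")
    for (src, dst, port), period, cv in beacon_candidates(SESSIONS):
        print(f"beacon? {src} -> {dst}:{port} every ~{period}s (cv={cv})")
```

Run together, the two views complement each other: the top talker is 10.0.0.9 (one 850 MB transfer), while the only beaconing candidate is 10.0.0.5 to 203.0.113.7:443 with a period of about 300 s, a host that would rank last by volume. Long-period beacons need a correspondingly longer capture window before `min_sessions` is reached.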