Threat hunting
Plixer One Enterprise can enhance any team’s threat-hunting capabilities by providing them with centralized access to rich, contextualized data accounting for every host and conversation in a network.
Through Plixer Scrutinizer, Plixer One Enterprise is also able to provide real-time alerts for generic malware and other anomalous traffic/activity, drive efficient workflows with its purpose-built UI, and integrate multiple threat intelligence functions. This gives teams the ideal starting point for their threat-hunting operations.
Overview
Plixer Scrutinizer plays two integral roles as part of a security team’s threat-hunting program:
- Collects traffic and host data for the entire environment (including assets in the cloud), storing hundreds of thousands of data points for investigations
- Provides centralized access to all available data through various contextual views and reporting functions
This allows SecOps teams to efficiently search through and analyze device-level behavior and host conversations for suspicious activity and potential threats. Historical data can also be accessed readily to hunt for indicators of attack (IoA).
Visibility and workflow enhancements
Security teams using Plixer One Enterprise can leverage the following functions and features to hunt for threats:
- Alarm Monitor
The Alarm Monitor provides real-time alerts for anomalous behavior and other network activity that violates Plixer Scrutinizer Alarm Policies. It functions both as a monitoring view for suspicious traffic and as an interface for drilling into activity timelines, individual Event artifacts, and related details.
- Customized reports
To further investigate Alarms/Events, users are able to run reports that can be tailored to their exact visibility requirements. These reports can also be used to drill deeper into specific data elements to identify infected hosts or malicious activity.
- Configurable detection mechanisms
Configuration options for Flow Analytics algorithms and the Plixer ML Engine allow users to tailor Plixer Scrutinizer’s monitoring and detection functions to their specific requirements. This ensures that detections are always relevant and can greatly reduce investigation/response times for security teams.
Note
Plixer One Enterprise includes additional detection techniques and mechanisms for security events.
- Host indexing
With the Host Indexing FA algorithm enabled, a user is able to look up any IP address, find out whether or not the host has been seen on their network, and explore all activity associated with it. From the search results, the user can pivot directly to any applicable report and further investigate anomalous traffic originating from or targeting the host.
See also
For additional details on incident response workflows with Plixer Scrutinizer, see this use case.
Workflows
The following workflows are sample scenarios where the functions/features bundled with Plixer Scrutinizer are used in threat-hunting activities: