Get started with Threat Hunting

Provides an overview of the Threat Hunting feature.


Overview

Threat hunting is a proactive approach to cybersecurity: instead of waiting for alerts or incidents, analysts systematically search an organization's network, systems and, in this feature, backup data for indicators of compromise (IOCs) that point to an ongoing or past security threat.

The primary goal of threat hunting is to find threats that evaded traditional security controls and to shorten the attackers' dwell time within the environment. Identifying a compromise early limits the damage and lets the organization respond to the incident with better information.

Threat hunting therefore strengthens an organization's overall security posture by complementing alert-driven controls with proactive detection and response.

Key Benefits

  • Malware IOC Search: Hunt for malware indicators of compromise (IOCs) in your backed-up data (VMware, and AWS EC2 and EBS Volume workloads), and quickly identify and assess potential threats

  • Infection Scope and Timelines: See which resources and snapshots contain matches and from which point in the backup history the indicators appear, so you can pick a clean recovery point

  • Quarantine infected snapshots: Automatically quarantine infected VMware snapshots to prevent reinfection through restores and further spread of the malware


    ❗Important: Auto-quarantine and Quarantine features are not supported for AWS Workloads (EC2 and EBS Volume).


  • Rich Metadata: Use the rich metadata presented in Threat Hunting results to aid investigation and incident response workflows
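The two benefits above, an IOC search and an infection timeline across snapshots, are easier to reason about with a concrete model. The following added example is not Druva's code and says nothing about how the product scans snapshots internally; it is a stand-alone illustration that hunts a set of constructed IOCs (one SHA-256 file hash and two filename patterns, all invented for the example) over three constructed snapshot directory trees that stand in for mounted backups, and derives the affected snapshots, the first snapshot in which each IOC appears, and the last clean snapshot before the infection.

```python
"""Added example: IOC hunt across backup snapshots with a first-seen timeline (not Druva's code)."""
import hashlib
import os
import re
import tempfile

# Constructed IOC set. A real hunt would load hashes and patterns from a threat-intel feed.
DEMO_DROPPER = b"constructed sample for the example - not real malware"
IOC_HASHES = {
    hashlib.sha256(DEMO_DROPPER).hexdigest(): "demo-dropper",
}
IOC_NAME_PATTERNS = [
    (re.compile(r"\.locked$"), "encrypted-file-extension"),
    (re.compile(r"^readme_decrypt\.txt$", re.IGNORECASE), "ransom-note"),
]


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt_snapshot(root):
    """Walk one mounted snapshot and return sorted (relative_path, ioc_label) pairs for every hit."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # never follow links that could point outside the snapshot
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            label = IOC_HASHES.get(sha256_file(full))  # hash match first
            if label is None:
                for pattern, plabel in IOC_NAME_PATTERNS:  # then filename patterns
                    if pattern.search(name):
                        label = plabel
                        break
            if label is not None:
                hits.append((rel, label))
    return sorted(hits)


def infection_timeline(snapshots):
    """snapshots maps a chronologically sortable snapshot id (ISO timestamp) to its mounted root.

    Returns the affected snapshot ids, the earliest snapshot per IOC label, and the
    last clean snapshot before the first hit (the natural restore candidate)."""
    affected, first_seen, last_clean = [], {}, None
    for snap_id in sorted(snapshots):
        hits = hunt_snapshot(snapshots[snap_id])
        if hits:
            affected.append(snap_id)
            for _, label in hits:
                first_seen.setdefault(label, snap_id)
        elif not affected:
            last_clean = snap_id
    return {"affected": affected, "first_seen": first_seen, "last_clean": last_clean}


def build_demo_snapshots(base):
    """Constructed data: three snapshot trees; the dropper lands in the second, encryption in the third."""
    layout = {
        "2024-05-01T02:00Z": {"etc/hosts": b"127.0.0.1 localhost\n", "srv/report.docx": b"quarterly"},
        "2024-05-02T02:00Z": {"etc/hosts": b"127.0.0.1 localhost\n", "srv/report.docx": b"quarterly",
                               "tmp/.cache/svchost": DEMO_DROPPER},
        "2024-05-03T02:00Z": {"etc/hosts": b"127.0.0.1 localhost\n", "srv/report.docx.locked": b"\x00\x7f",
                               "srv/README_DECRYPT.txt": b"pay us", "tmp/.cache/svchost": DEMO_DROPPER},
    }
    snapshots = {}
    for snap_id, files in layout.items():
        root = os.path.join(base, snap_id.replace(":", "-"))
        for rel, content in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
        snapshots[snap_id] = root
    return snapshots


def run_demo():
    """Build the constructed snapshots in a temp dir, hunt them, and return (timeline, hits in newest snapshot)."""
    with tempfile.TemporaryDirectory() as base:
        snaps = build_demo_snapshots(base)
        timeline = infection_timeline(snaps)
        newest_hits = hunt_snapshot(snaps[max(snaps)])
    return timeline, newest_hits


if __name__ == "__main__":
    timeline, newest_hits = run_demo()
    print("affected snapshots:", timeline["affected"])
    print("first seen:", timeline["first_seen"])
    print("last clean snapshot:", timeline["last_clean"])
    print("hits in newest snapshot:", newest_hits)
```

The point of the timeline is the `last_clean` value: the dropper is present one snapshot before any file is encrypted, so restoring the snapshot just before the ransom note appears would reintroduce the dropper. That is the reinfection risk the quarantine feature guards against, and why the hunt should cover the whole retention range rather than only the latest snapshot.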

Our Solution

Threat Hunting is a security feature that gives backup administrators and infosec professionals threat hunting capabilities focused on backup data.

The following video provides an overview of the Threat Hunting feature.

With this capability, you can create and run an on-demand Threat Hunt against backed-up data to search for indicators of compromise (IOCs). It also allows auto-quarantining of the impacted snapshots.


❗Important: Threat Hunting is available with a Premium Security SKU license. Contact sales or support to procure the license.


Supported Workloads for Threat Hunting

Enterprise Workloads

  • VMware

    • Windows

      • Microsoft Windows Server 2022

      • Microsoft Windows Server 2019

      • Microsoft Windows Server 2016

      • Microsoft Windows Server 2012 R2

      • Microsoft Windows Server 2012

    • Linux

      • Red Hat Enterprise Linux (RHEL) 7.0, 7.5

      • CentOS 7.0 , 7.5

      • Ubuntu 22.04, 20.04, 18.04, 16.04, 14.04

      • SUSE Linux Enterprise Server 12, 12 SP3

    For the VMware file types supported by Threat Hunting, see Disks, partitions, and files for File Level Restore (FLR).

  • EC2

    • Windows

      • Microsoft Windows Server 2022

      • Microsoft Windows Server 2019

      • Microsoft Windows Server 2016

    • Linux

      • Red Hat Enterprise Linux (RHEL) 9.4, 9.3, 8.10

      • CentOS 8.5

      • Ubuntu 24, 22, 20

      • SUSE Linux Enterprise Server 15.6

      • Amazon Linux 2023

      • Amazon Linux 2 - 5.1

      • Debian 12

      • Oracle Linux 8.10

      • Fedora 38

  • EBS Volume Types:

    • gp3, gp2, io2, io1, sc1, st1

For more information, see Feature Support EC2.

Supported Partition Types and File Systems for AWS Workloads (EC2 and EBS Volume)

  • Partition Types

    • Primary

    • Extended

    • Logical Disk Manager (LDM)

    • Windows

      • Basic disk (Partition type: MBR/GPT)

      • Dynamic disk (Partition type: MBR. Partition can have simple or spanned volume)

      • Dynamic disk (Partition type: GPT. Partition can have all volume types)

    • Linux

      • MBR (Simple/Spanned/Mirror/Striped)

      • GPT (Simple/Spanned/Mirror/Striped)

  • File Systems

    • NTFS

    • FAT

    • FAT32

    • ext4, ext3, ext2

    • XFS

    • Btrfs
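Before relying on a hunt over an EC2 instance or EBS volume, it is worth confirming that its disks actually use the partition table and file system types listed above; a volume carrying an unlisted file system would not be covered by the hunt and the gap would not be obvious from a clean report. The following added example is not Druva's code; it checks the JSON that `lsblk -J -o NAME,TYPE,PTTYPE,FSTYPE,MOUNTPOINT` prints on the instance against the lists on this page and reports anything not in them. The sample `lsblk` document embedded in the block is constructed for the example. Note the name mapping: `lsblk` reports an MBR table as `dos` and both FAT and FAT32 as `vfat`.

```python
"""Added example: flag block devices whose partition table or file system is not in the page's supported lists."""
import json

# File systems listed on the page, in the names lsblk uses (FAT/FAT32 both appear as "vfat").
SUPPORTED_FS = {"ntfs", "vfat", "ext2", "ext3", "ext4", "xfs", "btrfs"}
# Partition table types listed on the page, in lsblk's names ("dos" is MBR).
SUPPORTED_PTTYPE = {"dos", "gpt"}
# Entries that carry no file system to scan and so are not findings.
IGNORED_FS = {None, "", "swap"}

# Constructed sample shaped like: lsblk -J -o NAME,TYPE,PTTYPE,FSTYPE,MOUNTPOINT
SAMPLE_LSBLK = r'''
{"blockdevices": [
  {"name":"nvme0n1","type":"disk","pttype":"gpt","fstype":null,"mountpoint":null,"children":[
     {"name":"nvme0n1p1","type":"part","pttype":"gpt","fstype":"vfat","mountpoint":"/boot/efi"},
     {"name":"nvme0n1p2","type":"part","pttype":"gpt","fstype":"xfs","mountpoint":"/"}]},
  {"name":"nvme1n1","type":"disk","pttype":"gpt","fstype":null,"mountpoint":null,"children":[
     {"name":"nvme1n1p1","type":"part","pttype":"gpt","fstype":"zfs_member","mountpoint":null}]},
  {"name":"nvme2n1","type":"disk","pttype":null,"fstype":"LVM2_member","mountpoint":null,"children":[
     {"name":"vg0-data","type":"lvm","pttype":null,"fstype":"ext4","mountpoint":"/data"}]}
]}
'''


def iter_devices(nodes):
    """Depth-first walk over lsblk's nested device tree (disks, partitions, LVM volumes, ...)."""
    for node in nodes:
        yield node
        yield from iter_devices(node.get("children", []))


def check_lsblk(doc):
    """Return (device_name, issue) pairs for every device outside the supported lists."""
    findings = []
    for dev in iter_devices(doc["blockdevices"]):
        pt = dev.get("pttype")
        if pt and pt not in SUPPORTED_PTTYPE:
            findings.append((dev["name"], f"partition table '{pt}' not in the supported list"))
        fs = dev.get("fstype")
        if fs not in IGNORED_FS and fs.lower() not in SUPPORTED_FS:
            findings.append((dev["name"], f"file system '{fs}' not in the supported list"))
    return findings


def check_sample():
    """Run the check over the constructed sample document."""
    return check_lsblk(json.loads(SAMPLE_LSBLK))


if __name__ == "__main__":
    import sys
    # Pipe real output in (lsblk -J -o NAME,TYPE,PTTYPE,FSTYPE,MOUNTPOINT | python3 check.py); else use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSBLK
    for name, issue in check_lsblk(json.loads(raw)):
        print(f"{name}: {issue}")
```

On the sample, the ZFS partition and the LVM physical volume are reported. LVM is simply absent from the lists on this page rather than stated as unsupported, so the finding on `nvme2n1` is a prompt to confirm coverage with support before assuming the `ext4` logical volume on it will be scanned.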

How to use Threat Hunting?

Prerequisites

Common prerequisites (Applicable to both VMware and AWS Workloads-EC2 and EBS Volume)

  • Ensure that a backup has completed successfully for every resource you want to include in the Threat Hunt job. After a successful backup, the data is prepared for threat hunting.

  • At least one resource of the workload must be Threat Hunt ready before you can create a Threat Hunt job for that workload.

Prerequisites for VMware Threat Hunting

  • The VMware backup proxy version must be 7.0.2 or higher.

  • For backup policies with CloudCache configured, only the data that has already synced to the Druva Cloud is available for Threat Hunting. Ensure the sync has completed before creating the job; otherwise the most recent snapshots are not hunted.

Prerequisites for AWS Workloads (EC2 and EBS Volume) Threat Hunting

  • For AWS Workloads (EC2 and EBS Volume), Threat Hunting applies only to resources that are backed up air-gapped to the Druva Cloud. For more information on air-gap data protection of AWS Workloads, see Airgap Data Protection of EC2 Resources.

Getting started with this feature takes four steps:

Step 1: Create a new Threat Hunt to find backed-up suspicious or malicious data.

Step 2: Monitor Threat Hunt jobs from the Threat Hunting dashboard. Use the Download Report option to analyze the scan results reported in detail.

Step 3: Auto-quarantine impacted snapshots so that they are isolated by default, which prevents accidental restores and reinfection.


❗Important: Auto-quarantine and Quarantine features are not supported for AWS workloads (EC2 and EBS Volume).


Step 4: View the Threat Hunt results using the Threat Hunting Dashboard page.

Related Keywords

threathunting

VMware

EC2
