Overview
Threat Hunting is a comprehensive security feature that empowers infosec and backup administrators with advanced threat detection and scanning capabilities.
With this capability, you can create a new Threat Hunt and initiate an on-demand scan job for backed-up data to search for indicators of compromise (IOCs) and identify malicious files. You can quarantine the snapshots with malicious files to prevent further damage.
The feature accepts file hashes and file extensions as scan parameters, that is, as Indicators of Compromise (IOCs), and searches the backed-up data for files that match them.
❗Important: Check the prerequisites before you begin creating a new threat hunt.
The following graphic provides an overview of Threat Hunting steps:
Procedure
To create a new threat hunt job, perform the following steps:
From the DCP dashboard, go to the Global Navigation menu -> Ransomware Recovery.
Select Threat Hunting from the left navigation menu.
On the Threat Hunting landing page, click New Threat Hunt to create a new Threat Hunt job.
On the Threat Details page, enter the following details:
Threat Hunt Name
Description (Optional)
In the Scan Criteria section, specify the scan parameters as per your requirement and then click Next.
Scan for file hashes: Enable this option to scan files based on their file hashes. You can provide custom file hashes, use predefined file hashes, or both.
Select the Specify file hashes checkbox and enter the custom SHA-1, SHA-256, or MD5 values, either typed in or copy-pasted. To import a large number of SHA-1, SHA-256, or MD5 values, use the Import via CSV option.
Scan with predefined file hashes: Select this option to scan based on predefined file hashes. Predefined file hashes are the SHA-1 values you have already provided in the Restore Scan Settings for the Restore Scan feature.
Scan for file extensions: Enable this option to scan files based on their extensions.
Select the Specify file extensions checkbox and enter the custom file extensions to scan for. You can type in or copy-paste file extensions.
You can obtain the file hashes or file extensions from a security advisory.
On the Resources tab, select the Resource Type to scan. From the list of resources displayed, select the threat hunt-ready resources (Virtual Machines/EC2 and EBS Volume) that you want to scan. Specify the following details and click Search.
For VMware -
Select Organization
Select vCenter/ESXi Host
Enter Virtual Machine details
For EC2 -
Select Organizations
Select AWS Accounts
Select Region. You can choose a specific region or all regions as per your requirements.
Select Match. You can select either of the following match criteria - Resource Name or Tags.
In case of the Resource Name match criteria, select resources from the list.
In case of the Tags match criteria, select the required tags from the list.
For more information, see <Link to EC2 documentation>
In the Snapshots to Scan section, specify a date range for scanning snapshots of the selected resources. The range must not exceed 60 days. Threat Hunting supports a maximum of 500 resources.
Click Next.
On the Actions tab, enable the Auto Quarantine option to automatically quarantine all snapshots containing malicious files within the specified date range. This option applies only to the VMware resource type.
Click Finish. Your new Threat Hunt job is initiated and queued. The details are available on the Threat Hunting dashboard page.
Things to consider
Threat Hunting using file hashes is supported for files up to 100 MB in size. Files such as log, evtx, evt, db, sqlite, frm, idb, mdf, pst, and ost are always excluded, regardless of their size, because their contents change constantly.
After the feature is enabled, the initial Threat Hunting configuration for a virtual machine of 500 GB to 1 TB may take several hours to a day.
VMware: For backup policies with CloudCache configured, only the data synced to the Druva cloud is available for Threat Hunting.
The time taken to complete a Threat Hunt job depends on multiple variables, such as the Threat Hunt Scan Criteria (number of hashes, number of extensions), the resources selected (number of resources, number of backups, size of the data), and the number of matches against the scan criteria. For a typical clean scenario, the scan takes around 10-15 minutes, but it can be longer in a few corner cases.
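To make the scan criteria above and the exclusion rules under Things to consider concrete, here is an added Python example that is not Druva's code: it parses a hash list (one hash per line is an assumed import format, not necessarily the CSV layout the product expects), classifies each value as MD5, SHA-1, or SHA-256 by length, and applies the same matching rules to a constructed sample directory, skipping the permanently excluded file types and files over 100 MB. The file names and the ".locked" extension are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

MAX_HASH_BYTES = 100 * 1024 * 1024  # page: hash matching covers files up to 100 MB
ALWAYS_EXCLUDED = {"log", "evtx", "evt", "db", "sqlite", "frm", "idb", "mdf", "pst", "ost"}
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm

def load_ioc_hashes(text):
    """One hash per line (assumed import format); group by algorithm, reject anything else."""
    iocs = {"md5": set(), "sha1": set(), "sha256": set()}
    for line in text.splitlines():
        value = line.strip().strip('"').lower()
        if not value or value.startswith("#"):
            continue
        algo = HASH_ALGOS.get(len(value))
        if algo is None or set(value) - set("0123456789abcdef"):
            raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {value!r}")
        iocs[algo].add(value)
    return iocs

def scan_tree(root, iocs, extensions):
    """Return [(file name, reason)] for files matching an IOC hash or a listed extension."""
    wanted = {e.lower().lstrip(".") for e in extensions}
    hits = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        ext = path.suffix.lower().lstrip(".")
        if ext in ALWAYS_EXCLUDED:
            continue  # constantly changing file types are never scanned
        if ext in wanted:
            hits.append((path.name, f"extension .{ext}"))
            continue
        if path.stat().st_size > MAX_HASH_BYTES:
            continue  # above the size limit, hash matching is not applied
        data = path.read_bytes()  # bounded by MAX_HASH_BYTES, so in-memory hashing is acceptable
        for algo, values in iocs.items():
            if values and hashlib.new(algo, data).hexdigest() in values:
                hits.append((path.name, f"{algo} match"))
                break
    return hits

def demo():
    """Constructed sample tree: one hash hit, one extension hit, one excluded .log twin."""
    tmp = Path(tempfile.mkdtemp())
    sample = b"constructed malicious sample"
    (tmp / "dropper.bin").write_bytes(sample)
    (tmp / "app.log").write_bytes(sample)       # same bytes, but .log is always excluded
    (tmp / "invoice.locked").write_bytes(b"x")  # ".locked" stands in for an advisory's extension
    iocs = load_ioc_hashes(hashlib.sha256(sample).hexdigest() + "\n")
    return scan_tree(tmp, iocs, [".locked"])
```

Running demo() reports the hash hit on dropper.bin and the extension hit on invoice.locked, while app.log is skipped despite containing the same bytes.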
Next Steps
The Threat Hunting dashboard page allows you to monitor the status of threat hunt jobs. After completing a threat hunt job, you can Download a Report for further investigation.
Related Keywords
threathunting
VMware
EC2
EBS Volume