Overview
Threat Hunting is a comprehensive security feature that empowers infosec and backup administrators with advanced threat detection and scanning capabilities.
With this capability, you can create a new Threat Hunt and initiate an on-demand scan job for backed-up data to search for indicators of compromise (IOCs) and identify malicious files. You can quarantine the snapshots with malicious files to prevent further damage.
This feature supports SHA1 file hashes and file extensions as scan parameters or Indicators of Compromise (IOCs) to search for and find malicious files within the backed up data.
❗Important: Check the prerequisites before you begin creating a new threat hunt.
The following graphic provides an overview of Threat Hunting steps:
Procedure
To create a new threat hunt job, perform the following steps:
Log in to Cloud Platform (DCP) Console.
On the DCP Console dashboard, under Cyber Resilience, click Threat Hunting.
On the Threat Hunting landing page, click New Threat Hunt to create a new Threat Hunt job.
On the Threat Details page, enter the following details:
Threat Hunt Name
Description (Optional)
In the Scan Criteria section, specify the scan parameters as per your requirement and then click Next.
Scan for file hashes: Enable this option to scan files based on their SHA1 file hashes. You can choose to provide custom file hashes or use predefined file hashes
Select the Specify file hashes checkbox and enter the custom SHA1 values. You can type in or copy-paste SHA1 values. To import a large number of SHA1 values, use the Import via CSV option.
Scan with predefined file hashes: Select this option to allow scan based on predefined file hashes. Predefined file hashes are SHA1 values that you have already provided in the Malicious File Scan Settings for Malicious File Scan feature.
Scan for file extensions: Enable this option to scan files based on their extensions.
Select the Specify file extensions checkbox and enter the custom file extensions for scan. You can type in or copy-paste file extensions.
On the Resources tab, select the resources to scan. Click to search for resources. Specify the following details and click Search.
Select Organization
Select VCentre/ESxi Host
Enter Virtual Machine details
From the list of resources displayed, select the threat hunt ready resources (Virtual Machines) that you want to scan.
In the Snapshots to Scan section, specify a date range for scanning snapshots for the selected resources. The range should not exceed 60 days. Threat hunting supports 500 resources.
Click Next.
On the Actions tab, enable the Auto Quarantine option to automatically quarantine all snapshots containing malicious files within the specified date range.
Click Finish. Your new Threat Hunt job is initiated and queued. The details are available on the Threat Hunting dashboard page.
Things to consider
Threat Hunting using file hashes are supported for files up to 100 MB in size. Files such as log, evtx, evt, db, sqlite, frm, idb, mdf, pst, and ost are permanently excluded regardless of their sizes due to their nature of constant change.
When enabled, the Threat Hunting feature's initial configuration may take several hours to a day for a virtual machine with a size of 500 GB to 1 TB.
For backup policies with CloudCache configured, only the data synced to the Druva cloud is available for Threat Hunting.
The time taken to complete a Threat Hunt job depends on multiple variables, such as the Threat Hunt Scan Criteria (number of hashes, number of extensions), resources selected (number of VMs, number of backups, size of the data), and the number of matches against the scan criteria. For a typical clean scenario, the time taken is around 10-15 minutes, but it may be higher in a few corner cases.
Next Steps
The Threat Hunting dashboard page allows you to monitor the status of threat hunt jobs. After completing a threat hunt job, you can Download a Report for further investigation.