The following article provides information about FAQ's and troubleshooting Threat Hunting issues.
What license is required for Threat Hunting?
What license is required for Threat Hunting?
Threat Hunting is available with the Premium Security SKU license.
For which workloads is Threat Hunting supported?
For which workloads is Threat Hunting supported?
This capability is supported only for VMware-backed-up resources.
Which operating systems for VMware are supported for Threat Hunting?
Which operating systems for VMware are supported for Threat Hunting?
Windows and Linux operating systems are supported. For more details, see Supported workloads for Threat Hunting.
How to use the Threat Hunting feature?
How to use the Threat Hunting feature?
It just takes 4 simple steps to use this feature:
Step 1: Create a new Threat Hunt to find backed-up suspicious or malicious data.
Step 2: Monitor Threat Hunt jobs from the Threat Hunting dashboard. Use the Download Report option to analyze the scan results reported in detail.
Step 3: Auto-quarantine impacted snapshots to isolate impacted snapshots by default to prevent accidental restores and reinfection.
Step 4: View the Threat Hunt results using the Threat Hunting Dashboard page.
What scan parameters are used for Threat Hunting?
What scan parameters are used for Threat Hunting?
File hashes (SHA1 values) and file extensions scan parameters or Indicators of Compromise (IOCs) are used to search and find malicious files within the backed up data. For more information, see Create a New Threat Hunt.
What do we mean by predefined file hashes?
What do we mean by predefined file hashes?
Predefined file hashes are SHA1 values that you have already provided in the Malicious File Scan Settings for Malicious File Scan feature.
How much time does a Threat Hunting job take to complete?
How much time does a Threat Hunting job take to complete?
The time taken to complete a Threat Hunt job depends on multiple variables, such as the Threat Hunt Scan Criteria (number of hashes, number of extensions), resources selected (number of VMs, number of backups, size of the data), and the number of matches against the scan criteria. For a typical clean scenario, the time taken is around 10-15 minutes, but it may be higher in a few corner cases.
What is the file size limit for scan using file hash scan criteria?
What is the file size limit for scan using file hash scan criteria?
Threat Hunting using file hashes are supported for files up to 100 MB in size. Some examples of files beyond 100 MB file sizes are log, evtx, evt, db, sqlite, frm, idb, mdf, pst, and ost.
What are the prerequisites for Threat Hunting for VMware?
What are the prerequisites for Threat Hunting for VMware?
Ensure that the backup is successfully completed for the required resources on which you want to run the Threat Hunt job. After the successful backup, the data is accessed for Threat Hunting readiness.
At least 1% of the total resources must be Threat Hunt ready to create a Threat Hunt job for them.
For VMware resources Threat Hunting: The VMware backup proxy version installed must be 7.0.2 or higher.
For backup policies with CloudCache configured, only the data synced to the Druva cloud is available for Threat Hunting. Ensure the data is synced.