Hunting Settings
All settings related to classification and threat intelligence synchronization are configured in this section.
Classification Engine Settings: This section allows users to change time intervals for data collection synchronization of classification rules. Users can configure the next run time for specific intervals.
Threat Intel Artifact Sync Settings: This section allows users to change time intervals for notification settings synchronization, event log and Sysmon rules synchronization, Windows security controls synchronization, threat intel artifact synchronization, and asset categories synchronization.
Threat Intel Rule Sync Settings: This section allows users to change time intervals for threat intel rule synchronization, remediation function synchronization, Windows forensic (YARA rules) analysis synchronization, Windows threat monitor rules synchronization, and Windows object and honeypot access rules synchronization.
Asset & Threat Analysis Settings: This section allows users to change time intervals for threat detection rules and synchronization, Windows threat monitoring and asset health and threat analysis synchronization.
Forensic Analysis Settings: This section allows users to change time intervals for Windows forensics analysis settings.
GRC Settings: This section allows users to change time intervals for GRC settings.
Security Control Synchronization Settings: This section allows users to change time intervals for security control frameworks, benchmarks and control types synchronization settings.
Windows Command Templates Synchronization Settings: This section allows users to change the time interval for Windows command template synchronization.
Enrichment Settings: This section allows users to enable or disable portal features and change the artifact enrichment interval. It is recommended to leave these settings at their default values.
Agent & Sensor Settings: This section allows users to edit agent and sensor settings by changing event log and Sysmon settings. Users can also change the default intervals for specific usage.
Visualizer Queries: This section allows users to create custom visualizer queries such as powershell-cmd activities, RDP queries, sensitive commands, etc. To create a new query, users must assign a name, a description that explains the query, and a base query. Default queries can also be cloned, edited, and deleted.
Time-Based Analysis Queries: This section allows users to create custom queries for time-based analysis. Once a query is created, users can see the result by clicking the "Visualizer" button. Default queries can also be cloned, edited, and deleted.
Windows Security Software Settings: This section allows users to create or change the software info. By default, the portal searches for security software using the default settings. However, if a vendor changes a software name or new software is released, users can edit the existing rule, clone an existing one, or create new software info by clicking the "+Software" button.