Today we announced the availability of Exabeam Threat Hunter, a new product that raises the bar for the UBA market. While UBA is focused on using data science to notify an analyst about users who deserve attention, Threat Hunter completes the picture by giving an analyst the ability to query, pivot, and drill down into user sessions that match any combination of attributes and activities. In short, if UBA is about the machine telling the analyst what to watch, Threat Hunter is about the analyst telling the machine what to find.
In the example above, a SOC analyst is concerned that a recent malware attack in the marketing department might not be completely removed. The analyst begins by using Threat Hunter to ask for every Marketing user who recently tried to perform account management (account creation, privilege escalation) and also had failed logons or an account lockout. Threat Hunter quickly returns all user sessions that fit the criteria, below:
The analyst filters the result set further by also asking for sessions where the password was recently changed. We see a web developer in the marketing group with many recent failed logons, account management activity, and password changes.
Clicking on this session makes Threat Hunter instantly display the activities within this employee’s session, the reasons behind the risk elevation, and her baseline behavior. For example, on the right we can see the times she is normally in the office and working. Taken together, the results show a user whose account has likely been compromised and is being used for data exfiltration or in preparation for some other attack.
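To make the two-step hunt concrete, here is an added example (not Exabeam code) that rolls constructed log events into per-session summaries and then applies the analyst's criteria: Marketing users with account management activity and failed logons or a lockout, then narrowed to sessions that also changed a password. The field names and event types are assumptions chosen for the example, not Threat Hunter's schema.

```python
# Constructed sample events (not real data): one record per normalised log line.
EVENTS = [
    {"user": "j.doe", "dept": "Marketing", "session": "s1", "event": "failed-logon"},
    {"user": "j.doe", "dept": "Marketing", "session": "s1", "event": "failed-logon"},
    {"user": "j.doe", "dept": "Marketing", "session": "s1", "event": "account-create"},
    {"user": "j.doe", "dept": "Marketing", "session": "s1", "event": "password-change"},
    {"user": "a.lee", "dept": "Marketing", "session": "s2", "event": "account-lockout"},
    {"user": "a.lee", "dept": "Marketing", "session": "s2", "event": "privilege-escalation"},
    {"user": "b.kim", "dept": "Finance",   "session": "s3", "event": "failed-logon"},
    {"user": "b.kim", "dept": "Finance",   "session": "s3", "event": "account-create"},
    {"user": "c.ray", "dept": "Marketing", "session": "s4", "event": "password-change"},
]

# Activity groups the analyst can combine; names are assumed for this example.
ACCOUNT_MGMT = {"account-create", "privilege-escalation"}
AUTH_FAILURE = {"failed-logon", "account-lockout"}
PASSWORD_CHANGE = {"password-change"}


def build_sessions(events):
    """Roll raw events up into per-session summaries: user, department,
    the set of activity types seen, and a count of failed logons."""
    sessions = {}
    for e in events:
        s = sessions.setdefault(e["session"], {"user": e["user"], "dept": e["dept"],
                                               "activities": set(), "failed_logons": 0})
        s["activities"].add(e["event"])
        if e["event"] == "failed-logon":
            s["failed_logons"] += 1
    return sessions


def hunt(sessions, dept=None, require=()):
    """Return ids of sessions matching every criterion: an optional department,
    and for each activity group in `require` at least one activity of that group
    seen in the session (groups are ANDed, activities within a group are ORed)."""
    hits = []
    for sid, s in sorted(sessions.items()):
        if dept is not None and s["dept"] != dept:
            continue
        if all(s["activities"] & group for group in require):
            hits.append(sid)
    return hits


def marketing_hunt(events):
    """The two-step hunt described above: broad query, then narrowed by password change."""
    sessions = build_sessions(events)
    first = hunt(sessions, dept="Marketing", require=[ACCOUNT_MGMT, AUTH_FAILURE])
    second = hunt(sessions, dept="Marketing", require=[ACCOUNT_MGMT, AUTH_FAILURE, PASSWORD_CHANGE])
    return first, second
```

Running `marketing_hunt(EVENTS)` returns the broad result set first, then the single session that survives the password-change filter, which is the one an analyst would drill into.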
Again, the analyst wasn’t required to understand the structure of the underlying logs nor the search language of the underlying SIEM system — Splunk expertise is not required. Threat Hunter puts advanced search tools in the hands of users who need them, enabling more effective detection of subtle attacks. Used with Exabeam’s flagship UBA product, Threat Hunter improves threat detection and SOC efficiency, making SOC and IR teams much more productive.
Want to learn more? Download a data sheet or register here for a live demo of Threat Hunter today.