SandBlast Agent Threat Hunting Onboarding
Solution

Threat Hunting - Onboarding

Supported versions:

  • Agent Version
    • Recommended version - E84.10 and above
    • Minimal supported version - E84.10 (see full feature mapping below)
  • Management version
    • Cloud only, web management
    • Management version - R80.40 and above

Onboarding - 2 Steps:

  1. Enable Threat Hunting in the Endpoint Policy section.
  2. Apply the policy.
Proceed as follows:
  1. Go to 'Policy section > Threat Prevention > Analysis & Remediation tab'
     or 'Policy section > Forensics > Analysis & Remediation tab'.

  2. Once the Analysis & Remediation tab is visible, you should see the Enable Threat Hunting toggle switch.

  3. Toggle Enable Threat Hunting to "ON".
  4. Save the policy, click on the "Install Policy" button, and then click "Install".



  5. Once the policy is pushed out to the agents, give it a few minutes until data is sent by the agents. Then go to the Threat Hunting tab to start searching through events:



Troubleshooting

  1. No data available for hunting
    1. Ensure you have the minimum supported versions of Management and Agents.
    2. Check that Threat Hunting is enabled in policy, as detailed above.
    3. Check that the policy is applied on at least one working agent.
    4. Check that the agent with the relevant policy is connected to the Management.
    5. Known Cloud Infra bug - clear browsing history and re-login to the portal.
  2. Threat Hunting is disabled
    1. Check that Threat Hunting is enabled in policy, as detailed above.
    2. Check that the policy is applied on at least one working agent.
  3. Not seeing data older than a week
    1. The default retention period is 7 days, so you should not be able to see data older than 1 week.
    2. Exception - if you have the "extended retention" license.
  4. Not seeing some of the data types / remediation options
    1. Refer to the feature mapping below.

Feature to agent version - mapping

Columns in the original table: Version / General / Remediation / Collection. Features are listed below by the agent version that introduced them.

E84.10
  • Query capabilities
  • Predefined queries
  • Reputation enrichment
  • Drill down capabilities
  • Filter capabilities
  • Prevention alerts info (detection events)
  • Classification based filter in query
  • Classification support in API
  • Remediation APIs
  • Custom notifications
  • Quarantine file
  • Analyze full attack
  • Kill process
  • Remediate full attack
  • Kill full attack
  • Process
  • Network
  • File
  • Registry
  • Named Object
  • Injection
  • Remote logon
  • WMI execution
  • Detection event
  • Scripts
E84.20
  • Isolate machine
E84.30
  • WMI get
  • Remote and local logins
E84.40
  • Remote execution
  • Service creation
  • Process discovery
  • Application window discovery
  • Scheduled task
  • Screen capture
  • Input capture
  • DDE (Dynamic Data Exchange)
E84.50
  • (no new features listed)
E84.60
  • Process termination via push ops
  • Zip content
  • Remote execution enhancements

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
