
Lately I'm confused about threat hunting vs SIEM Use case creation.

The threat hunting resources I have read can be created as a SIEM use case. Then why should I perform it manually in the name of hunting?

How exactly does hunting differ from SIEM use case?

2 Answers


How exactly hunting differs from SIEM Use case

To simply break this down and answer the question above: when you handle alerts and events with SIEMs, it involves a reactive approach, whereas Threat Hunting harnesses a more proactive approach, basically aiming to be a step ahead of threats instead of being on the receiving end of them. This alone separates the use cases for both of these specialties.

However, Threat Hunting and SIEM should be able to coexist, and it is highly recommended that they be used together rather than either/or. The data gathered from your organization/infrastructure can be used as a set of benchmarks and guidelines, and to aggregate said data for analysis and threat hunting.

A succinct guide for Threat Hunting, basic touchpoints


When I ran into the phrase "threat hunting" 5 years ago, I was confused. It was being treated as, and talked about as, some sort of highly specialised activity requiring special skills and techniques. But I saw it as the basic, fundamental activity of a security analyst: you review the logs, look for anomalies, and chase down things that don't look right.

And from that angle, there is no difference between doing that and devising new SIEM use cases, except that a SIEM use case automates the specific process.

However, the term "threat hunting" has mutated beyond its original meaning, just like people use the term "AI" when they really mean "statistical analysis". Threat hunting can mean "log analysis" in some contexts, or it can mean "discovering something no one has discovered before".

Threat hunting is a free-form exploration of complex data to look for anomalous patterns. In its pure form, it cannot be automated.

A SIEM automates specific searches and analyses, usually based on the results of threat hunting where it is possible to look for a specific pattern. SIEMs can't find a novel pattern within complex data; humans can.

So, there is overlap between the two activities and one can lead to the other.

  • Thanks, good explanation indeed. Will I get at least one example?
    – Guru
    Commented May 26, 2021 at 12:06
  • Example: I developed SIEM alerts for traffic on the perimeter firewall. The "normal" stuff like unexpected protocols, brute forcing, traffic volumes. But I also spent time looking through the traffic logs for "anomalies". I had no idea what I was looking for, just "stuff that didn't look right". I found traffic from the network to a country that was unexpected. Not a "red flag" country, though. I had no reason to suspect it, but it was out of place. After a 2 week investigation, it turned out to be very malicious but in a way that no one had seen before. That's threat hunting.
    – schroeder
    Commented May 26, 2021 at 12:14
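An added illustration of the distinction drawn in this answer and its comment (example code, not written by either poster): a codified SIEM use case (brute-force denies) runs over constructed perimeter firewall log lines, an exploratory hunt ranks destination countries outside an assumed baseline for a human to review, and the hunt's finding is then promoted into a new use case. The key=value log format, the IP addresses and the country codes are all constructed.

```python
from collections import Counter

# Constructed firewall log lines (assumed key=value format, documentation IP ranges).
LOGS = """\
ts=2021-05-26T12:00:01 src=10.0.0.5 dst=203.0.113.7 dport=22 proto=tcp action=deny cc=US
ts=2021-05-26T12:00:02 src=10.0.0.5 dst=203.0.113.7 dport=22 proto=tcp action=deny cc=US
ts=2021-05-26T12:00:03 src=10.0.0.5 dst=203.0.113.7 dport=22 proto=tcp action=deny cc=US
ts=2021-05-26T12:00:04 src=10.0.0.5 dst=203.0.113.7 dport=22 proto=tcp action=deny cc=US
ts=2021-05-26T12:00:05 src=10.0.0.5 dst=203.0.113.7 dport=22 proto=tcp action=deny cc=US
ts=2021-05-26T12:01:00 src=10.0.0.8 dst=198.51.100.2 dport=443 proto=tcp action=allow cc=US
ts=2021-05-26T12:01:10 src=10.0.0.9 dst=198.51.100.3 dport=443 proto=tcp action=allow cc=DE
ts=2021-05-26T12:01:20 src=10.0.0.8 dst=198.51.100.2 dport=443 proto=tcp action=allow cc=US
ts=2021-05-26T12:02:00 src=10.0.0.12 dst=192.0.2.44 dport=8443 proto=tcp action=allow cc=NZ
ts=2021-05-26T12:02:30 src=10.0.0.8 dst=198.51.100.5 dport=53 proto=udp action=allow cc=US
ts=2021-05-26T12:03:00 src=10.0.0.9 dst=198.51.100.3 dport=443 proto=tcp action=allow cc=DE
""".splitlines()


def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


EVENTS = [parse(line) for line in LOGS]


def siem_rule_brute_force(events, threshold=5):
    """SIEM use case: a known pattern, fully codified. Fires when one source
    is denied `threshold` or more times against the same destination port."""
    denies = Counter((e["src"], e["dst"], e["dport"]) for e in events if e["action"] == "deny")
    return [key for key, n in denies.items() if n >= threshold]


def hunt_rare_destinations(events, expected_countries):
    """Hunting step: no fixed pattern. Aggregate allowed flows by destination
    country, drop what the baseline already explains, and hand the rarest
    remainder to an analyst, ranked so the least-seen country comes first."""
    by_cc = Counter(e["cc"] for e in events if e["action"] == "allow")
    candidates = [(cc, n) for cc, n in by_cc.items() if cc not in expected_countries]
    return sorted(candidates, key=lambda item: item[1])


def siem_rule_unexpected_country(events, expected_countries):
    """The hunt's finding, promoted to a SIEM use case: alert on any allowed
    flow to a country outside the (now reviewed) baseline."""
    return sorted({(e["src"], e["dst"], e["cc"])
                   for e in events
                   if e["action"] == "allow" and e["cc"] not in expected_countries})
```

The hunt output is a ranked list for a human to reason about, not an alert; only after the investigation decides that a pattern is worth alerting on does it become a rule.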
