2026-04-07 01-22-58_Clip_Clip-02-02_Clip

May 31, 2026 23:36 · 14:04 · English · Whisper Turbo · 2 speakers
2:42 Speaker 1:
Before an organization is ready to actually perform any threat hunts, there are some steps that need to go in for preparation in order to be successful in the threat hunting process. So some of those steps are going to consist of having the right threat hunting personnel. And this could be threat hunting teams or just individuals who are doing the threat hunts, that may have multiple different responsibilities as well. And we'll talk about a lot of these in more detail either in this course or in later courses as part of the threat hunting learning path. Making sure we have the correct data and the appropriate

3:22 Speaker 2:
data.
3:23 Speaker 1:
This is going to be your logs, your events from all the appropriate sources across the infrastructure for the organization. And we'll talk about specifically what kind of things should be logged in a later video in this course. Making sure we have the appropriate tools to collect those logs and all of the events in one place to aggregate them together, and then a place to assist with the analysis. A lot of times that's going to be the same system. And then whatever additional tools might be needed as well, like maybe packet capture or packet analysis utilities. For more advanced threat hunts, maybe memory analysis or disk analysis utilities; those two are typically going to be more of your digital forensics types of tools. But again, for the more advanced threat hunts, they can definitely come in handy. And then making sure that the hunters have proper access to not just the tools they need and the logging systems, but additionally to any of the systems that might need further in-depth analysis. Now, in some cases, this may be handled by more of the incident response team, but it's still a good idea to make sure the threat hunters have access to them as well if needed. And then making sure that the organization has access to the proper intelligence information. This is going to be sources of information about current threats, about new threats. And this can be either internally generated or come from an external source like a paid intelligence feed or an open source intelligence source. And we'll talk about threat intelligence specifically in a separate course in this learning path as well. So let's start by talking about the threat hunting teams. It's kind of a loose definition for these threat hunting teams. There aren't really standard definitions for these. It's really going to be based on the size of the organization, the industry the organization is a part of, what systems the organization has, and just the general needs of the organization when it comes to threat hunting. But we start out with what's known as an ad hoc threat hunter. This is going to be usually one person that may have multiple different job roles in the IT department, maybe the security department. This is typically going to be something you find in much smaller organizations that may either have no formalized cybersecurity team or maybe just a very small security team. Again, this person is going to have multiple different roles, typically just in the IT department itself. Most of these threat hunts are going to be very specifically task

6:16 Speaker 2:
-oriented.
6:17 Speaker 1:
They're going to not occur very often just from the simple fact that the infrastructure is probably going to be smaller and there's going to be just less time for that individual to be able to carry out the threat hunts. And threat hunts in an organization this size are going to be... I don't want to say less important, but less critical to the security because they're just less of a target. Now, again, that is going to depend on the risk assessment for the organization. And again, these aren't really standard definitions. This is just kind of a place to start out to figure out what these may look like. So moving up from there, we have usually an individual person or maybe a couple of people in an organization that have multiple roles again, but much more specific. They have roles of being an analyst and a threat hunter, so specifically in cybersecurity. This is going to be most common in a lot of your medium-sized organizations. This is going to be where your analyst or a SOC analyst is also going to be responsible for threat hunting. Those two skills very commonly go very well together. A good threat hunter typically makes a very good analyst and the other way around as well, because a lot of threat hunting is analysis of data and kind of drawing conclusions and kind of chasing down what's happening in the infrastructure based on that information. And then we have our dedicated threat hunting teams. These are going to be found in your much larger organizations. They're the most specialized out of all of this. This is where you have typically several members as part of this team, and their sole purpose is threat hunting. Again, mostly found in your larger organizations, maybe government agencies and things like that, where it's a dedicated team that does nothing but threat hunting. The next thing we will look at is what kind of software and various types of systems are needed in an organization to be prepared for threat hunting. Threat hunting involves going through and analyzing and looking through data, and it requires that data to be in place and be accessible before the hunt can occur. This is typically going to come from logs from multiple different systems that are all pulled into one central location, typically into what is known as a SIEM or SIM, depending on how you want to pronounce it. This stands for a Security Information and Event Management

8:50 Speaker 2:
System.

8:51 Speaker 1:
This also, most of the time, is going to provide the location for searching those logs

8:58 Speaker 2:
as well.
8:59 Speaker 1:
You can search the logs in kind of one dashboard, and you can search the logs across those multiple systems because they're all pulled from those systems into one location. Two of the most common pieces of software for this are Splunk and what's known as the ELK Stack. ELK in this situation, or in this instance, there we go, stands for Elasticsearch, Logstash, and Kibana. Three different tools kind of lumped into one utility here. Other tools that are usually, or that are very commonly, found with threat hunts are packet capture and packet analysis tools. The most common one that you see is going to be Wireshark. You'll see that most often. There are several other tools, Wireshark being the most common. It is cross-platform, so it can be used on various different systems. Then we can't forget our antivirus and EDR systems, and we talked about these before. They're not a replacement for threat hunting. Threat hunting isn't a replacement for them, I guess, is what I should have said there. But the information that comes out of them can be unique. These systems can provide a lot of additional information and data that might not be included in other logs. And when we're performing threat hunts, more information is always good because it gives us more places to look and just more data that can be used for that analysis. And then our threat intelligence information. Again, there's many different places this can come from. Again, multiple different types of data feeds, whether they're paid or open source, an in-house team that's generating and creating threat intelligence reports, usually going to be in your larger organizations, third-party vendors; there's a number of different locations where threat intelligence can come from. Again, we're going to talk about threat intelligence in a lot more detail in another course in this learning path. Then we get into our preparation for our logs. So we've gone over kind of that we need logs, but we need to make sure that we have the logs that

11:07 Speaker 2:
we need,
11:07 Speaker 1:
the appropriate logs, that they are all being collected ideally in one location, saved in that location. And we're talking about logs from endpoints across the environment, any servers, network devices, our authentication servers, cloud systems, applications. Pretty much anything that connects to the network and can generate logs is a good source of information for threat hunting. So we're collecting all of those logs, but we need to keep an eye on how long we are keeping those logs

11:40 Speaker 2:
for.

11:41 Speaker 1:
This is what's referred to as our log retention. They have to be kept for an appropriate amount of time. And appropriate is going to have a different definition in every organization. Some organizations may have legal requirements for how long they keep logs, but a lot of the retention here is going to vary based on the amount of logs being collected, the storage space available for those logs, because naturally, if you're collecting more logs, you're going to need more storage. And if you have this kind of a static amount of storage and you're collecting more logs, that means you have to retain them for a lower amount of time. So it's kind of a balancing act there between how long you maintain those logs, the volume of logs you're collecting, the number of systems you're collecting from, and how much space you can allocate for those

12:40 Speaker 2:
logs.
12:41 Speaker 1:
And very frequently, it's important, especially with Windows systems, to have some additional software to kind of provide more detailed logs. And in Windows systems, we're specifically looking at a tool from Microsoft's Sysinternals suite known as Sysmon. This is an application that can be installed on systems that can generate a lot more information in the logs themselves. And by the access information, they have specific event IDs that can be included in these logs that are very useful in threat hunting. For example, we can see here on Microsoft's website for Sysmon, they're kind of giving examples of some of the event IDs, such as event ID 1 that comes in when new processes are created. Event ID 3 is a good one to use for threat hunting. This one is logged when new network connections, either TCP or UDP, are made on a specific machine. Processes being ended, various images being loaded, remote threads can be useful. This is when a process is creating a thread in another process. Very common, a technique used by malware to inject.

This transcript was generated by AI (automatic speech recognition).