Use Historical Hunting Data

Note

To use Historical Hunting Data, you can add a relevant data retention package to your instance of the Cybereason platform for an additional cost. Contact your Customer Success Manager for details about this package.

Sometimes, as part of your threat hunting or incident analysis and response efforts, you will need to search through telemetry data across your organization for an extended period of time.

By default, the Cybereason platform retains non-malicious data for a short period of time after collection, while still retaining data and events related to MalOps for a much longer period. With Historical Hunting Data, in environments with the new Data Platform infrastructure, once you select a relevant data retention package, you can search through all the telemetry data in the period you select.

Historical Hunting data is useful for:

  • Proactive threat hunting: Find suspicious or malicious activity that has previously evaded existing controls and may be associated with a breach, as early as possible, to disrupt the attacker and minimize damage.

  • Retroactive hunting: Reactively apply intelligence from newly discovered historical attack campaigns to older datasets.

  • Deep investigation: After a breach, gain visibility into hunting data from a wider period of time to visualize the attacker’s activity, such as when the attack began, the initial point of attack, the number of machines and users compromised over time, and so forth.

  • Compliance: Run searches periodically to comply with regular audits and verify compliance with specific policies.

To support Historical Hunting data, the Cybereason platform has 30, 60, and 90-day Hunting data retention packages. This enables the platform to store non-malicious data until the end of the selected time period.

Note

In order to use Historical Hunting Data, your Cybereason platform must use the new Data Platform infrastructure.

After enabling Historical Hunting data and selecting a data retention package, all collected telemetry data is moved to the “warm” data tier until the selected retention period ends.

To add one of these packages, contact your Customer Success Manager.

Once you select and activate your data retention package, you use the same queries you use for regular hunting and investigation activities. Results from Historical Hunting data are also contextualized with data from associated MalOps and other detections from the Cross-Machine Correlation engine. In addition, queries run through the Cybereason API can search through Historical Hunting data.

For details on how to build queries, see Build a Query.