SentinelOne had a threat-hunting course that had a small presentation followed by a lab where I was given the opportunity to play around with the SentinelOne console and go hunting in a simulated environment. While I did not end up playing around in the environment for too long I did thoroughly enjoy both the presentation and getting to use SentinelOne. I like how everything is mapped out to the Mitre framework and it was a fairly easy to use console which is not always something you get with EDR solutions. All in all it felt like a clean solution that offers a lot of great features, some of which I got to test out in the lab. I'm posting my notes on the presentation below for anyone that would like to see how it was.
Working knowledge of defense procedures and systems such as SIEMs, endpoint security technologies and log aggregation methods
Extensive network terrain knowledge
Cant protect what you don't see or know
Understanding attack vectors that go beyond a list of IOCs
Adversarial tactics, techniques, and common knowledge
Based on real-world observations
Free, open, global
Shift from indicators to behaviors
Can apply non-technical defensive measures to technique
Threat hunters should have experience thinking and acting like an attacker
Red-teamer's mindset is moving through an organization undetected
Understand how to utilize exploits, how to elevate priveleges, and write scripts
Digital Forensics and Incident Response
DFIR knowledge equips a hunter with the foresight of knowing where to look for suspicious or anomalous behaviors and artifacts
Searching != Hunting
Searching is more tactical
More based on IOCs
Yes or no answers
Quick answers to immediate concerns
Hunting is more strategic
Unique network knowledge
Scientifically postulated and tested
Creating a hypothesis
What data is accessible/indexed/searchable
What information is within the data
What external information can I inject into a search
Where should the search focus?
How are you accounting for normal?
Does the query make it hard to filter out normal?
How useful are the results?
That's is for my notes from the lab, one last piece I have is a graphic from the powerpoint that I thought was a good visual so I grabbed a screenshot of it as you can see below