Threat hunting — searching across your security events

Threat Hunting is proactive search across your security event log — going looking for trouble rather than waiting for alerts. The platform lets you query the full event corpus by source, user, IP, file hash, command, time range, or any combination.

To start a hunt:
1. Security → SIEM → Hunt tab
2. Build a query in the search bar:
• Free text: "powershell.exe -enc"
• Field filter: source:windows AND user.name:administrator
• Time range: last 7 days, custom date range, or "since last alert"
3. Run → results appear in a tabular view with the matching events
4. Click any row to expand the full event detail
5. Save query — it joins your saved hunts and can be promoted to a detection rule

Common hunts to start with:
• Suspicious PowerShell — encoded commands, downloads, base64
• New admin accounts created — events from your AD source filtered to user.action:create AND target.role:admin
• Lateral movement — failed logins from internal IPs across multiple hosts in a short window
• Data exfiltration — large outbound transfers to external IPs (size > 100MB AND destination.country != "US")
• Persistence — new scheduled tasks, new services, registry runkeys

Wally-assisted hunts:
• Open Hunt → "Ask Wally to help" → describe what you're worried about in natural language
• Wally drafts a query, runs it, summarizes findings, and offers next steps
• Examples:
◦ "Find any sign of golden ticket attacks in the last week"
◦ "Show me all admin actions taken outside business hours"
◦ "What's our exposure to the latest CVE in the news?"

Saving and promoting:
• Save a hunt → reusable; appears in your saved hunts list
• Promote to detection rule → the hunt query becomes a continuous monitor that triggers an alert when matched
• Share saved hunts with other org admins — useful for standardized hunts across security team

Limits:
• Searches scoped to your org's event log (no cross-org visibility — except for platform admins)
• Retention is 90 days by default; longer retention is a paid add-on
• Wildcards work but are slower — prefer exact field matches when possible