Sqrrl’s latest release, version 2.6, delivers a host of fresh new features to the industry-leading Threat Hunting Platform. With a focus on enhancing user experience and hunting workflows, this new release makes it easier than ever to dive into your data and start proactively detecting threats.
By combining big data, analytics, investigation, and now newly enhanced hunting workflow capabilities into a single tool, Sqrrl Enterprise continues to revolutionize the industry standards for a Threat Hunting Platform. Sqrrl’s hunting approach focuses on identifying, gathering and acting upon an adversary’s Tactics, Techniques and Procedures (TTPs) in order to rapidly detect and mitigate threats in your network.
Sqrrl 2.6 introduces a number of new features that improve how analysts conduct investigations, further lowering the barrier to entry for threat hunting. Here are some of the new features added to Sqrrl to make hunting for advanced threats more streamlined than ever:
After an initial investigation of a detection, analysts can often assess whether a TTP detector has accurately identified real malicious activity. In Sqrrl 2.6, an analyst can now assign a classification to a detection result based on that assessment. The classification records whether they believe the result is an actual instance of malicious activity or a false positive. The detection result icon's color and shading reflect the current classification status, so analysts can share the outcome of their investigations with their team at a glance and avoid duplicate investigations of the same result.
Classifying a data staging detection as a false positive after investigation reveals a non-malicious source of the activity
The classification categories for detections include:
Not classified - The initial classification of every detection result.
True Positive - The detection is believed to reflect an actual instance of malicious activity.
False Positive - The detection is believed not to reflect malicious activity; the result was raised in error.
Unknown - The analyst was unsure whether the result is malicious.
Detections cleared as false positives also no longer contribute to the risk score of related entities, and when a detection result is dismissed it no longer appears on the detections dashboard. Users can always view a list of dismissed detection results if they need to go back to review a classification and reopen a detection.
Tagging for Detections and Entities
When undertaking a hunt, analysts may want to make note of entities or behaviors of interest. They may also want to note specific assets that they need to keep their eyes on. With the new tagging feature introduced in Sqrrl 2.6, users can now annotate entities and behaviors with user-defined tags. Analysts can use tags to enable custom searches and provide additional context such as asset categorization or behavioral attribution. This makes it easier than ever to conduct crown jewel analysis and “keep your eyes on the prize”. Hunters can use tags to provide their peers with additional context as they share investigations as well as make it easier to remember the details of an entity when returning to a long-running investigation. A new search field on the query panel allows you to search for detection results and entity instances that have a specific tag.
Tags added by an analyst to a detection after triage, discovering that the lateral movement was carried out via a Pass the Hash technique
To help users track analysis actions that have been performed on entities and detections, Sqrrl now maintains historical annotations for every entity. These historical annotations can include a variety of information, including when the data point was first created, changes to classifications, changes to risk scores, and dismissals and reopenings. Historical information is invaluable for understanding how data, behaviors, and risks have evolved over time, and for viewing how collaboration over a given asset or suspicious finding has been carried out.
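The classification, dismissal, tagging and annotation-history behaviors described above can be expressed as a small case-management model. The following Python is an added illustration written for this article; it is not Sqrrl's code and does not reflect Sqrrl's internal data model. The detection IDs, host names, analyst names, the numeric severity weights, and the rule that an entity's risk score is the sum of the severities of its detections not cleared as false positives are all assumptions made for the example.

```python
"""Minimal model of a threat-hunting case store (example code, not Sqrrl's):
detection classification, risk scoring that ignores false positives,
dismissal/reopen, tagging, and a per-detection annotation history.
All sample detections below are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Set, Tuple


class Classification(Enum):
    NOT_CLASSIFIED = "not_classified"   # initial state of every detection
    TRUE_POSITIVE = "true_positive"     # analyst believes it is real malicious activity
    FALSE_POSITIVE = "false_positive"   # raised in error; drops out of risk scoring
    UNKNOWN = "unknown"                 # analyst could not decide


@dataclass
class Detection:
    detection_id: str
    entity: str                 # entity the detection is attached to (hypothetical host name)
    technique: str              # TTP detector that fired
    severity: int               # weight added to the entity's risk score (assumed scoring model)
    classification: Classification = Classification.NOT_CLASSIFIED
    dismissed: bool = False
    tags: Set[str] = field(default_factory=set)
    history: List[Tuple[str, str, str]] = field(default_factory=list)  # (timestamp, action, detail)


class HuntCaseStore:
    """Holds detections and records every analyst action as a history entry."""

    def __init__(self) -> None:
        self._detections: Dict[str, Detection] = {}

    @staticmethod
    def _note(d: Detection, action: str, detail: str) -> None:
        d.history.append((datetime.now(timezone.utc).isoformat(), action, detail))

    def add(self, d: Detection) -> None:
        self._detections[d.detection_id] = d
        self._note(d, "created", f"detector={d.technique} entity={d.entity}")

    def classify(self, detection_id: str, new: Classification, analyst: str) -> None:
        d = self._detections[detection_id]
        old = d.classification
        d.classification = new
        self._note(d, "classified", f"{old.value} -> {new.value} by {analyst}")

    def dismiss(self, detection_id: str, analyst: str) -> None:
        d = self._detections[detection_id]
        d.dismissed = True
        self._note(d, "dismissed", f"by {analyst}")

    def reopen(self, detection_id: str, analyst: str) -> None:
        d = self._detections[detection_id]
        d.dismissed = False
        self._note(d, "reopened", f"by {analyst}")

    def tag(self, detection_id: str, tag: str, analyst: str) -> None:
        d = self._detections[detection_id]
        d.tags.add(tag)
        self._note(d, "tagged", f"{tag} by {analyst}")

    def risk_score(self, entity: str) -> int:
        # Only detections not cleared as false positives contribute to the entity's risk.
        return sum(d.severity for d in self._detections.values()
                   if d.entity == entity and d.classification is not Classification.FALSE_POSITIVE)

    def dashboard(self) -> List[str]:
        # Dismissed results are hidden from the dashboard but never deleted.
        return sorted(k for k, d in self._detections.items() if not d.dismissed)

    def dismissed(self) -> List[str]:
        return sorted(k for k, d in self._detections.items() if d.dismissed)

    def search_tag(self, tag: str) -> List[str]:
        return sorted(k for k, d in self._detections.items() if tag in d.tags)

    def history(self, detection_id: str) -> List[Tuple[str, str, str]]:
        return list(self._detections[detection_id].history)


def demo_hunt() -> HuntCaseStore:
    """Walk one constructed triage through the workflow and return the store."""
    store = HuntCaseStore()
    store.add(Detection("det-1", "ws-finance-07", "lateral_movement", severity=40))
    store.add(Detection("det-2", "ws-finance-07", "data_staging", severity=25))
    store.add(Detection("det-3", "srv-backup-02", "beaconing", severity=30))
    # det-2 turns out to be a scheduled backup job: clear it as a false positive and dismiss it.
    store.classify("det-2", Classification.FALSE_POSITIVE, "alice")
    store.dismiss("det-2", "alice")
    # det-1 is confirmed and annotated with the technique observed during triage.
    store.classify("det-1", Classification.TRUE_POSITIVE, "alice")
    store.tag("det-1", "pass-the-hash", "alice")
    store.tag("det-1", "crown-jewel", "alice")
    return store


if __name__ == "__main__":
    s = demo_hunt()
    print("risk(ws-finance-07) =", s.risk_score("ws-finance-07"))  # 40: the false positive no longer counts
    print("dashboard =", s.dashboard())                            # ['det-1', 'det-3']
    print("dismissed =", s.dismissed())                            # ['det-2']
    for entry in s.history("det-2"):
        print(entry)
```

The history list is append-only and every mutating method writes to it, which is the property that makes the audit trail useful: a reviewer can reconstruct who cleared a result, when, and whether it was later reopened, without trusting the current state alone.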
Other new additions to the Sqrrl solution in version 2.6 include:
- A variety of data storage and management improvements.
- Kerberized HDFS, allowing for installation of Sqrrl on Kerberos-enabled clusters.
- Sqrrl’s beacon detection capabilities have been extended to detect beacons from IPs to URLs.
- Export formats for indicators found in a hunt have been expanded and now also include CSV.
These features and more are now available in Sqrrl Enterprise, enabling users to more effectively than ever hunt for threats on their networks and in their datasets. Click the link below if you are interested in a demo of Sqrrl's Threat Hunting Platform.