Indicators and Hunting Rules
In most cases, SOC analysts begin the hunting process after a new indicator or hypothesis has appeared. Cytomic Orion generates an indicator when, in the telemetry collected from a client's computers, it detects a behavior that could correspond to a stage of the Cyber Kill Chain (CKC) of a cyberattack. This indicator is treated as a hypothesis and analyzed by Tier 1 technicians to determine whether it is a false positive or a possible threat to be investigated. The filtering process is known as ‘indicator triage’ and aims to deliver to Tier 2 technicians only those hypotheses that correspond to anomalous situations warranting deeper investigation.