Manage Hunting Rules

Cytomic Orion analyzes the telemetry data flow sent by the computers on the network, looking for suspicious event patterns that could belong to the Cyber Kill Chain (CKC) of a cyberattack. Each of these patterns is stored as a hunting rule; the cyberattack radar compares the rules against the telemetry data and generates an indicator whenever a positive match occurs.

In Cytomic Orion, there are two possible sources for hunting rules:

  • Cytomic analysts and automatic machine learning (ML) systems. They continuously analyze the flow of events received to create and test new hunting rules. These rules are visible to all Cytomic Orion clients.

  • SOC analysts, who can create their own hunting rules. These rules are visible only to the analysts' own organization.
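To make the matching model concrete, the following is an added illustration in Python, not code from Cytomic Orion or its documentation. It models a hunting rule as an ordered list of event predicates (one per CKC step) that must all occur on the same host within a time window, replays a small constructed telemetry stream through the rules, and emits an indicator per positive match. It also shows the two rule sources described above: vendor rules visible to every tenant, and SOC rules tagged with an organization id that only that organization sees. All hostnames, timestamps, process names, rule names and the `soc:<org-id>` tagging convention are assumptions made for the example.

```python
"""Minimal hunting-rule engine over constructed telemetry (added illustration)."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Event:
    host: str
    ts: int               # seconds since epoch (constructed values)
    kind: str             # e.g. "process_create", "network_connect"
    attrs: Dict[str, str]


@dataclass(frozen=True)
class HuntingRule:
    name: str
    source: str                            # "vendor" or "soc:<org-id>" (assumed convention)
    steps: List[Callable[[Event], bool]]   # ordered predicates, one per CKC step
    window: int                            # max seconds between first and last step


@dataclass(frozen=True)
class Indicator:
    rule: str
    host: str
    first_ts: int
    last_ts: int


def visible_rules(rules: List[HuntingRule], org: str) -> List[HuntingRule]:
    """Vendor rules are shared by all tenants; SOC rules only by their own organization."""
    return [r for r in rules if r.source == "vendor" or r.source == f"soc:{org}"]


def hunt(events: List[Event], rules: List[HuntingRule]) -> List[Indicator]:
    """Replay telemetry per host in time order and emit an indicator each time a
    rule's steps occur in sequence within the rule's window."""
    by_host: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: (e.host, e.ts)):
        by_host.setdefault(ev.host, []).append(ev)

    indicators: List[Indicator] = []
    for rule in rules:
        for host, stream in by_host.items():
            step, first_ts = 0, 0
            for ev in stream:
                if step and ev.ts - first_ts > rule.window:
                    step = 0                      # window expired: restart the sequence
                if rule.steps[step](ev):
                    if step == 0:
                        first_ts = ev.ts
                    step += 1
                    if step == len(rule.steps):   # every step seen: positive match
                        indicators.append(Indicator(rule.name, host, first_ts, ev.ts))
                        step = 0
    return indicators


# --- constructed rules -------------------------------------------------------
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}


def office_spawns_powershell(ev: Event) -> bool:
    return (ev.kind == "process_create"
            and ev.attrs.get("parent") in OFFICE_APPS
            and ev.attrs.get("image") == "powershell.exe")


def powershell_outbound(ev: Event) -> bool:
    return ev.kind == "network_connect" and ev.attrs.get("image") == "powershell.exe"


def lsass_handle_opened(ev: Event) -> bool:
    return ev.kind == "process_access" and ev.attrs.get("target") == "lsass.exe"


RULES = [
    # Shared by all tenants: two CKC steps within five minutes on one host.
    HuntingRule("office_to_powershell_to_network", "vendor",
                [office_spawns_powershell, powershell_outbound], window=300),
    # Written by one SOC (assumed org id "org-42"); invisible to other tenants.
    HuntingRule("soc_lsass_access", "soc:org-42", [lsass_handle_opened], window=0),
]

# --- constructed telemetry ---------------------------------------------------
TELEMETRY = [
    Event("ws-01", 1000, "process_create", {"parent": "winword.exe", "image": "powershell.exe"}),
    Event("ws-01", 1042, "network_connect", {"image": "powershell.exe", "dst": "203.0.113.7:443"}),
    Event("ws-02", 1100, "process_create", {"parent": "winword.exe", "image": "powershell.exe"}),
    Event("ws-02", 2500, "network_connect", {"image": "powershell.exe", "dst": "203.0.113.7:443"}),  # too late
    Event("ws-03", 1200, "process_create", {"parent": "explorer.exe", "image": "powershell.exe"}),
    Event("ws-03", 1210, "process_access", {"image": "procdump.exe", "target": "lsass.exe"}),
]


def run(org: str) -> List[Indicator]:
    """Indicators an analyst of `org` would see: only that org's visible rules are applied."""
    return hunt(TELEMETRY, visible_rules(RULES, org))


if __name__ == "__main__":
    for ind in run("org-42"):
        print(ind)
```

Running it as `org-42` yields two indicators (the vendor sequence on `ws-01`, and the SOC rule on `ws-03`); `ws-02` produces nothing because the second step falls outside the 300-second window. Any other organization sees only the vendor rule and therefore only the `ws-01` indicator.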