OBJECT

ThreatHuntConfig

Description

Config as the input to start a threat hunt.

GraphQL Schema definition

type ThreatHuntConfig {
  # Criteria to restrict files to scan.
  fileScanCriteria: MalwareScanFileCriteria
  # List of IOCs to scan for.
  indicatorsOfCompromise: [IndicatorOfCompromise!]!
  # Maximum number of matches per snapshot, per IOC. Scanning for an Indicator Of
  # Compromise within a snapshot will terminate once this many matches have been
  # detected. Defaults to one.
  maxMatchesPerSnapshot: Int
  # Name of this threat hunt.
  name: String!
  # Notes to describe this threat hunt.
  notes: String!
  # Additional information required for files with malware matches.
  requestedMatchDetails: RequestedMatchDetails
  # Specifies whether features that rely on the accuracy of filesystem metadata,
  # like creation time and modification time of files, are enabled or not. These
  # features include backend optimizations to skip re-scanning files that have not
  # changed across snapshots, as indicated by the unchanged timestamps of files.
  # This flag also gates access to some filters that can be specified in this API.
  # Note that this flag should be used with caution, as relying on file timestamps
  # may make the system vulnerable to adversarial techniques such as timestamp
  # manipulation.
  shouldTrustFilesystemTimeInfo: Boolean!
  # Limit which snapshots to include in the threat hunt.
  snapshotScanLimit: MalwareScanSnapshotLimit
  # UUID used to identify the cluster the request goes to.
  clusterUuid: String!
  # The objects to be scanned for malware.
  objects: [CdmHierarchySnappableNew!]!
}
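As an added example (not code from Rubrik or its SDK), the following builds a ThreatHuntConfig input as GraphQL variables and checks it against the nullability rules and the default stated in the schema above, surfacing the timestamp-trust caveat as a review warning. The shape of the IndicatorOfCompromise and CdmHierarchySnappableNew entries and the cluster UUID are placeholders, not taken from this page.

```python
# Added example (not Rubrik's SDK): build and check a ThreatHuntConfig input.
# The IOC and snappable dict shapes and the cluster UUID are constructed placeholders.

# Scalars the schema marks non-null ("!") and lists marked [T!]! (non-null, no null items).
REQUIRED_SCALARS = ("name", "notes", "clusterUuid", "shouldTrustFilesystemTimeInfo")
REQUIRED_LISTS = ("indicatorsOfCompromise", "objects")
DEFAULT_MAX_MATCHES = 1  # "Defaults to one" per the schema comment


def build_threat_hunt_config(name, notes, cluster_uuid, iocs, objects,
                             max_matches_per_snapshot=None,
                             trust_fs_time_info=False, **optional):
    """Return a dict shaped like ThreatHuntConfig, ready for use as GraphQL variables."""
    config = {
        "name": name,
        "notes": notes,
        "clusterUuid": cluster_uuid,
        "indicatorsOfCompromise": list(iocs),
        "objects": list(objects),
        "shouldTrustFilesystemTimeInfo": trust_fs_time_info,
    }
    if max_matches_per_snapshot is not None:
        config["maxMatchesPerSnapshot"] = max_matches_per_snapshot
    # Nullable fields (fileScanCriteria, requestedMatchDetails, snapshotScanLimit)
    # are simply omitted when not given.
    config.update({k: v for k, v in optional.items() if v is not None})
    return config


def validate_threat_hunt_config(config):
    """Return (errors, warnings): errors are schema violations, warnings are review notes."""
    errors, warnings = [], []
    for field in REQUIRED_SCALARS:
        if config.get(field) is None:
            errors.append(f"{field} is non-null in the schema but is missing")
    for field in REQUIRED_LISTS:
        items = config.get(field)
        if not items or any(item is None for item in items):
            errors.append(f"{field} must be a non-empty list with no null entries")
    if config.get("maxMatchesPerSnapshot", DEFAULT_MAX_MATCHES) < 1:
        errors.append("maxMatchesPerSnapshot must be a positive count")
    if config.get("shouldTrustFilesystemTimeInfo"):
        # Unchanged timestamps let the backend skip re-scanning a file across
        # snapshots, so a file whose timestamps were reset may not be re-scanned.
        warnings.append("shouldTrustFilesystemTimeInfo=true: re-scan skipping relies on "
                        "file timestamps, which an adversary can manipulate")
    return errors, warnings
```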