What Search page would help a threat hunter differentiate testing, DevOPs, or general user activity from adversary behavior?
What Search page would help a threat hunter differentiate testing, DevOPs, or general user activity from adversary behavior?
To differentiate testing, DevOps, or general user activity from adversary behavior, a threat hunter would benefit from a User Search page. This page allows the correlation of user activity across endpoints and helps identify anomalous or suspicious user actions, such as logging into multiple systems, running unusual commands, or accessing sensitive files, which are indicative of adversary behavior.
User Search is a search page that allows a threat hunter to search for user activity across endpoints and correlate it with other events. This can help differentiate testing, DevOPs, or general user activity from adversary behavior by identifying anomalous or suspicious user actions, such as logging into multiple systems, running unusual commands, or accessing sensitive files. Reference: https://www.crowdstrike.com/blog/tech-center/user-search-in-crowdstrike-falcon/
The question is asking "user activity", so the answer is D. User Search
D. User Search
In addition, there is no "domain search" menu as such. There is "bulk domains".