Documentation
Get StartedGetting Started

Start Hunting

Execute high-speed searches across parsed artifacts to identify threats and pivot between data points. Hunting is performed against the Elasticsearch index generated during the Processing phase.

Accessing the Hunt Interface

  1. Select Case: From the Cases sidebar, open the target investigation case.
  2. Initialize Hunt: Click the Hunt button in the case page.

Enter Hunt Module

Analysis Views

The Hunt interface provides two primary modes for data interrogation:

Dashboard View (Visual Aggregation)

The default view provides a statistical overview of the case index via interactive widgets. Use this to identify outliers or volume spikes.

Hunt Dashboard Analysis

Table View (Raw Data Analysis)

Switch to Table View to perform granular line-item inspection. Click any row to expand the Record Detail panel for a full field-level breakdown.

Tabular Record Inspection

Investigative Actions

  • Pivot: Click values within the Record Detail panel to instantly apply them as new search filters.
  • Export: Select Export to CSV to move filtered results into external analysis tools.
  • Tagging: Bulk-select records to apply case-specific tags.

INFO

Hunting performance is optimized when specific filters are applied.

Process Triage Package

Transform raw evidence into structured, searchable data. Triage packages serve as the container for uploaded artifacts and the execution context for parsing engines.

Case Management

Run incident and case workflows from intake through reporting in SandsBytes.

On this page

Accessing the Hunt InterfaceAnalysis ViewsDashboard View (Visual Aggregation)Table View (Raw Data Analysis)Investigative Actions