Create a hunt

Cortex XSIAM 3.x Documentation

Product
Cortex XSIAM
Creation date
2025-07-15
Last date published
2026-06-16
Category
Administrator Guide
Abstract

Hunt collections enable you to search endpoints for suspicious activity and gather evidence that helps resolve an investigation.

Use a hunt collection when you want to search for a specific activity across a large number of hosts. A hunt collection gathers more detail about where something occurred. For example, use a hunt to find which endpoints executed a piece of malware, which users accessed a particular file, or which endpoints a specific user authenticated to.

When adding a new hunt collection, you can select from various artifact types for Windows, macOS, and Linux.

  1. In the New Hunt Collection wizard, in the Hunt Collection Name field, enter a name that is easy to find in the collections table.

  2. Select the Platform: Windows, macOS, or Linux.

  3. Select one of the time range options:

    • One Time Collection: Run the hunt collection only once.

    • Repeat Collection Every: Run the hunt collection repeatedly at the interval (in hours) that you set.

    • Schedule: Run the hunt collection on a selected range of days of the week and within a specified time frame.

  4. In Description, enter information that is relevant to the collection you are creating.

  5. In Maximum Concurrent Endpoints, enter the maximum number of endpoints that run the searches at the same time within the specified time range. The default is 200 endpoints.

  6. On the Configuration page, refer to Configure Collection for information about each artifact.

Note

You can save hunts in an incomplete state and edit them later. After a hunt has run, you cannot edit it. Instead, you can duplicate the hunt with the same configuration.