AI Threat Hunting — Chat-Driven Investigation by SD Unified Platform

Interactive TH chat interface

Threat hunting in legacy SOCs is a query-and-pivot exercise. The analyst writes an ES query, scrolls through hits, copies a timestamp, writes a follow-up query, pivots to a different index, repeats. Hunts that should take 20 minutes take 2 hours.

SDP AI Threat Hunting replaces the query-and-pivot loop with a chat-style interface. The analyst types a hunt question — “show me anomalous outbound DNS in the last 24 hours for Tenant X” or “trace any lateral-movement indicators from this initial access alert” — and a next-generation reasoning model executes the hunt across the customer telemetry estate.

The chat surface supports:

• Multi-turn reasoning. Pivot from “show me anomalies” to “now correlate with identity events” without rewriting the query.
• Inline evidence rendering. Process trees, network flows, identity events render in the chat thread.
• Hunt artefact export. Save the hunt as an investigation packet, attach to a Zoho SDP ticket, surface in the SDP-Portal.
• Audit capture. Every hunt is logged with prompt hash, tenant scope, model, and token usage.

The chat is purpose-built for senior threat hunters — it does not pretend that AI replaces the analyst. It removes the friction between hypothesis and answer.

Multi-tenant investigation scope

Every hunt runs within a configurable investigation scope:

• Tenant filter. Restrict the hunt to one or more customer tenants. Senior hunters with cross-tenant clearance can hunt across the estate for cross-customer threat patterns (e.g. a new ransomware variant hitting two FIs simultaneously).
• Time range. Configurable from 15 minutes to 90 days. Default 24 hours.
• Source filter. Restrict to specific telemetry sources (endpoint, network, identity, SaaS) for focused hunts.

Multi-tenant scope is the unlock that lets a Simply Data senior hunter spot a campaign hitting multiple Malaysian banks within the first hour of indicator emergence. This is the analyst-side benefit of an MSSP with depth across regulated industries.

Sample hunt: ransomware lateral movement

A realistic hunt walk-through. (Tenant and host details fictionalised.)

Hunter prompt: “Tenant X, last 48 hours — investigate any indicators of lateral movement following the initial SMB anomaly on host APP-DB-03.”

Step 1 — Initial access correlation. AI pulls the SMB anomaly event, identifies the source IP and authentication context, surfaces the originating endpoint (WORKSTATION-MKT-12).

Step 2 — Endpoint pivot. AI queries WORKSTATION-MKT-12 process telemetry for the 4-hour window preceding the SMB anomaly. Surfaces suspicious PowerShell session with encoded payload.

Step 3 — Identity correlation. AI pulls authentication events for the user signed-in on WORKSTATION-MKT-12. Surfaces an anomalous MFA-prompt-accept event at 02:14 — outside the user’s normal pattern.

Step 4 — Lateral movement chain. AI walks the SMB session chain: WORKSTATION-MKT-12 → APP-DB-03 → APP-DB-04 → FILE-SRV-01. All within a 22-minute window. All using the same compromised credentials.

Step 5 — IoC extraction. AI extracts the encoded PowerShell payload hash, the source IP for the anomalous MFA accept, the C2 domain referenced in the decoded payload. Drafts an IoC list ready to push into Automation Hub hash-blocking.

Step 6 — Investigation packet. AI generates the customer-facing investigation narrative, attaches evidence, drafts the Zoho SDP ticket, surfaces in the SDP-Portal for the tenant security lead.

Elapsed time: under 6 minutes. The same hunt by hand against a SIEM with hand-written queries typically takes 45-90 minutes. The AI does not replace the senior hunter — the hunter is steering throughout — but it removes the query-typing tax.

Why this matters operationally

In a regulated environment — BNM RMiT 14-hour incident reporting, PDPA breach notification, Cyber Security Act 2024 reporting — the difference between a 6-minute hunt and a 90-minute hunt is the difference between meeting the regulatory window with documented evidence and missing it.

The audit chain is the second benefit. When the regulator asks “how did you determine the scope of the breach?” — SDP returns the hunt artefact: prompts, evidence pulled, conclusions drawn, model used, token cost. The investigation is reproducible.

How AI Threat Hunting is operated

AI Threat Hunting is operated by the Simply Data SOC team on behalf of customers. Customer-facing visibility into hunt activity, MITRE technique coverage, and hunt outcomes is exposed through the SDP-Portal.

Hunt cadence:

• Continuous L1/L2-driven hunts — agentic AI triage in the Security Command Centre routinely surfaces patterns that warrant a deeper hunt; the SOC team picks these up and drives them through AI Threat Hunting.
• Scheduled hunts — Simply Data SOC team runs scheduled MITRE-technique coverage hunts for each tenant on a documented cadence (typically weekly for critical-tier tenants).
• Ad-hoc hunts — driven by emerging threat intelligence (e.g. a new ransomware variant emerging in regional FI), regulatory advisories (MyCERT, BNM bulletins, NACSA advisories), or customer requests.
• Incident-driven hunts — every confirmed incident triggers a post-incident hunt to ensure full scope is understood and no related indicators are missed.

Customers can request specific hunts through their account manager or through the SDP-Portal ticket interface. Hunt artefacts are attached to the customer ticket and visible in the portal investigation history.