Quick Start: Your First Hunt

Once files are flowing into your Stairwell environment, you can start hunting for threats. There are two common approaches, depending on whether you have a specific indicator to investigate or are looking for unknown threats.

Path A: Investigate a known IOC

Use this approach when you have a specific indicator of compromise (IOC), such as a file hash, IP address, or domain, that you want to check against your environment.

  1. Search for the IOC. Navigate to Search and enter the hash, IP address, or domain. Stairwell will return any matching objects in your environment.
  2. Review the Mal-Eval score. On the object detail page, check the Mal-Eval score and verdict to understand the automated risk assessment.
  3. Check AI Triage. If the object has been flagged or scored highly, review the AI Triage summary for a full analysis including variant associations, YARA matches, and behavioral signals.
  4. Check Sightings. Navigate to the Sightings tab to see every asset where this object has appeared and when it was first and last seen. This tells you the scope of exposure across your environment.

Path B: Proactive threat hunt

Use this approach when you have no specific indicator but want to surface suspicious files in your environment.

  1. Open Search. Navigate to Search and use the query builder or structured filters to explore your environment's objects.
  2. Filter by Mal-Eval score. Apply a filter for objects with a Mal-Eval score greater than 70. This surfaces files that automated analysis considers likely malicious; treat the score as a prioritization signal for review rather than a confirmed finding on its own.
  3. Review AI Triage on high-scoring files. Select individual high-scoring objects and review the AI Triage summary to understand why they scored highly and whether they warrant further investigation.
  4. Document findings. For confirmed threats or objects requiring team review, create a Threat Report to capture IOCs, analysis notes, and affected assets in a shareable format.

Next steps

  • Set up YARA rules to automate detection of specific patterns
  • Configure alert integrations to push findings to your SIEM or SOAR
  • Explore Threat Reports to check your environment against published threat intelligence