Introduction

The Entity Analysis provides the analyst with a set of metrics for investigation: the number of Behavior Alerts, the number of SecOps Alerts, the number of Total Alerts, the Most Critical Alerts, and Related Entities.

The MITRE tactics and MITRE techniques widgets help you better understand the entity’s progression towards its increased risk. The MITRE tactics page displays the tactics associated with the SecOps or Behavioral alerts, while the MITRE techniques page displays the techniques associated with those alerts. Use these pages to see how the entity has progressed through the ATT&CK framework and to craft an attacker story.

A timeline view of the entity’s risk score is also displayed. In our example further down, Tina Frederick performed some actions on February 23rd that set off alerts that significantly increased her risk score. 

  • [Figure: Visualization of Entity Risk Score over time]
  • [Figure: Visualization of Entity MITRE ATT&CK Tactics over time]
  • [Figure: Visualization of Entity MITRE ATT&CK Techniques by risk]

Investigation

Since Tina Frederick was identified as the highest-risk entity in the Entity Dashboard, we will drill down into her entity page to investigate the root cause of her high risk score. To begin investigating Tina, first choose the time range you would like to see at the very top of the page (we have chosen a 7-day time frame). The time range is reflected in the entity’s timeline and in the alert histories displayed. The metrics described in the Introduction (the Behavior, SecOps and Total alert counts, the Most Critical Alerts and the Related Entities) and the risk-score timeline are all computed for that range. In our example, Tina Frederick performed some actions on February 23rd that set off alerts that significantly increased her risk score.

The MITRE tactic graph shown above plots time on the X axis and the specific MITRE tactic on the Y axis. The size of each bubble shows how many times that tactic appeared during the selected time frame. For instance, in the example above, Persistence was a frequently observed tactic on February 23rd.

The MITRE techniques page is color coded by the risk score of each individual technique. A color legend explains what each color means, with blue being the most benign and red the most malicious.

Alerts History

The Alerts History section of the page lets you see the original SecOps and Behavioral alerts that were triggered. By default the alerts are sorted by time in ascending order. You can sort the alerts by several categories, including priority, risk score, and category. To investigate an alert further, click the toggle at the far right of the alert name to query the alert inside the Query App.

Fields

  • Time: The time when the alert happened.
  • Name: The name of the alert. SecOps alerts carry the SecOps alert title; Behavior alerts are titled by their model name.
  • Priority: The priority of the alert.
  • Category: Whether the alert is a SecOps or Behavior alert.
  • Tactic or Technique: The MITRE tactics or techniques associated with the alert.
  • Related entities: Other entities associated with the particular alert.

Within the Alerts History you can expand each alert to drill down and get more details about the alert definition and the associated context gathered when the alert triggered. Expanding the alert quickly shows the description of what the alert detects, its LINQ query, and the associated data that carries other valuable context. If you want to drill down further into the alert, click the magnifying glass button to pivot into Devo’s data search window and view the raw events that triggered the alert.