...

The navigation panel contains the following set of links to pages of the DeepTrace user interface (each link is shown with its icon):

  • Dashboard: Provides a general overview of traces, devices, triggers and leads.

  • Traces: Displays the traces that depict suspicious activities or attacks in a searchable table format.

  • Devices: Shows a list of the devices implicated in the traces with the highest risk scores.

  • Search: Enables users to conduct ad-hoc searches for processes exhibiting suspicious behavior and to trigger investigations from the results.

  • Hunt: Enables users to browse the results of hunts that map to MITRE ATT&CK framework tactics and techniques. It also enables users to configure new hunts. Once refined and validated, these can be converted to new cadence-based threat detections.

  • Triggers: Shows the triggers that started autonomous investigations.

  • Monitor: Enables users to view performance data, statistics, health data, and the list of monitored devices.

  • Administration: Enables users to manage DeepTrace configuration settings, such as whitelists and data adapters.

  • Log out: Logs the current user out.

...

DeepTrace analyzes traces to detect similarities. The Traces page enables the user to display similar traces together as groups. This can be a useful way to arrange traces and detect repeating patterns of activity across your infrastructure.

...

  • Sorting:

The traces table can be sorted by clicking on the following column titles: ID, Risk, Start Date, End Date and Title.

...

  • To filter the evidence by time, drag your mouse over a slice of the time series chart. This filters the network graph and the evidence table by the selected time range.

...

  • To filter the evidence by device, click on a node in the graph. This filters the table to show the evidence for the selected device.

...

  • To filter the evidence by a network connection, click on a link in the graph.

...

  • To filter the evidence by time, drag your mouse over a slice of the time series chart. This filters the matrix’s evidence by the selected time range.

...

  • To filter evidence by metadata, use the metadata dropdowns above the time series chart.

...

  • To filter the evidence by time, drag your mouse over a slice of the time series chart. This filters the process graph and the evidence list by the selected time range. Note that graph nodes become grayed out once they are filtered out; they are not removed from the graph in order to preserve the graph’s hierarchical integrity. 

...

  • To filter the evidence by a specific process, click on a process node in the process graph. This filters the list to show the evidence for the selected process. If you click on a process which is not associated with any evidence, then no evidence will be shown in the list but you can still view process details, such as the command line, process ID and other properties.

  • To filter the evidence by metadata, use the metadata dropdowns above the time series chart.

...

  • View Event Details: Click here to open a popup that displays raw event details about the process. This popup also contains tabs for searching for activities conducted by the process, such as 

    • file activity

    • registry activity

    • library loads

    • network connections

...

  • View In Device Explorer: Click here to be redirected to the Device page, where you can view the selected process in the context of the process tree for its host.

  • Whitelist: Click here to open a popup that allows you to add this process to DeepTrace’s whitelist. You will be given the choice to whitelist either the process name, full path, or command line. Whitelisted items no longer generate evidence in future autonomous investigations.
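The three whitelist granularities above suppress very different amounts of evidence. The following is an added illustration, not DeepTrace's own whitelist code: it models process events and whitelist entries with assumed field names, treats file names and paths as case-insensitive (Windows semantics) and command lines as exact matches, and runs each kind of entry over a constructed set of events so the difference in reach is visible.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process record; field names are assumptions for this example."""
    pid: int
    name: str
    path: str
    cmdline: str


@dataclass(frozen=True)
class WhitelistEntry:
    """kind is one of "name", "path" or "cmdline", mirroring the three choices in the popup."""
    kind: str
    value: str


# Constructed events (not DeepTrace data): a legitimate svchost.exe, a lookalike
# copied to a user-writable directory, and an encoded PowerShell invocation.
EVENTS = [
    ProcessEvent(1220, "svchost.exe", r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    ProcessEvent(4410, "svchost.exe", r"C:\Users\Public\svchost.exe",
                 r"C:\Users\Public\svchost.exe -k netsvcs"),
    ProcessEvent(5120, "powershell.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgA"),
]


def _norm(s: str) -> str:
    # Windows file names and paths are case-insensitive; normalise before comparing.
    return s.casefold()


def entry_matches(entry: WhitelistEntry, ev: ProcessEvent) -> bool:
    if entry.kind == "name":
        return _norm(ev.name) == _norm(entry.value)
    if entry.kind == "path":
        return _norm(ev.path) == _norm(entry.value)
    if entry.kind == "cmdline":
        # Command lines are compared verbatim: arguments are part of the match.
        return ev.cmdline == entry.value
    raise ValueError(f"unknown whitelist kind: {entry.kind}")


def is_whitelisted(ev: ProcessEvent, whitelist: Iterable[WhitelistEntry]) -> bool:
    return any(entry_matches(w, ev) for w in whitelist)


def suppressed_pids(events: Iterable[ProcessEvent], whitelist: Iterable[WhitelistEntry]) -> List[int]:
    """PIDs of events that would no longer generate evidence under this whitelist."""
    wl = list(whitelist)
    return [ev.pid for ev in events if is_whitelisted(ev, wl)]


def remaining_evidence(events: Iterable[ProcessEvent], whitelist: Iterable[WhitelistEntry]) -> List[ProcessEvent]:
    """Events that still generate evidence under this whitelist."""
    wl = list(whitelist)
    return [ev for ev in events if not is_whitelisted(ev, wl)]


if __name__ == "__main__":
    candidates = [
        WhitelistEntry("name", "svchost.exe"),
        WhitelistEntry("path", r"C:\Windows\System32\svchost.exe"),
        WhitelistEntry("cmdline", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    ]
    for entry in candidates:
        print(f"{entry.kind:8} {entry.value!r:55} suppresses PIDs {suppressed_pids(EVENTS, [entry])}")
```

Whitelisting by process name suppresses both svchost.exe events, including the copy in C:\Users\Public, because only the file name is compared; the full-path and command-line entries suppress only the System32 instance. When whitelisting from an investigation, prefer the narrowest entry that covers the benign activity you have actually confirmed.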

...

  • To filter the evidence by time, drag your mouse over a slice of the time series chart. This filters the evidence list by the selected time range. 

...

  • To filter the evidence by metadata, use the metadata dropdowns above the time series chart.


Each piece of evidence is associated with metadata (device, domain, process, username, tactic, technique, etc.). Use the metadata dropdowns to filter for evidence based on its metadata. Your metadata selections are applied simultaneously to the time series chart and the evidence list.

...

Rather than displaying the full list of all devices monitored by DeepTrace, the Devices page highlights the devices implicated in traces with elevated risk scores. The list is generated by first scanning the riskiest traces within a time range of your choosing. A list of implicated devices is extracted from those traces. Each device is then assigned a cumulative risk level based on the severity of the trace evidence for that device. The Devices page displays the device list sorted from highest risk level to lowest.
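The pipeline described above (select the riskiest traces in a time window, extract the implicated devices, accumulate a per-device risk level, sort) is shown below as an added example. It is not DeepTrace's implementation: the trace and evidence fields, the severity scale and the choice to sum evidence severities per device are assumptions made for illustration, and the traces are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Evidence:
    device: str
    severity: int          # assumed scale: 1 (low) .. 4 (high)


@dataclass(frozen=True)
class Trace:
    trace_id: str
    risk: int              # trace risk score, higher is riskier
    start: datetime
    evidence: Tuple[Evidence, ...]


# Constructed traces, not DeepTrace output. T4 falls outside the January
# window and T3 is not among the riskiest traces when top_n=2.
SAMPLE_TRACES = [
    Trace("T1", 90, datetime(2024, 1, 10, 9, 0),
          (Evidence("WS01", 4), Evidence("WS01", 3), Evidence("SRV02", 2))),
    Trace("T2", 70, datetime(2024, 1, 11, 14, 30),
          (Evidence("SRV02", 4), Evidence("WS03", 1))),
    Trace("T3", 20, datetime(2024, 1, 11, 16, 0),
          (Evidence("WS03", 4),)),
    Trace("T4", 95, datetime(2023, 12, 1, 8, 0),
          (Evidence("WS09", 4),)),
]


def riskiest_traces(traces: Iterable[Trace], window_start: datetime,
                    window_end: datetime, top_n: int) -> List[Trace]:
    """Step 1: traces starting inside the window, highest risk first, truncated to top_n."""
    in_window = [t for t in traces if window_start <= t.start <= window_end]
    return sorted(in_window, key=lambda t: t.risk, reverse=True)[:top_n]


def rank_devices(traces: Iterable[Trace], window_start: datetime,
                 window_end: datetime, top_n: int) -> List[Tuple[str, int, List[str]]]:
    """Steps 2-4: extract implicated devices, accumulate severity, sort descending.

    Returns (device, cumulative_risk, implicating_trace_ids) rows. Summing severities
    is an assumption; any monotone aggregation would fit the description on the page.
    """
    cumulative: Dict[str, int] = defaultdict(int)
    implicating: Dict[str, Set[str]] = defaultdict(set)
    for trace in riskiest_traces(traces, window_start, window_end, top_n):
        for ev in trace.evidence:
            cumulative[ev.device] += ev.severity
            implicating[ev.device].add(trace.trace_id)
    rows = [(dev, score, sorted(implicating[dev])) for dev, score in cumulative.items()]
    # Ties are broken by device name so the ordering is deterministic.
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def example_ranking() -> List[Tuple[str, int, List[str]]]:
    """Ranking for the constructed sample over January 2024, keeping the two riskiest traces."""
    return rank_devices(SAMPLE_TRACES, datetime(2024, 1, 1),
                        datetime(2024, 1, 31, 23, 59), top_n=2)


if __name__ == "__main__":
    for device, score, trace_ids in example_ranking():
        print(f"{device:6} risk={score:<3} traces={','.join(trace_ids)}")
```

Narrowing the time window or the number of traces scanned changes which devices appear at all, not just their order: WS09 never shows up here because its only trace started before the window, even though that trace carries the highest risk score.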

...

Info

To browse a list of all monitored devices, regardless of their risk assessment, navigate to the Monitor > Devices page.

Clicking on a device in the list redirects you to the Device page for that selected device. On the Device page is detailed information about the device, including the list of traces in which the device is implicated, the list of processes detected on the device, and additional device statistics.

...

To toggle between the Table display and the Graph display, use the two toggle buttons in the middle-right of the page:

...

Note that both the Table and Graph displays use color coding to indicate the severity of the evidence, ranging from blue (low) to red (high). The Table in particular uses separate color coding for the process name and the expander arrow: the process name is color coded by the evidence for that process, whereas the expander arrow is color coded by the evidence for its descendant processes. Thus the expander arrow’s color can guide you to the nested processes that have interesting evidence.

...

Click in the chart to move the light blue slice to a different window of time. The selected time window is shown in text below the chart.

...

Info

Your time window is 10 minutes by default. You can modify the width of the window using the light blue dropdown.

...

  • View Event Details: Click here to open a popup that displays raw event details about the process. This popup also contains tabs for searching for activities conducted by the process, such as 

    • file activity

    • registry activity

    • library loads

    • network connections

...

  • View In Device Explorer: Click here to be redirected to the Device page, where you can view the selected process in the context of the process tree for its host.

  • Investigate this Event: Click here to open a popup that allows you to trigger an autonomous investigation based on this process. You are prompted to choose an initial time window around the process in which to investigate suspicious activity. If suspicious activity is detected, the investigation generates a new trace.

...

  • Sorting: The hunts table can be sorted by clicking on the following column titles: Enabled/Disabled, Title, Status, Author, Created and Last Run.

Browsing the hunt results

...

  • View Event Details: Click here to open a popup that displays raw event details about the process. This popup also contains tabs for searching for activities conducted by the process, such as 

    • file activity

    • registry activity

    • library loads

    • network connections

...

  • View In Device Explorer: Click here to be redirected to the Device page, where you can view the selected process in the context of the process tree for its host.

  • Investigate this Event: Click here to open a popup that allows you to trigger an autonomous investigation based on this process. You are prompted to choose an initial time window around the process in which to investigate suspicious activity. If suspicious activity is detected, the investigation generates a new trace.

...

Managing Hunts

The Hunt page supports managing hunts, including editing, duplicating and deleting hunt configurations.

...