...

The navigation panel contains the following set of links to pages of the DeepTrace user interface (each link is shown with its icon):

Link: Details

  • Dashboard: Provides a general overview of traces, devices, triggers, and leads.

  • Traces: Displays the traces that depict suspicious activities or attacks in a searchable table format.

  • Devices: Shows a list of the devices implicated in the traces with the highest risk scores.

  • Search: Enables users to conduct ad-hoc searches for processes exhibiting suspicious behavior and thereby trigger investigations.

  • Hunt: Enables users to browse the results of hunts that map to MITRE ATT&CK framework tactics and techniques. It also enables users to configure new hunts. Once refined and validated, these can be converted to new cadence-based threat detections.

  • Triggers: Shows the triggers that started autonomous investigations.

  • Monitor: Enables users to view Performance data, Statistics, Health data, and the list of monitored devices.

  • Administration: Enables users to manage DeepTrace configuration settings, such as whitelists and data adapters.

  • Log out: Logs the current user out.

...

Why? Simply put, processes can come and go frequently. Some processes may run for weeks while others may run for less than a second. As a result, process tree data can grow quickly, and browsing just a few minutes of process data can yield a large, unwieldy dataset. For this reason, the three Device data views which show processes (namely: Processes view, Summary view & Raw Events view) only load a 10-minute window of process data by default. You still use a calendar to choose time ranges for these three views, but you must then also select a 10-minute window within the chosen time range.

...

To choose a 10-minute window, these three views display a time series chart. The chart spans the same time range that you select in the calendar. Your 10-minute window is shown as a light blue vertical slice within the chart.

...

  • View Results: Click here to open a panel with the results of the hunt’s runs, if any. This is the same as clicking on the hunt’s title.

  • Enable/Disable Hunt: Click here to toggle the hunt’s status between enabled and disabled.

  • Start Hunt: Click here to manually start a run of this hunt now regardless of its schedule.

  • Settings/Edit Hunt: Opens a popup for editing the hunt’s configuration. Users who have permission to edit the hunt see Edit Hunt; otherwise, this menu option says Settings and the popup only shows the hunt’s configuration as read-only.

  • Duplicate Hunt: Opens a popup for editing the configuration of a new hunt. The popup is automatically pre-populated with the same configuration settings as the selected hunt. Use the popup to make any changes needed, then click Save to save the configuration for this new duplicate hunt.

  • Delete Hunt: Deletes the hunt configuration and its run results (if any).

Configuring Hunts

The Hunt page supports the creation of custom hunt configurations and the editing of the configurations of your existing hunts.

...