
Introduction

Devo DeepTrace performs autonomous alert investigations and threat hunting using attack-tracing AI, advancing how security teams easily identify and rapidly investigate threats and secure the organization. Devo DeepTrace helps security teams autonomously investigate alerts and suspicious events and perform threat hunting via:

  • Fully documented attack chains that speed investigations: Building attack traces, which fully and chronologically document each attack chain.

  • An AI engine that augments analysts: Providing analysts with context and points of reference detailing the attacker’s path through an organization’s infrastructure by asking potentially hundreds of thousands of questions. The AI engine emulates how SOC (Security Operations Center) analysts investigate alerts, incidents, and suspicious behaviors.

  • Autonomous investigations that accelerate context-based decision-making: Autonomously traverses historical data to document an adversary’s behavior from start to finish of an attack, providing the facts analysts need to take effective action.

  • Autonomous threat hunting to up-skill analysts: Helps threat hunters quickly construct and configure new hunts that map to MITRE ATT&CK framework tactics and techniques. Once refined and validated, these can be converted to new cadence-based threat detections.

What is a trace?

Traces are key artifacts that fully and chronologically document suspicious activity detected across an organization's infrastructure. Traces are the results of autonomous investigations which detect suspicious activity.

Trace data consists of a set of observed activities and their corresponding “evidence”—that is, DeepTrace’s analysis of those activities. You can view a trace in DeepTrace as a variety of interactive visualizations, including a summary graph, a MITRE ATT&CK matrix, a process tree, and a detailed timeline.

What permissions do I need to use DeepTrace?

To grant specific Devo users permission to use DeepTrace, manage roles in the Administration → Roles area of the navigation pane. Editing roles requires the Manage version of the Roles permission; with only the View version, you can open this area but cannot modify anything.

...

In this area, you can create custom roles with a custom set of permissions to control the specific actions certain users can perform or the specific applications, activeboards, alerts, and lookups they can access in each domain.

DeepTrace in the Devo platform

Devo DeepTrace allows EDR (Endpoint Detection and Response) and other data to be brought into DeepTrace. You ingest data into Devo via your chosen collector, and the data is automatically copied into the DeepTrace cache for processing. Cached data ages out after about six weeks.

The combined deployment is configured to enable alert and EDR data investigations using DeepTrace. Devo customers that have activated it in their domain have an additional tab in their navigation pane named DeepTrace.

...

Sending events and alerts to DeepTrace

There are two different ways to start sending events and alerts to Devo DeepTrace:

...

Investigation status values:

  • No Trace: The investigation did not detect any threats.

  • Trace Found: The investigation detected suspicious activity that needs your attention.

  • Waiting: The investigation is in progress.

  • Error: An error occurred which prevented the investigation from proceeding.

DeepTrace user interface

The DeepTrace user interface enables security analysts to view the results of traces and hunts. Users can also configure new hunts, conduct ad-hoc searches, and trigger new investigations.

Navigation

In the Devo DeepTrace user interface, a navigation panel is shown along the left side of the window. The navigation panel is initially displayed in its compact state. Hovering your mouse along the far-left edge of the navigation panel causes it to expand.

...

  • Dashboard: Provides a general overview of traces, devices, triggers, and leads.

  • Traces: Displays the traces that depict suspicious activities or attacks in a searchable table.

  • Devices: Shows the devices implicated in the traces with the highest risk scores.

  • Search: Lets you run ad-hoc searches for processes exhibiting suspicious behavior and trigger investigations from the results.

  • Hunt: Lets you browse the results of hunts that map to MITRE ATT&CK framework tactics and techniques, and configure new hunts. Once refined and validated, hunts can be converted to new cadence-based threat detections.

  • Triggers: Shows the triggers that started autonomous investigations.

  • Monitor: Shows performance data, statistics, health data, and the list of monitored devices.

  • Administration: Manages DeepTrace configuration settings, such as whitelists and data adapters.

  • Log out: Logs the current user out.

Traces page

Traces are artifacts that fully and chronologically document each attack chain. Traces are generated by the autonomous investigations that detect suspicious activity. A trace’s data consists of a set of observed events (“activities”) and their corresponding “evidence”—that is, DeepTrace’s analysis of those activities.

Traces table

The Traces page loads the list of traces from the DeepTrace server and displays the list in a table format. 

...

  • ID: Identifier of the trace. Click to open the Trace page for this trace in order to view the trace data in detail. To open the Trace page in a separate browser window, click the icon to the right of the ID.

  • Risk: Each trace is assigned a composite risk score from 0 (low) to 100 (high). The risk score is derived from the severity of the trace’s evidence data.

  • Start Date: The date and time of the first event in the trace.

  • End Date: The date and time of the last event in the trace.

  • Title: Click here to open the Trace page for this trace in order to view the trace data in detail.

  • Devices: The list of devices involved in the trace’s activity. Monitored devices can be listed by hostname; external devices can be listed by IP address. Click on the hyperlinked hostname of a monitored device to open the Device page and explore that device’s detailed data. 

  • Tactics: The list of MITRE Tactics detected in the trace’s activity.

  • Evidence: The total count of evidence data generated for this trace.

  • Status: A trace can be marked as either “open” (needs attention), “closed” (has been resolved), or “ignored” (false positive, duplicate, or no action needed). Click here to change the status of a trace.

Filtering the traces table

At the top of the Traces page are three filters for determining which traces are loaded:

...

Info

To avoid overwhelming the browser’s memory, only the first 5,000 matches are loaded into the table. If there are more than 5,000 matches, a message appears below the table with a suggestion to use the filters to narrow your results.

Refining the traces display

Above the table there are additional controls for refining the results and their display:

...

The traces table can be sorted by clicking on the following column titles: ID, Risk, Start Date, End Date and Title.

Changing the status of traces

To change the status of a trace, click on the dropdown in the Status column for that trace in the table.

...

To change the status of multiple traces simultaneously, first click the checkboxes beside each of those traces in the table. Then click on the dropdown above the table labeled “# selected”, where “#” is the number of traces you have checked.

...

Trace page

When clicking on a trace ID or title, the Trace page opens to show you the details of that trace.  A trace is the result of an autonomous investigation that detected suspicious activity. The Trace page shows both information about the trace and the data captured by the trace. 

Trace information

The header of the Trace page displays information about the trace itself, such as:

  • the trace ID and title

  • the start date and end date of the trace (the dates of the first and last events included in the trace)

  • the number of devices involved in the trace activities

  • the number of triggers which caused the trace to be generated (click here to view a list of the triggers)

  • the total count of evidence that was generated by the trace

  • the trace status

  • the severity of the trace (derived from the severity of all the evidence included in the trace)

Trace data views

Trace data generally consists of a set of observed events (“activities”) and their corresponding “evidence”—that is, DeepTrace’s analysis of those activities. The Trace page can show this data in four views:  

...

Each of these views is available as a tab near the top of the Trace page. Click any of these tabs to toggle between the views.

Trace Summary view

Click the Summary tab in the Trace page to view a summary of the trace data. Unlike other trace views, the summary view does not show all of the activity and evidence discovered by the trace. Instead, the summary view emphasizes the devices where the riskiest activities were detected. 

...

Each piece of evidence is associated with metadata (device, domain, process, username, tactic, technique, etc.). Use the metadata dropdowns to filter for evidence based on its metadata. Your metadata selections are applied simultaneously to the time series chart, the network graph, and the evidence table.

Trace MITRE view

Click the MITRE tab in the Trace page to view the trace evidence mapped onto the MITRE ATT&CK Matrix for Enterprise. The matrix is an industry-standard categorization of adversary tactics and techniques. Across the top of the matrix are the MITRE tactics. Underneath each tactic are the MITRE techniques that correspond to that tactic. 

...

Each piece of evidence is associated with metadata (device, domain, process, username, etc.). Use the metadata dropdowns to filter for evidence based on its metadata. Your metadata selections are applied simultaneously to the time series chart and the matrix.

Trace Processes view

Click the Processes tab in the Trace page to view the trace evidence mapped onto the process trees of the monitored devices involved in the trace.

...

Each piece of evidence is associated with metadata (device, domain, process, username, tactic, technique, etc.). Use the metadata dropdowns to filter for evidence based on its metadata. Your metadata selections are applied simultaneously to the time series chart, the process graph, and the evidence list. Similar to filtering by time, when graph nodes are filtered out by metadata they become grayed out; they are not removed from the graph in order to preserve the graph’s hierarchical integrity. 

Trace Timeline view

Click the Timeline tab in the Trace page to view all the trace evidence in a single chronological linear display.

...

  • Choose an action from the Actions list, input whatever parameters are required by the action, then click Take Action to invoke the action and await its results.

Devices page

The Devices page shows a list of devices that are implicated in traces within a selected time range.

...

Clicking on a device in the list redirects you to the Device page for that selected device. On the Device page is detailed information about the device, including the list of traces in which the device is implicated, the list of processes detected on the device, and additional device statistics.

Device page

The Device page shows you the internal details of a selected endpoint monitored by DeepTrace. The Device page shows both information about the device and the activity data observed on the device.

Device information

The header of the Device page displays information about the device itself, such as:

  • The hostname.

  • The IP address.

  • The OS type.

  • The type and version of the endpoint agent that monitors the device activity.

  • The dates when activity data was first and last seen for the device.

  • The date of the last bootup reported for the device.

Device data views

Device data generally consists of a set of observed events (“activities”) and their corresponding “evidence”—that is, DeepTrace’s analysis of those activities. The Device page can show this data in four views:  

...

Each of these views is available as a tab near the top of the Device page. Click any of these tabs to toggle between the views.

Device Traces view

The Device Traces view displays the traces within a given time range which implicate the device. The display uses a format similar to the display of the Traces page. 

As in the Traces page, the Device Traces view shows the list of traces in a table. There are controls above the table for filtering the traces and refining the display, including grouping and sorting options.

Device Processes view

The Device Processes view displays the processes that were found running on the device within a selected time range. 

...

Above the process data are controls for selecting a time range. Rather than blindly selecting an arbitrary time range, these controls use evidence from prior investigations to guide you towards selecting time ranges with interesting data. To learn more about selecting a time range in this view, see the later section, Device Page > Selecting a Time Range.

Device Summary view

The Device Summary view displays statistics for activity that was observed on the device within a selected time range. 

Above the statistics data are controls for selecting a time range. Rather than blindly selecting an arbitrary time range, these controls use evidence from prior investigations to guide you towards selecting time ranges with interesting data. To learn more about selecting a time range in this view, see the later section, Device Page > Selecting a Time Range.

Device Raw Events view

The Device Raw Events view displays the activity that was observed on the device within a selected time range. This is the granular data that comprises the statistics you see in the Device Summary view. You can choose to browse the following types of events:

...

Above the results table are controls for selecting a time range. Rather than blindly selecting an arbitrary time range, these controls use evidence from prior investigations to guide you towards selecting time ranges with interesting data. To learn more about selecting a time range in this view, see the next section, Selecting a Time Range.

Selecting a Time Range

Each of the Device data views has controls for selecting a time range. Your time range selection is used to filter the data displayed in the view. 

...

  • The time chart looks for boot records that intersect the time span of the chart. Time intervals for which there is a boot record are shown in the chart as white; time intervals for which no boot record is found are shown as gray. This helps you avoid choosing a 10-minute time window during which the device may have been offline.

  • The time chart also looks for evidence that occurred during the time span of the chart. If found, the distribution of evidence is plotted on the chart, using color coding based on the severity of the evidence. This helps you choose 10-minute time windows during which interesting activity is more likely to have occurred.

  • You can also filter the evidence displayed on the time chart. Use the controls above the time chart to filter the evidence based on the risk and status of the traces that generated the evidence, as well as the evidence metadata. This allows you to hone your search for interesting activity more precisely. For example, if you are interested in a particular process, then you can filter the time chart’s evidence by that process, so that you have a clearer view of when that process exhibited interesting behavior. Note that the time chart filters have no effect on the process data below the chart; they only apply to the evidence plotted on the chart.

Search page

The Search page allows you to perform ad-hoc searches for processes exhibiting specific behaviors. The search results can then be used to trigger autonomous investigations.

...

Defining a search query

At the top of the Search page is a form for defining your search. To define a search, you must specify a time range and a query expression. You can optionally specify a host (either a hostname or IP address) to target a specific device; otherwise your search is performed across all monitored devices.

The search’s query expression is provided using a simple search query language. Use this query language to target specific behaviors, including file access, registry access, network communications, and combinations thereof. You can find examples of search queries by clicking the help button which pops up a separate window with examples.

...

Query operators

The search query language supports the following operators. Keyword operators are accepted in upper or lower case.

  • &&: Logical AND of two conditions.

  • ||: Logical OR of two conditions.

  • !=, NE, ne: Not-equal operator; applies to numeric and time fields.

  • >, GT, gt: Greater-than operator; applies to numeric and time fields.

  • <=, LE, le: Less-than-or-equal operator; applies to numeric and time fields.

  • >=, GE, ge: Greater-than-or-equal operator; applies to numeric and time fields.

  • ~, CONTAINS, contains, LIKE, like: Partial (substring) match; applies to string fields.

  • BEGINS, begins: Starts-with match; applies to string fields.

  • ENDS, ends: Ends-with match; applies to string fields.

  • IN, in: Partial match against any of several comma-separated values, for example "HKLM\SYSTEM,HKLM\SOFTWARE".

Query fields

The tables below list the fields which you can use in your query expressions.

...

Files

  • dns.hostname: Hostname looked up by the process.

  • dns.raw_event: Raw event of the DNS lookup.

  • dns.utc: Time of the DNS lookup by the process, in UTC.
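The operators and dns.* fields above are enough to sketch how such a query is evaluated against events. The following Python evaluator is an added example, not DeepTrace's search engine or any Devo code, and it fills in details the page does not state: string values are double-quoted, && binds tighter than ||, parentheses group conditions, dns.utc values are ISO-8601 UTC timestamps (which order correctly as text), and partial string matches are case-insensitive. The DNS lookup events it runs over are constructed for the example.

```python
import re

# Operator spellings from the table above, each mapped to one canonical name.
_OPS = {
    "!=": "ne", "ne": "ne", ">": "gt", "gt": "gt",
    "<=": "le", "le": "le", ">=": "ge", "ge": "ge",
    "~": "contains", "contains": "contains", "like": "contains",
    "begins": "begins", "ends": "ends", "in": "in",
}
# Tokens: double-quoted string, symbolic operator or paren, bare field/keyword/number.
_TOKEN = re.compile(r'"(?P<str>[^"]*)"|(?P<sym>&&|\|\||!=|>=|<=|>|~|\(|\))'
                    r'|(?P<word>[A-Za-z_][\w.]*|\d+(?:\.\d+)?)|(?P<ws>\s+)|(?P<bad>.)')

def tokenize(query):
    tokens = []
    for m in _TOKEN.finditer(query):
        if m.lastgroup == "bad":
            raise ValueError(f"unexpected {m.group()!r} at offset {m.start()}")
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens

def _parse(tokens):
    """Recursive descent; '&&' binds tighter than '||' and parentheses group (assumed)."""
    i = 0
    def peek():
        return tokens[i] if i < len(tokens) else (None, None)
    def take():
        nonlocal i
        i += 1
        return tokens[i - 1] if i <= len(tokens) else (None, None)
    def chain(sym, kind, operand):  # left-associative: operand (sym operand)*
        left = operand()
        while peek() == ("sym", sym):
            take()
            left = (kind, left, operand())
        return left
    def and_expr():
        return chain("&&", "and", cond)
    def or_expr():
        return chain("||", "or", and_expr)
    def cond():
        kind, text = take()
        if (kind, text) == ("sym", "("):
            node = or_expr()
            if take() != ("sym", ")"):
                raise ValueError("missing ')'")
            return node
        if kind != "word":
            raise ValueError(f"expected a field name, got {text!r}")
        okind, otext = take()
        vkind, value = take()
        op = _OPS.get((otext or "").lower()) if okind in ("sym", "word") else None
        if op is None or vkind not in ("str", "word"):
            raise ValueError(f"bad condition near {text!r}: {otext!r} {value!r}")
        return ("cmp", text, op, value)
    tree = or_expr()
    if i < len(tokens):
        raise ValueError(f"unexpected token {peek()[1]!r}")
    return tree

def _compare(op, actual, expected):
    if actual is None:  # a field absent from the event never matches
        return False
    if op in ("ne", "gt", "le", "ge"):
        try:  # numeric fields compare as numbers, time fields as ISO-8601 UTC text
            a, e = float(actual), float(expected)
        except (TypeError, ValueError):
            a, e = str(actual), expected
        return {"ne": a != e, "gt": a > e, "le": a <= e, "ge": a >= e}[op]
    a, e = str(actual).lower(), expected.lower()  # partial matches: case-insensitive (assumed)
    if op == "in":  # partial match against any of the comma-separated values
        return any(p.strip() in a for p in e.split(",") if p.strip())
    return {"contains": e in a, "begins": a.startswith(e), "ends": a.endswith(e)}[op]

def _eval(node, event):
    if node[0] == "and":
        return _eval(node[1], event) and _eval(node[2], event)
    if node[0] == "or":
        return _eval(node[1], event) or _eval(node[2], event)
    return _compare(node[2], event.get(node[1]), node[3])

def compile_query(query):
    tree = _parse(tokenize(query))  # parse once, reuse the predicate over many events
    return lambda event: _eval(tree, event)

# Constructed DNS lookup events, shaped like the dns.* fields listed above.
SAMPLE_EVENTS = [
    {"dns.hostname": "update.microsoft.com", "dns.utc": "2024-05-01T09:15:00Z"},
    {"dns.hostname": "a1b2c3.ngrok.io", "dns.utc": "2024-05-01T09:16:30Z"},
    {"dns.hostname": "pastebin.com", "dns.utc": "2024-05-01T23:40:00Z"},
    {"dns.hostname": "files.dropbox.com", "dns.utc": "2024-05-02T03:05:00Z"},
]

def matching_hostnames(query, events=SAMPLE_EVENTS):
    matches = compile_query(query)
    return [e["dns.hostname"] for e in events if matches(e)]
```

For example, matching_hostnames('(dns.hostname ~ "pastebin" || dns.hostname contains "dropbox") && dns.utc GT "2024-05-01T12:00:00Z"') returns the pastebin.com and files.dropbox.com events, and a query using an operator that is not in the table (such as ==) raises ValueError from compile_query rather than silently matching nothing.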

Streaming data

Once you have submitted your search, the search is queued and then executed in the background on the server. 

...

  • When auto-refresh is turned on, the table automatically updates (possibly replacing) partial results as soon as newer results become available. If you do not want partial results to be automatically updated, turn auto-refresh off.

  • When auto-refresh is turned off, partial results are not updated automatically. Instead, when newer results become available, you are prompted with a message. The table isn’t updated until you click on that message. This allows you to continue browsing partial results without worrying that they might be replaced unexpectedly.

Working with results

The search results are displayed in a table at the bottom of the page. Each record in the table is a process which matches the criteria in your search query.  The table displays the following information for each process:

...

  • View Event Details: Click here to open a popup that displays raw event details about the process. This popup also contains tabs for searching for activities conducted by the process, such as 

    • file activity

    • registry activity

    • library loads

    • network connections

  • View In Device Explorer: Click here to be redirected to the Device page, where you can view the selected process in the context of the process tree for its host.

  • Investigate this Event: Click here to open a popup that allows you to trigger an autonomous investigation based on this process. You are prompted to choose an initial time window around the process in which to investigate suspicious activity. If suspicious activity is detected, the investigation generates a new trace.

...

Hunt page

What is a hunt?

In DeepTrace, a hunt is an intelligent search which looks for suspicious behavior. Hunts can be executed (“run”) once or on a recurring schedule. The results of hunts can be used to start a DeepTrace investigation either automatically or manually. The Hunt page allows you to browse the status and results of these hunts, and to configure custom hunts as well.

Hunts table

The Hunt page loads the list of hunts that are configured in your system and displays the list in a table format. 

...

  • Title: The title of the hunt, plus a brief description based on the hunt’s search type.

  • MITRE: The tactic and technique that the hunt is intended to detect.

  • Schedule: Whether the hunt is scheduled to recur or only execute once.

  • Auto-investigate: Whether the hunt is configured to automatically trigger an autonomous investigation on its results (if any).

  • Sharing: Whether the hunt is available to all DeepTrace users, certain selected users, or only the current user.

  • Status: Whether the hunt is disabled, enabled or completed.

  • Author: The DeepTrace user who created the hunt configuration.

  • Created: Date and time.

  • Last run: Date and time (if any).

  • Results: A trend chart showing the total result counts from the last 12 runs of the hunt (if any).

Refining the hunts display

Above the table there are additional controls for refining the table display:

...

  • Sorting: The hunts table can be sorted by clicking on the following column titles: Enabled/Disabled, Title, Status, Author, Created and Last Run.

Browsing the hunt results

A hunt can be configured to run once or on a recurring schedule. Click on the title of a hunt configuration in the hunts table to browse the results of its runs. 

...

  • View Event Details: Click here to open a popup that displays raw event details about the process. This popup also contains tabs for searching for activities conducted by the process, such as 

    • file activity

    • registry activity

    • library loads

    • network connections

  • View In Device Explorer: Click here to be redirected to the Device page, where you can view the selected process in the context of the process tree for its host.

  • Investigate this Event: Click here to open a popup that allows you to trigger an autonomous investigation based on this process. You are prompted to choose an initial time window around the process in which to investigate suspicious activity. If suspicious activity is detected, the investigation generates a new trace.

Managing Hunts

The Hunt page supports managing hunts, including editing, duplicating and deleting hunt configurations.

...

  • View Results: Click here to open a panel with the results of the hunt’s runs, if any. This is the same as clicking on the hunt’s title.

  • Enable/Disable Hunt: Click here to toggle the hunt’s status between enabled and disabled.

  • Start Hunt: Click here to manually start a run of this hunt now regardless of its schedule.

  • Settings/Edit Hunt: Opens a popup for editing the hunt’s configuration. Users who have permission to edit the hunt see Edit Hunt; otherwise, this menu option says Settings and the popup only shows the hunt’s configuration as read-only.

  • Duplicate Hunt: Opens a popup for editing the configuration of a new hunt. The popup is automatically pre-populated with the same configuration settings as the selected hunt. Use the popup to make any changes needed, then click Save to save the configuration for this new duplicate hunt.

  • Delete Hunt: Deletes the hunt configuration and its run results (if any).

Configuring Hunts

The Hunt page supports the creation of custom hunt configurations and the editing of configurations of your existing hunts.

...

  • Tags: Set custom tags on your hunt configurations to help you stay organized. By convention, specify at least the MITRE tactic and technique that the hunt is intended to detect.

  • Notes: Notes is a free-form text area where you may specify whatever additional context is helpful pertaining to the hunt.

Triggers page

The Triggers page allows you to browse the triggers that were investigated by DeepTrace. In DeepTrace, investigations can be triggered by:

...

Click on the ID or title of the trigger to view its details, including the list of traces and implicated devices (if any) which resulted from the investigation.

...

Monitor page

The Monitor page allows you to access the following pages which pertain to the health of the system:

  • Performance: Shows a pre-configured dashboard of graphs for plotting key hunting and system statistics.

  • Statistics: Shows the raw real-time statistics associated with the various microservices. These are typically useful for troubleshooting, and the support team may ask you for them.

  • Health: Shows the general health of the system including key system resources.

  • Devices: Shows a list of the endpoints currently being monitored.

Administration page

The Administration page allows users with administrator privileges to access various settings pertaining to the configuration and administration of DeepTrace. The page is divided into these sections:

...