...
What permissions do I need to use DeepTrace?
To grant specific Devo users permission to use DeepTrace, you manage roles in the Administration → Roles area of the navigation pane. This requires the Manage level of the Roles permission; with only the View level you can open this area but cannot modify anything.
...
In this area, you can create custom roles with a custom set of permissions to control the specific actions certain users can perform or the specific applications, activeboards, alerts, and lookups they can access in each domain.
What permissions do you need to use DeepTrace?
To access DeepTrace and use its features in Devo, you need a specific permission, as well as other satellite permissions to access the areas where these features are used:
Feature enabler: the DeepTrace features permission enables all DeepTrace options and menus throughout the platform.
Auto-investigate in DeepTrace: the Finders permission is required to open a search, and the Alert configuration permission is required to define a new alert, which is where auto-investigations are configured.
Trace status: the Triggered alerts permission is required to access the alerts history area, where traces are displayed and monitored.
...
DeepTrace in the Devo platform
...
There are four possible values for the alert auto-investigation status:
Status | Details |
No Trace | The investigation did not detect any threats. |
Trace Found | The investigation detected suspicious activity that needs your attention. |
Waiting | The investigation is in progress. |
Error | An error occurred which prevented the investigation from proceeding. |
DeepTrace user interface
The DeepTrace user interface enables security analysts to view the results of traces and hunts. Users can also configure new hunts, conduct ad-hoc searches, and trigger new investigations.
...
The navigation panel contains the following set of links to pages of the DeepTrace user interface:
Link | Details |
Dashboard | Provides a general overview of: ... |
Traces | Displays the traces that depict suspicious activities or attacks in a searchable table format. |
Devices | Shows a list of the devices implicated in the traces with the highest risk scores. |
Search | Enables users to conduct ad-hoc searches for processes exhibiting suspicious behavior and to trigger investigations from the results. |
Hunt | Enables users to browse the results of hunts that map to MITRE ATT&CK tactics and techniques, and to configure new hunts. Once refined and validated, hunts can be converted into new cadence-based threat detections. |
Triggers | Shows the triggers that started autonomous investigations. |
Monitor | Enables users to view performance data, statistics, health data, and the list of monitored devices. |
Administration | Enables users to manage DeepTrace configuration settings, such as whitelists and data adapters. |
Log out | Logs the current user out. |
Traces page
Traces are artifacts that fully chronologically document each attack chain. Traces are generated by the autonomous investigations that detect suspicious activity. A trace’s data consists of a set of observed events (“activities”) and their corresponding “evidence”—that is, DeepTrace’s analysis of those activities.
...
Use the buttons in the top-right corner of the process graph to manipulate the graph display:
Button | Description |
Show Vertical Layout | Toggles the graph orientation between horizontal and vertical. |
Show Network Connections Only | When turned on, only the processes that were involved in network connections are highlighted; other processes are grayed out. |
Show Cross Process Activity Only | When turned on, only the processes that were involved in cross-process activity (either as the initiator or as the target) are highlighted; other processes are grayed out. |
Show Condensed Layout | Makes the graph more compact and easier to understand at a high level. When turned on, sibling graph nodes are merged together if either: (a) they are processes that share the same process filename; (b) they are network connection targets that share the same hostname or domain; or (c) they are network connection targets that share the first three octets of their IPv4 addresses, that is, the same /24. |
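The three merge rules of Show Condensed Layout, implemented as an added Python example over a constructed set of sibling nodes (this is not DeepTrace's own code). It assumes a sibling node is a dict with kind "process" (carrying a filename) or kind "network" (carrying a hostname or IP literal as target), and it approximates "same domain" as the last two DNS labels, which over-merges under public suffixes such as co.uk:

```python
import ipaddress
from collections import defaultdict

# Added example of the three Show Condensed Layout merge rules; not DeepTrace's own code.
# Assumed node shape: {"kind": "process", "filename": ...} or {"kind": "network", "target": ...}
# where target is a hostname or an IP literal. "Same domain" is approximated as the last two
# DNS labels, which over-merges under public suffixes such as co.uk.


def condense_key(node):
    """Key under which sibling nodes are merged; siblings with equal keys become one node."""
    if node["kind"] == "process":
        # rule (a): processes sharing a filename (compared case-insensitively, as Windows does)
        return ("process", node["filename"].lower())
    target = node["target"]
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # rule (b): network targets sharing a hostname or domain
        labels = target.lower().rstrip(".").split(".")
        return ("domain", ".".join(labels[-2:]))
    if ip.version == 4:
        # rule (c): IPv4 targets sharing their first three octets, i.e. the same /24
        return ("net", str(ipaddress.ip_network(f"{ip}/24", strict=False)))
    # The page states rule (c) for IPv4 only, so IPv6 targets are never merged.
    return ("ip", str(ip))


def condense(siblings):
    """Group the children of one graph node; returns (key, member count) in first-seen order."""
    groups = defaultdict(list)
    for node in siblings:
        groups[condense_key(node)].append(node)
    return [(key, len(members)) for key, members in groups.items()]


# Constructed children of one parent process, not real telemetry.
SAMPLE_SIBLINGS = [
    {"kind": "process", "filename": "conhost.exe"},
    {"kind": "process", "filename": "CONHOST.EXE"},
    {"kind": "process", "filename": "cmd.exe"},
    {"kind": "network", "target": "198.51.100.7"},
    {"kind": "network", "target": "198.51.100.9"},
    {"kind": "network", "target": "198.51.101.9"},     # differs in the third octet: own group
    {"kind": "network", "target": "api.example.com"},
    {"kind": "network", "target": "cdn.example.com."},  # trailing dot (FQDN form) is normalised
    {"kind": "network", "target": "2001:db8::1"},
]

if __name__ == "__main__":
    for key, count in condense(SAMPLE_SIBLINGS):
        print(count, *key)  # nine children collapse to six condensed nodes
```

Rule (c) is the one to keep in mind when reading a condensed graph: two beacons to different hosts in the same /24 appear as a single node, so expand the layout before concluding that a process contacted only one destination.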
As in the other trace views, the processes view supports ad-hoc filtering of evidence:
...
The search query language supports the following operators.
Operator | Details |
&& | AND operator for combining multiple conditions. |
|| | OR operator for combining multiple conditions. |
!=, NE, ne | Not-equal operator; applies to numeric and time fields. |
>, GT, gt | Greater-than operator; applies to numeric and time fields. |
<=, LE, le | Less-than-or-equal operator; applies to numeric and time fields. |
>=, GE, ge | Greater-than-or-equal operator; applies to numeric and time fields. |
~, CONTAINS, contains, LIKE, like | Partial-match (substring) operator for string fields. |
BEGINS, begins | Starts-with operator for string fields. |
ENDS, ends | Ends-with operator for string fields. |
IN, in | Partial match against any of several comma-separated values. For example, "HKLM\SYSTEM,HKLM\SOFTWARE" matches targets under either hive path. |
Query fields
The tables below list the fields which you can use in your query expressions.
Process fields: Use these fields to qualify a process based upon its properties.
Field | Description |
process.filename | Filename of the process. |
process.pid | Process identifier of the process. |
process.command | Command line for the process. |
process.image | Process path for the process. |
process.username | Name of the user creating the process. |
process.utc | Start time of a process in UTC. |
process.exit_utc | Exit time of a process in UTC. |
process.raw_event | Raw event of the process creation. |
process.child_count | Number of direct children of the process. |
process.md5 | MD5 hash of the process. |
process.sha256 | SHA256 hash of the process. |
Parent process fields: Use these fields to qualify a process based upon the parent process which spawned it.
Field | Description |
parent_process.filename | Filename of the parent process. |
parent_process.pid | Process identifier of the parent process. |
parent_process.ppid | Process identifier of the parent process's own parent (the grandparent of the process). |
parent_process.command | Command line for the parent process. |
parent_process.image | Process path for the parent process. |
parent_process.username | Name of the user creating the parent process. |
parent_process.utc | Start time of the parent process in UTC. |
parent_process.exit_utc | Exit time of the parent process in UTC. |
parent_process.raw_event | Raw event of the parent process creation. |
parent_process.md5 | MD5 hash of the parent process. |
parent_process.sha1 | SHA1 hash of the parent process. |
parent_process.sha256 | SHA256 hash of the parent process. |
Library fields: Use these fields to qualify a process based upon the libraries that it loaded.
Field | Description |
library.filename | File name of the library loaded by a process. |
library.file_path | File path of the library loaded by a process. |
library.utc | Time at which the library was loaded by the process, in UTC. |
library.raw_event | Raw event of the library load. |
library.md5 | MD5 hash of the library. |
library.sha1 | SHA1 hash of the library. |
library.sha256 | SHA256 hash of the library. |
Action fields: Use these fields to qualify a process based upon an action that it took (that is, a file or registry action, or cross-process activity).
Field | Description |
action.count | Number of file or registry actions performed by the process. |
action.type | Type of the action: file or registry. |
action.target | Target of the action: a registry key, a file name, or the target process for cross-process activity. |
action.raw_event | Raw event of the action. |
action.utc | Time of the file or registry action by the process, in UTC. |
Network fields: Use these fields to qualify a process based upon the network connections that it is associated with.
Field | Details |
network.count | Number of network connections associated with a process. |
network.src_ip | Source IP of the network connection. |
network.src_port | Source port of the network connection. |
network.dst_ip | Destination IP of a network connection. |
network.dst_port | Destination port of a network connection. |
network.initiated | 1 if the process initiated the connection (outbound); 0 if the connection terminated at the process (inbound). |
network.protocol | Protocol used for the network connection. |
network.utc | Network connection time by the process in UTC. |
DNS fields: Use these fields to qualify a process based upon DNS lookups that it performed.
Field | Details |
dns.hostname | Hostname looked up by the process. |
dns.raw_event | Raw event of the DNS lookup. |
dns.utc | DNS lookup time by the process in UTC. |
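The operator and field tables above describe a filter language but not its grammar. The following Python is an added reference evaluator for exactly the operators listed above, run over three constructed process records; it is not DeepTrace's own code. It assumes double-quoted string literals (as in the IN example), case-insensitive word operators and string matching, that && binds tighter than ||, no parentheses (none are documented), and that a record field may hold a list when a process has several values (for instance several dns.hostname lookups). Equality (=) and strict less-than (<) are not in the table, so the evaluator rejects them rather than guessing:

```python
import re
from datetime import datetime

# Added reference evaluator for the operators documented above; not DeepTrace's own code.
# Assumptions: string literals are double-quoted; word operators and string matching are
# case-insensitive; && binds tighter than ||; no parentheses (none are documented); a field
# may hold a list when a process has several values, and a list matches if any element does.
_TOKEN = re.compile(r"""(?P<and>&&)|(?P<or>\|\|)
    |(?P<op>!=|>=|<=|>|~|(?:NE|GT|LE|GE|CONTAINS|LIKE|BEGINS|ENDS|IN)(?![\w.]))
    |(?P<str>"[^"]*")|(?P<num>\d+(?:\.\d+)?)|(?P<field>[a-z_]+\.[a-z_]+)|(?P<bad>\S)""",
    re.VERBOSE | re.IGNORECASE)
# Every spelling in the operator table, mapped to one canonical name, and its semantics.
_CANON = {"!=": "ne", "ne": "ne", ">": "gt", "gt": "gt", "<=": "le", "le": "le",
          ">=": "ge", "ge": "ge", "~": "contains", "contains": "contains",
          "like": "contains", "begins": "begins", "ends": "ends", "in": "in"}
_OPS = {"ne": lambda a, e: a != e, "gt": lambda a, e: a > e, "le": lambda a, e: a <= e,
        "ge": lambda a, e: a >= e, "contains": lambda a, e: e in a,
        "begins": lambda a, e: a.startswith(e), "ends": lambda a, e: a.endswith(e),
        "in": lambda a, e: any(x.strip() in a for x in e.split(",") if x.strip())}  # partial matches


def tokenize(query):
    """Split a query into (kind, text) tokens; whitespace is skipped, anything else is rejected."""
    tokens = []
    for m in _TOKEN.finditer(query):
        if m.lastgroup == "bad":
            raise ValueError(f"bad token at offset {m.start()}: {query[m.start():m.start() + 12]!r}")
        tokens.append((m.lastgroup, m.group()))
    return tokens


def parse(query):
    """expr := term ('||' term)* ; term := cond ('&&' cond)* ; cond := field op value"""
    toks, i = tokenize(query), 0

    def cond():
        nonlocal i
        kinds = [t[0] for t in toks[i:i + 3]]
        if kinds[:2] != ["field", "op"] or kinds[2:] not in (["str"], ["num"]):
            raise ValueError(f"expected 'field op value' at token {i}")
        field, op, val = (t[1] for t in toks[i:i + 3])
        i += 3
        value = val[1:-1] if val.startswith('"') else (float(val) if "." in val else int(val))
        return ("cond", field.lower(), _CANON[op.lower()], value)

    def chain(kind, sub):  # left-to-right sequence of `sub` joined by the && or || token
        nonlocal i
        parts = [sub()]
        while i < len(toks) and toks[i][0] == kind:
            i += 1
            parts.append(sub())
        return (kind, parts)

    ast = chain("or", lambda: chain("and", cond))
    if i != len(toks):
        raise ValueError(f"unexpected token {toks[i][1]!r}")
    return ast


def _match_one(op, actual, expected, is_time):
    if is_time:  # .utc fields hold ISO-8601 strings; compare them as datetimes
        actual, expected = (datetime.fromisoformat(str(v).replace("Z", "+00:00"))
                            for v in (actual, expected))
    elif op in ("gt", "le", "ge"):
        actual, expected = float(actual), float(expected)
    elif op != "ne":  # string operators compare case-insensitively (Windows paths)
        actual, expected = str(actual).lower(), str(expected).lower()
    return _OPS[op](actual, expected)


def evaluate(node, record):
    """Evaluate a parsed query against one process record (a flat field -> value dict)."""
    if node[0] in ("or", "and"):
        return (any if node[0] == "or" else all)(evaluate(n, record) for n in node[1])
    _, field, op, expected = node
    if field not in record:  # a field the record lacks never matches
        return False
    values = record[field] if isinstance(record[field], list) else [record[field]]
    return any(_match_one(op, v, expected, field.endswith("utc")) for v in values)


def search(query, records):
    """Return the process.pid of every record matching the query, in input order."""
    ast = parse(query)
    return [r["process.pid"] for r in records if evaluate(ast, r)]


# Constructed sample records in the shape the evaluator expects, not real telemetry.
SAMPLE_PROCESSES = [
    {"process.filename": "powershell.exe", "process.pid": 4812,  # Word -> hidden encoded PowerShell
     "process.command": "powershell.exe -nop -w hidden -enc SQBFAFgA", "process.utc": "2024-03-04T09:15:02Z",
     "parent_process.filename": "WINWORD.EXE", "parent_process.pid": 3120, "network.count": 2,
     "dns.hostname": ["cdn.example.net"], "network.dst_ip": ["203.0.113.10", "203.0.113.11"],
     "action.target": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"]},
    {"process.filename": "powershell.exe", "process.pid": 5200,  # admin at an interactive console
     "process.command": "powershell.exe Get-Service", "process.utc": "2024-03-04T09:20:00Z",
     "parent_process.filename": "cmd.exe", "parent_process.pid": 5100, "network.count": 0},
    {"process.filename": "svchost.exe", "process.pid": 900,  # service host writing under HKLM\SYSTEM
     "parent_process.filename": "services.exe", "parent_process.pid": 700, "network.count": 0,
     "action.target": [r"HKLM\SYSTEM\CurrentControlSet\Services\Netsvc\Parameters"]},
]

if __name__ == "__main__":  # Office child that talks to the network: the classic macro-dropper shape
    print(search('process.filename ~ "powershell" && parent_process.filename ENDS "winword.exe"'
                 ' && network.count > 0', SAMPLE_PROCESSES))
```

The IN example from the operator table runs as `search('action.target IN "HKLM\\SYSTEM,HKLM\\SOFTWARE"', SAMPLE_PROCESSES)` and returns only the svchost record, because IN is a partial match against each comma-separated alternative rather than an exact set membership test. Note that an unquoted value such as `~ powershell` is rejected, and that a bare `winword.exe` would be tokenised as a field name, which is why the values above are quoted.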
Streaming data
Once you have submitted your search, the search is queued and then executed in the background on the server.
...
The contents of each section are listed below. Note that some content is only available when DeepTrace is deployed in Standalone mode rather than integrated with a Devo deployment.
Section | Contents |
Device Management | ... |
Download Events Forwarded Installer | ... |
Analysis | ... |
System | ... |