
...

What permissions do you need to use DeepTrace?

To access DeepTrace and use its features in Devo, you need a specific permission, as well as other satellite permissions to access the areas where these features are used:

...

There are two different ways to start sending events and alerts with Devo DeepTrace:

New alert definition

...

You can activate auto-investigation in DeepTrace when creating a new alert definition from the Data search tab. Once the table is open, click the alert icon to create a new alert definition and select Auto-investigate in DeepTrace.

...

Info

Auto-investigate in DeepTrace

DeepTrace does not allow grouping tables. When you click Auto-investigate in DeepTrace, the auto-investigation query opens your query without grouping. Here you can also modify the query that is going to be investigated by DeepTrace.

rawMessage field required

The rawMessage field must be included in the Auto-Investigation query definition (select rawMessage), even if it's not in the alert definition query. Otherwise, DeepTrace will not trigger an investigation even though the alert itself was triggered.

Data search

...

You can select suspicious events and send them to DeepTrace for investigation by clicking on the Engine tool button → New → Investigate in DeepTrace. You can also drag the DeepTrace icon from the tools to the main bar.

You can select one or more events from the table to send them to DeepTrace, or right click on the event to send it.

...

The DeepTrace icon remains in the toolbar if you log out or change domain; otherwise, it is removed.

Info

Why can't I see that option?

This option is only available when there is no grouping and at least one event is selected in the table.

Checking investigation status

Once the alert definition is created, you can see the status of the alert by clicking on the Alerts or DeepTrace tabs in the navigation pane:

DeepTrace tab

...

Click DeepTrace in the navigation pane. A new browser window opens showing you the DeepTrace user interface.

...

Alerts tab

...

Click Alerts in the navigation pane. Check the Trace status column to see the status of your alert. You can also click on the DeepTrace icon that appears in the Action column to open DeepTrace.

...

There are four possible values for the alert auto-investigation status:

...

When clicking on a trace ID or title, the Trace page opens to show you the details of that trace.  A trace is the result of an autonomous investigation that detected suspicious activity. The Trace page shows both information about the trace and the data captured by the trace. 

Trace information

[Image: The header of the Trace page]

The layout of the Trace page is divided into several sections:

  • Trace header

  • Trace data filters

  • Trace time chart

  • Trace data views

  • Trace Details

Each of these sections is described in detail below.

Trace header

The header of the Trace page displays information about the trace itself, such as:

  • the trace ID and title

  • the start date and end date of the trace (the dates of the first and last events included in the trace)

  • the number of devices involved in the trace activities

  • the number of triggers which caused the trace to be generated (click here to view a list of the triggers)

  • the total count of evidence that was generated by the trace

  • the trace status

  • the severity of the trace (derived from the severity of all the evidence included in the trace)

Trace data filters

Trace data generally consists of a set of observed events (“activities”) and their corresponding “evidence”—that is, DeepTrace’s analysis of those activities. The Trace page can show this data in four views:  

  • Summary

  • MITRE

  • Processes

  • Timeline

Each of these views is available as a tab near the top of the Trace page. Click any of these tabs to toggle between the views.

Trace Summary view

Click the Summary tab in the Trace page to view a summary of the trace data. Unlike other trace views, the summary view does not show all of the activity and evidence discovered by the trace. Instead, the summary view emphasizes the devices where the riskiest activities were detected. 

The dataset for this view is derived by first computing cumulative risk scores for each device in the trace based on the corresponding evidence. Then the dataset is filtered to highlight the top devices by risk score.

Below the Trace page header are a set of UI controls for filtering the Trace evidence:

  • Summarize: The Summarize button enables you to apply a smart filter to the evidence with just one click. When Summarize is turned on, only the evidence with the most cumulative weight is shown. The summarized dataset is derived by first computing cumulative risk scores for each device in the trace based on the corresponding evidence. Then the dataset is filtered to highlight the top devices by risk score. In some cases, lower-risk evidence may also be included in order to preserve connections between devices.
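As an added illustration of the logic the Summarize description sketches (this is example code written for this page, not DeepTrace's own implementation or scoring model), the following Python computes a cumulative risk score per device, keeps the top devices by score, and additionally retains lower-risk network-connection evidence that points into a kept device so the connections between devices survive the cut. The severity weights, the Evidence record, the top_n cutoff, the rule for which connection evidence to retain and the trace data itself are all constructed assumptions; the trace severity helper follows the page's statement that trace severity is derived from the severity of its evidence.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed severity weights; DeepTrace's real scoring is not documented on this page.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}


@dataclass(frozen=True)
class Evidence:
    ts: int                      # seconds since the start of the trace
    device: str                  # device on which the activity was observed
    severity: str                # one of SEVERITY_WEIGHT's keys
    description: str
    target: Optional[str] = None  # set only for network-connection evidence


# Constructed sample trace (hypothetical hosts and activity, not real data).
TRACE = [
    Evidence(10, "ws-01", "high", "office macro spawned a shell"),
    Evidence(20, "ws-01", "critical", "credential access against lsass"),
    Evidence(35, "ws-01", "low", "smb connection", target="fs-02"),
    Evidence(40, "fs-02", "medium", "remote service created"),
    Evidence(55, "fs-02", "low", "rdp connection", target="dc-01"),
    Evidence(60, "dc-01", "high", "replication request from non-DC"),
    Evidence(70, "ws-07", "low", "scheduled task enumeration"),
    Evidence(75, "ws-07", "low", "http connection", target="ws-01"),
    Evidence(80, "print-03", "low", "new local user created"),
]


def device_risk_scores(evidence):
    """Cumulative risk score per device: the sum of the weights of its evidence."""
    scores = defaultdict(int)
    for e in evidence:
        scores[e.device] += SEVERITY_WEIGHT[e.severity]
    return dict(scores)


def trace_severity(evidence):
    """Severity of the whole trace: the highest severity among its evidence."""
    return max(evidence, key=lambda e: SEVERITY_WEIGHT[e.severity]).severity


def summarize(evidence, top_n=2):
    """Keep evidence for the top_n devices by risk score, plus connection evidence
    from any device into a top device (assumed rule for preserving connections)."""
    scores = device_risk_scores(evidence)
    top = set(sorted(scores, key=lambda d: (-scores[d], d))[:top_n])
    kept = [e for e in evidence if e.device in top or e.target in top]
    return sorted(kept, key=lambda e: e.ts)   # evidence table is chronological


if __name__ == "__main__":
    print("trace severity:", trace_severity(TRACE))
    for e in summarize(TRACE, top_n=2):
        print(f"{e.ts:>3}s {e.device:<9} {e.severity:<8} {e.description}")
```

With the constructed data, ws-01 (score 18) and dc-01 (score 7) are the top two devices; the summary keeps their evidence and also the low-severity rdp connection from fs-02 into dc-01 and the http connection from ws-07 into ws-01, so the graph still shows how the other devices reach the riskiest ones.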

The resulting dataset is visualized in three ways:

  • A time series chart which shows the distribution of evidence found over the duration of the trace. This provides you with insight regarding the trend of the evidence.

  • A network graph where each graph node is a device and each graph link is a network connection from one device to another. This provides you with insight regarding the topology of the evidence.

  • A table of evidence which provides you with descriptive text and other details for each piece of evidence, in chronological order.

...

Note that all three components use color coding to indicate the severity of the evidence, ranging from blue (low) to red (high). 

Additionally, the summary view supports ad-hoc filtering of evidence:

  • To filter the evidence by time, drag your mouse over a slice of the time series chart. This filters the evidence by the selected time range.

  • Keyword search: Use the textbox to search the evidence by keyword. Examples of valid keywords include usernames, host names, process names, domains, port numbers and file hashes.

  • Metadata filters: To filter evidence by metadata, use the metadata dropdowns above the time chart.

...

Each piece of evidence is associated with metadata (e.g., device, domain, process, username, tactic, technique, etc.). Use the metadata dropdowns to filter for evidence based on its metadata. Your metadata selections will be applied simultaneously to the time chart, the network graph and the evidence table.

...

  • To filter the evidence by device, click on a node in the graph. This filters the table to show the evidence for the selected device.

...

Trace time chart

Below the trace filters is a time chart which shows the distribution of evidence found over the duration of the trace. This provides you with insight regarding the trend of the evidence.

  • To filter the evidence by time, drag your mouse over a slice of the time chart. This will filter the evidence displayed below the time chart in the trace views and Details panel by the selected time range.

...

  • To filter evidence by metadata, use the metadata dropdowns above the time series chart.

...

Each piece of evidence is associated with metadata (device, domain, process, username, tactic, technique, etc.). Use the metadata dropdowns to filter for evidence based on its metadata. Your metadata selections are applied simultaneously to the time series chart, the network graph, and the evidence table.

Trace MITRE view

Click the MITRE tab in the Trace page to view the trace evidence mapped onto the MITRE ATT&CK Matrix for Enterprise. The matrix is an industry-standard categorization of adversary tactics and techniques. Across the top of the matrix are the MITRE tactics. Underneath each tactic are the MITRE techniques that correspond to that tactic. 

The Trace MITRE view is composed of two components:

  • A time series chart which shows the distribution of evidence found over the duration of the trace. This provides you with insight regarding the trend of the evidence.

  • A tactic & technique matrix where each technique that was detected by the trace is shown color coded by the highest severity of the corresponding evidence, along with a badge displaying the evidence count. Techniques for which no evidence was detected are shown as grayed out.

...

Click on Show Detected Techniques Only to see only the techniques for which some evidence was detected. This is a useful way to make the matrix more compact and easier to read.

...

Clicking on an individual technique shows you the corresponding evidence for that technique.

...

As in the other trace data views, the MITRE view supports ad-hoc filtering of evidence:

  • To filter the evidence by time, drag your mouse over a slice of the time series chart. This filters the matrix’s evidence by the selected time range.

  • To filter evidence by metadata, use the metadata dropdowns above the time series chart.

...

Each piece of evidence is associated with metadata (device, domain, process, username, etc.). Use the metadata dropdowns to filter for evidence based on its metadata. Your metadata selections are applied simultaneously to the time series chart and the matrix.

Trace Processes view

Click the Processes tab in the Trace page to view the trace evidence mapped onto the process trees of the monitored devices involved in the trace.

...

Trace details

The area below the Trace time chart is divided into two sections:

  • On the left: Trace data views – visualizations of the trace evidence.

  • On the right: Trace Details panel – the data from which the visualizations are generated.

The Trace details panel contains 3 tabs:

  • Evidence tab: Shows the evidence in a simple list format sorted chronologically. Click on any evidence in the list to view additional information for that evidence, such as the process command line.

  • Processes tab: Use this tab to browse the data by process first, then click on any process to view the evidence for that process.

  • Triggers tab: A list of the triggers that caused this Trace to be generated.

Trace data views

Trace data generally consists of a set of observed events (“activities”) and their corresponding “evidence”—that is, DeepTrace’s analysis of those activities. The Trace page can show this data in six views:  

  • Attack Chain

  • Network

  • Sequence

  • MITRE

  • Processes

  • Timeline

Each of these views is available as a tab near the top of the Trace page. Click any of these tabs to toggle between the views.

Trace Attack Chain view

Click the “Attack Chain” tab to view the evidence in chronological order along a single linear chain. Attack Chain view provides a concise overview of the evidence in the Trace. 

...

Use the buttons near the top-left corner of Attack Chain view to zoom in & out, toggle the evidence descriptions and customize the number of columns in the display. Click the evidence in the Attack Chain view to filter the Details panel by that selected evidence.

Trace Network view

Click the “Network” tab to view a network graph where each graph node is a device and each graph link is a network connection from one device to another. This provides you with insight regarding the topology of the evidence.

...

Note that the Network graph uses color coding to indicate the severity of the evidence, ranging from blue (low) to red (high). 

Additionally, the Network view supports ad-hoc filtering of evidence in the Details panel:

  • To filter the evidence by device, click on a node in the graph. This filters the table to show the evidence for the selected device.

...

  • To filter the evidence by a network connection, click on a link in the graph.

...

Trace Sequence view

Click the “Sequence” tab in the Trace page to view the trace evidence laid out chronologically across the monitored devices involved in the trace.

The processes view identifies the cohort commands and relationship graph executed by the offending user or malware out of the thousands of processes that executed within the device and were associated with the trace. This helps to quickly review the attack’s footprint.

The processes view comprises three components:

  • A time series chart which shows the distribution of evidence found over the duration of the trace. This provides you with insight regarding the trend of the evidence.

  • A process graph where each graph node is a process implicated in the trace. Arrows point from parent processes to the child processes which they spawned.  This provides you with insight regarding dependencies.

  • A list of evidence which provides you with command lines, descriptive text and other details for each piece of evidence, in chronological order.

...

Note that all three components use color coding to indicate the severity of the evidence, ranging from blue (low) to red (high). 

The process graph shows the process tree for a single device at a time. Use the dropdown in the top-left corner of the graph to pick the device that you wish to view the process tree for.

...

The process graph visualizes the process tree as a set of nodes in a hierarchical layout. Processes are shown as rectangular nodes. For additional context, network connections are also included in the graph; the connection targets are shown as round nodes.  Arrows connect parent processes to the child processes they have spawned and/or the network targets they have initiated connections to.

...

The process tree can include additional nodes in order to provide context or to preserve the integrity of the graph. These processes might not have any corresponding evidence and are shown as grayed out.

Use the buttons in the top-right corner of the process graph to manipulate the graph display:

  • Show Vertical Layout: Toggles the graph orientation from horizontal to vertical.

  • Show Network Connections Only: When turned on, only the processes which were involved in network connections are highlighted. Other processes are grayed out.

  • Show Cross Process Activity Only: When turned on, only the processes which were involved in cross process activity (either as the initiator or the target) are highlighted. Other processes are grayed out.

  • Show Condensed Layout: This option is a useful way to make the graph more compact and easier to understand at a high level. When turned on, sibling graph nodes are merged together if any of the following holds:

    (a) they are processes which share the same process filename; or

    (b) they are network connection targets which share the same hostname or domain; or

    (c) they are network connection targets which share the first 3 octets of their IPv4 addresses.

As in the other trace views, the processes view supports ad-hoc filtering of evidence:

  • To filter the evidence by time, drag your mouse over a slice of the time series chart. This filters the process graph and the evidence list by the selected time range. Note that graph nodes become grayed out once they are filtered out; they are not removed from the graph in order to preserve the graph’s hierarchical integrity. 

  • To filter the evidence by a specific process, click on a process node in the process graph. This filters the list to show the evidence for the selected process. If you click on a process which is not associated with any evidence, then no evidence will be shown in the list but you can still view process details, such as the command line, process ID and other properties.

  • To filter the evidence by metadata, use the metadata dropdowns above the time series chart.

...

Each piece of evidence is associated with metadata (device, domain, process, username, tactic, technique, etc.). Use the metadata dropdowns to filter for evidence based on its metadata. Your metadata selections are applied simultaneously to the time series chart, the process graph, and the evidence list. Similar to filtering by time, when graph nodes are filtered out by metadata they become grayed out; they are not removed from the graph in order to preserve the graph’s hierarchical integrity. 

Trace Timeline view

Click the Timeline tab in the Trace page to view all the trace evidence in a single chronological linear display.

Unlike the summary view which only shows some of the trace evidence, the timeline view allows you to browse all the evidence generated by the trace. Unlike the processes view which only shows data for one device at a time, the timeline view shows the evidence across all the monitored devices implicated in the trace in a single view.

The timeline view comprises two components:

  • A time series chart which shows the distribution of evidence found over the duration of the trace. This provides you with insight regarding the trend of the evidence.

  • A list of evidence which provides you with command lines, descriptive text and other details for each piece of evidence, in chronological order. 

...

The evidence list is shown in a vertical linear layout. The evidence is grouped by process.

In Sequence view, the evidence is laid out chronologically as a sequence diagram across multiple columns, one column per each device where evidence was found. Evidence of a network connection is rendered on an arrow stretching from the column of the source device to the column of the target device. As a result, Sequence view tends to draw more attention to network connections, making it a suitable view for observing lateral movement. Network view also emphasizes network connections; however, Network view does not indicate chronology. In contrast, Sequence view has both a time axis (vertical) and a spatial axis (horizontal).

...

Use the buttons near the top-left corner of Sequence view to zoom in & out and toggle the evidence descriptions in the display. Click the evidence in the Sequence view to filter the Details panel by that selected evidence.

Trace MITRE view

Click the MITRE tab in the Trace page to view the trace evidence mapped onto the MITRE ATT&CK Matrix for Enterprise. The matrix is an industry-standard categorization of adversary tactics and techniques. Across the top of the matrix are the MITRE tactics. Underneath each tactic are the MITRE techniques that correspond to that tactic. 

The Trace MITRE view is composed of a tactic & technique matrix where each technique that was detected by the trace is shown color coded by the highest severity of the corresponding evidence, along with a badge displaying the evidence count. Techniques for which no evidence was detected are shown as grayed out.

...

Click on Show Detected Techniques Only to see only the techniques for which some evidence was detected. This is a useful way to make the matrix more compact and easier to read.

...

Trace Processes view

Click the Processes tab in the Trace page to view the trace evidence mapped onto the process trees of the monitored devices involved in the trace.

The processes view identifies the cohort commands and relationship graph executed by the offending user or malware out of the thousands of processes that executed within the device and were associated with the trace. This helps to quickly review the attack’s footprint. Each graph node is a process implicated in the trace. Arrows point from parent processes to the child processes which they spawned.  This provides you with insight regarding dependencies.

...

Note that the process graph uses color coding to indicate the severity of the evidence, ranging from blue (low) to red (high). 

The process graph shows the process tree for a single device at a time. Use the dropdown in the top-left corner of the graph to pick the device that you wish to view the process tree for.

...

The process graph visualizes the process tree as a set of nodes in a hierarchical layout. Processes are shown as rectangular nodes. For additional context, network connections are also included in the graph; the connection targets are shown as round nodes.  Arrows connect parent processes to the child processes they have spawned and/or the network targets they have initiated connections to.

...

The process tree can include additional nodes in order to provide context or to preserve the integrity of the graph. These processes might not have any corresponding evidence and are shown as grayed out.

Use the buttons in the top-right corner of the process graph to manipulate the graph display:

  • Show Vertical Layout: Toggles the graph orientation from horizontal to vertical.

  • Show Network Connections Only: When turned on, only the processes which were involved in network connections are highlighted. Other processes are grayed out.

  • Show Cross Process Activity Only: When turned on, only the processes which were involved in cross process activity (either as the initiator or the target) are highlighted. Other processes are grayed out.

  • Show Condensed Layout: This option is a useful way to make the graph more compact and easier to understand at a high level. When turned on, sibling graph nodes are merged together if any of the following holds:

    (a) they are processes which share the same process filename; or

    (b) they are network connection targets which share the same hostname or domain; or

    (c) they are network connection targets which share the first 3 octets of their IPv4 addresses.
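The three merge rules of the condensed layout (listed in both the earlier and this version of the button table) amount to a sibling-grouping pass over the process tree. The following Python is an added example written for this page, not DeepTrace's code: it walks a small constructed tree of process and network-target nodes and folds siblings that share a process filename, a hostname or domain, or the first three octets of an IPv4 address. The Node type, the "last two DNS labels" approximation of "domain", and the sample tree are assumptions; IPv6 targets are deliberately left unmerged because rule (c) speaks only of IPv4.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Node:
    kind: str                 # "process" or "target" (network connection target)
    label: str                # process filename, hostname, or IP address literal
    children: List["Node"] = field(default_factory=list)
    merged: int = 1           # how many sibling nodes were folded into this one


def condense_key(node: Node):
    """Grouping key implementing rules (a), (b) and (c) of the condensed layout."""
    if node.kind == "process":
        return ("process", node.label.lower())            # rule (a): same filename
    try:
        addr = ipaddress.ip_address(node.label)
    except ValueError:
        labels = node.label.lower().rstrip(".").split(".")
        # rule (b): assumption for this example, "domain" = last two DNS labels
        return ("domain", ".".join(labels[-2:]))
    if addr.version == 4:
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        return ("ipv4/24", str(net))                      # rule (c): first 3 octets
    return ("ipv6", str(addr))   # IPv6 is outside rule (c): never merged


def condense(node: Node) -> Node:
    """Return a condensed copy of the tree; the input tree is left untouched."""
    groups = {}   # insertion-ordered, so the first sibling of each group keeps its place
    for child in node.children:
        key = condense_key(child)
        if key in groups:
            rep = groups[key]
            rep.children.extend(child.children)   # merged siblings pool their children
            rep.merged += 1
        else:
            groups[key] = Node(child.kind, child.label, list(child.children), child.merged)
    return Node(node.kind, node.label, [condense(rep) for rep in groups.values()], node.merged)


def node_count(node: Node) -> int:
    return 1 + sum(node_count(c) for c in node.children)


# Constructed sample process tree for one device (hypothetical hosts and addresses).
SAMPLE_TREE = Node("process", "explorer.exe", [
    Node("process", "cmd.exe", [
        Node("process", "whoami.exe"),
        Node("process", "net.exe"),
        Node("target", "10.0.5.10"),
        Node("target", "10.0.5.22"),
        Node("target", "10.0.9.1"),
        Node("target", "api.example.com"),
        Node("target", "cdn.example.com"),
        Node("target", "2001:db8::1"),
        Node("target", "2001:db8::2"),
    ]),
    Node("process", "cmd.exe", [Node("process", "net.exe")]),
])


def render(node: Node, depth: int = 0) -> str:
    suffix = f" (x{node.merged})" if node.merged > 1 else ""
    lines = ["  " * depth + node.label + suffix]
    for c in node.children:
        lines.append(render(c, depth + 1))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_TREE))
    print("---- condensed ----")
    print(render(condense(SAMPLE_TREE)))
```

On the sample tree the two cmd.exe siblings fold into one node, their two net.exe children fold, 10.0.5.10 and 10.0.5.22 fold under the /24, the two example.com hosts fold, while 10.0.9.1 and the two IPv6 targets stay separate, taking the tree from 13 nodes to 9.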

As in the other trace views, the processes view supports ad-hoc filtering of evidence in the Details panel. To filter the evidence by a specific process, click on a process node in the process graph. This will filter the list to show the evidence for the selected process. If you click on a process which is not associated with any evidence, then no evidence will be shown in the list but you can still view process details, such as the command line, process ID and other properties.

Trace Timeline view

Click the Timeline tab in the Trace page to view all the trace evidence in a single chronological linear display.

...

The evidence list is shown in a table layout and ordered chronologically. For each process that generated evidence, the display shows the following information:

...

To conserve space, additional process information is not shown initially but can be revealed by expanding the process’s display. Click the arrow to the left of the process filename to expand that process’s display and reveal:

  • The local username used to execute the process.

  • The full path of the process file.

  • Hashes (MD5, SHA-1, SHA-256) of the process executable.

  • Any additional evidence generated for that process by this trace, in chronological order.

You can click individual arrows to expand/collapse processes one at a time, or click the Expand All button to expand/collapse all the processes simultaneously.

To the right of each process’s command line is an ellipsis button. Click the ellipsis button to find menu options pertaining to the process:

...

The process menu options include:

  • View Event Details: Click here to open a popup that displays raw event details about the process. This popup also contains tabs for searching for activities conducted by the process, such as 

    • file activity

    • registry activity

    • library loads

    • network connections

...

  • View In Device Explorer: Click here to be redirected to the Device page, where you can view the selected process in the context of the process tree for its host.

  • Whitelist: Click here to open a popup that allows you to add this process to DeepTrace’s whitelist. You will be given the choice to whitelist either the process name, full path, or command line. Whitelisted items no longer generate evidence in future autonomous investigations.

...

Additionally, the timeline view supports ad-hoc filtering of evidence:

  • To filter the evidence by time, drag your mouse over a slice of the time series chart. This filters the evidence list by the selected time range. 

  • To filter the evidence by metadata, use the metadata dropdowns above the time series chart.

Each piece of evidence is associated with metadata (device, domain, process, username, tactic, technique, etc.). Use the metadata dropdowns to filter for evidence based on its metadata. Your metadata selections are applied simultaneously to the time series chart and the evidence list.

The timeline view also supports suppressing evidence:


Ignore Evidence: Unlike ad-hoc filtering which simply shows/hides evidence from the current display, suppressing evidence is a persistent action. Once a piece of evidence is suppressed, it is no longer included in subsequent viewings of the trace.

To suppress a specific piece of evidence:

  • Click on the ellipsis button beside the evidence’s text in the timeline display. Clicking the ellipsis button opens a menu as shown below.

...

Note that, unlike ad-hoc filtering, suppressing evidence is a persistent action. Once a piece of evidence is suppressed, it will no longer be included in subsequent viewings of the trace.

Take Action: You may wish to perform some other action in response to the evidence in the trace, such as conducting lookups on the discovered hashes, IPs and domains. DeepTrace supports a set of such actions (configurable by admins).

To perform an action in response to a specific piece of evidence:

...

  • Click the Take Action button. This will open a popup with a list of response actions configured by your DeepTrace admin.

...

You may choose an action from the Actions list, input whatever parameters are required by the action, then click Take Action to invoke the action and await its results.

Devices page

The Devices page shows a list of devices that are implicated in traces within a selected time range.

...