Versions Compared

Old Version 4

changes.mady.by.user Borja Moro Moreno

Saved on

compared with

New Version Current

changes.mady.by.user Borja Moro Moreno

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel1
maxLevel2
typeflat

...

Overview

The Entity Analysis provides the analyst with a set of metrics for investigation: the number of Behavior Alerts, the number of SecOps Alerts, the number of Total Alerts, the Most Critical Alerts, and Related Entities.

The MITRE tactics and MITRE technique widgets help you to better understand the entity’s progression towards its increased risk. The MITRE tactics page display the tactics associated with the SecOps or Behavioral Alerts, while the MITRE techniques page display the techniques associated with the alerts. Use these pages to see how the entity has progressed in the ATT&CK framework and craft an attacker story. 

A timeline view of the entity’s risk score is also displayed. In our example further down, Pablo Reyes performed some actions on February 23rd that set off alerts that significantly increased her risk score. 

  • Visualization of Entity Risk Score over time: 

...

  • Visualization of Entity MITRE ATT&CK Tactics over time: 

...

  • Visualization of Entity MITRE ATT&CK Techniques by risk:  

...

Investigation

Since Tina Frederick was identified as the highest risk entity in the Entity Dashboard, we double down into her entity page to further investigate the root cause of the entity’s high risk score. To begin investigating Tina, first choose the time range you would like to see at the very top of the page (we have chosen a 7-day time frame). The time range is reflected in the entity’s timeline and alert histories displayed. 

The MITRE tactic graph displayed above displays time on the X axis and the specific MITRE tactic on the Y axis. The bubbles in the graph display the amount of times that the tactic showed up for the specific time frame. For instance, in the example above, persistence was a frequently shown tactic on February 23rd. 

The MITRE technique page is color coded based on the risk score of the individual techniques. There is a table of contents that displays what each of the colors mean, with blue being the most benign and red being the most malicious. 

Alerts History

The Alerts History section of the page allows the user to see the original SecOps and Behavioral Alerts alerts that were triggered. The alerts are, by default, sorted by ascending order of alerts by time. Users can sort the alerts by several categories, including priority, risk score, and category. Once you access an entity, you can find a summary with the the most relevant metrics: Risk Score (Last 7d), Risk Group, number of Alerts & Signals (broken down by criticality, as well as by type -Behavior, SecOps, Risk Based), number of Behavior Signals, and Associated Entities. You can also find a chart with the Risk Score over time.

...

Clicking the arrow beside the Associated Entities will open a panel on the right, which shows them as a list that can be filtered and interacted with to access other entities.

...

Visualization

At the top left of the bottom area, there’s an expandable menu to select the desired visualization mode.

...

Timeline view

The timeline view displays triggered alerts sorted by time, showing the most recent first. Users can filter alerts by several categories, including name, risk level, category, tactic, and technique. To further investigate the alert, users can click on toggle at the very right of the alert name to query the alert inside their Query App. 

...

...

Info provided in…

Description

FieldsRows

  • Time:

The

  • the time frame when the

alert The name of the alert.

  • alerts happened.

Name

  • Number of alerts per type: the total number of alerts triggered for each type.

Left column

  • Alert name: SecOps alerts will have the SecOps alert title, otherwise behavior alerts will be titled by their model name.

 

Priority

This is the priority of the alert.

Category

Whether

  •  Alert category: below the alert name, it is shown whether the alert is a SecOps, Risk-based, or Behavior Alert.

Tactic or Technique

The Mitre Tactics or Techniques that are associated with the alert. 

Related entities

Other entities that are associated with the particular alert. 

...

  • Times triggered: the number of times the alert has been triggered, indicated by a balloon next to the name.

Middle column

  • Priority: the priority level of the alert color-coded accordingly (Informational-grey, Medium-yellow, High-orange, Critical-red).

  • Risk score: the numerical risk score the alert reached.

Right column

  • Times triggered: the number of times each alert has been triggered (and the total at the top).

Within the Timeline you can expand each alert to drill down and get more details about the alert definition and associated context gathered when the alert triggered. The alert can be expanded accessed to quickly show the description of what the alert is detecting, its LINQ query, and the associated data that contains other valuable context. If you want to drill down further into the alert you can click on the magnifying glass button to pivot into Devo’s data search window to view the raw events that triggered the alert.

Search for entities

There is an Entity Search box at the top of every page. Simply type a few characters and entities with be shown in a list below as you type. Clicking an entity name in the results will navigate to the Entity Details page for that entity.

...

Mitre view

The MITRE view helps you to better understand the entity’s progression towards its increased risk. It overlays the entity’s alerts over the MITRE matrix, with the tactics and techniques related to the triggered alerts. Use this view to see how the entity has progressed in the ATT&CK framework and craft an attacker story.

...

Techniques will be highlighted and color-coded according to the triggered alerts related to each of them. Clicking on a detected technique will open a side panel to provide info about the subset of alerts matching that technique.

To help you navigate the matrix, you have a checkbox at the top right to filter out undetected tactics and techniques. At the top left, you have zoom buttons for a more user-friendly interaction.

Associations view

The Associations view displays the set of associated entities in a node-link graph. Each node represents an entity. Each link between entities indicates that the pair of entities were both involved in the same alert or signal.

...

Hovering over an entity reveals two buttons:

  • Load Connections (“+”): click this button to search for more entities associated with the entity in question. If any are found, those entities will be added to the graph. 

  • Go To Entity Analysis (“>”): click this button to navigate the details page for the entity in question.

...

At the bottom left of the Associations view, there is a blue box with the count of entities included in the graph. Clicking it reveals a side panel listing them in a table format. From this table, you can customize the graph by checking the boxes of the entities you want to show (maximum of 500).

...

Investigation

Since an entity was identified as the highest risk entity in the Entity Dashboard, we double down into her entity page to further investigate the root cause of the entity’s high risk score. To begin investigating, first choose the time range you would like to see at the very top of the page (we have chosen a 7-day time frame). The time range is reflected in all the views.

You can use the Timeline view to portray a chronological framework for the entity and its alerts. You can use the MITRE view to contextualize the entity and its alerts within the MITRE framework to identify its characteristics. You can use the Associations view to identify how far the entity can expand by proximity with other entities.