
Triaging alerts

Alerts that match the criteria of the applied filters appear at the top of the Triage area after you click the Filter button.

After filtering alerts, users can perform the following actions:

Run an investigation from a filter

After applying a filter in the Triage area, you can create an investigation based on a group of suspicious alerts by clicking the Add to investigation button that appears at the top right corner of each group. All the alerts added to an investigation in this way will be stored in the Investigation list, which you can access by clicking the paper clip icon at the top right of the application. 

Note that the investigation will not be created until you click the paper clip icon, select the required elements, and define the required investigation. Learn more about this in the Investigations section.

Check the details of a group of alerts

After filtering alerts in the Triage area, the results include both individual alerts and groups of alerts that share entities; alerts are grouped this way to make analysis easier. For a group, the number shown in the lightning icon next to it is the number of alerts it contains.

To obtain more details about the alerts in a group, click the name of the group in the Description column. A window opens with a description in the top area and two tabs: Timeline (the view shown by default) and Associations (which you can open by clicking the button at the top right corner).

Alert states

When you open an alert in the Triage area by clicking its Description name, you are actually opening a group of alerts (the group may contain a single alert). Alerts are grouped by entities and by alert state. The state is UNREAD by default and changes to WATCHED when you select an alert in the group.

Note the difference between the state of the group and the state of each alert: if any alert in a group is UNREAD, the group is also UNREAD. You can change the state of all the alerts in a group using the selector at the top right corner.

The top part of this area shows the entities related to the group of alerts, the type of alert (Analytics in the example above), the name of the alert (Platform access in the example), the table where the alert is defined, the corresponding MITRE techniques and tactics, the message and the description.

Next to the list of related entities, you have the Add to investigation button that you can use to add this group of alerts to a new or existing investigation.

You can also open the LINQ code of the alert by clicking the corresponding icon.

Click Run query at the bottom of the window to access the Hunting area. Check the Open in a new tab option to open the query in a new browser tab.

The Timeline section contains three different areas:

  • (1) The timeline itself, which shows the evolution of the alerts during the time period indicated in the selector at the top right part of the area. Click the refresh button next to it to update the timeline. Also, you can check the Related checkbox to see other alerts related to these entities.

  • (2) The Alerts Triggered area, which shows a list of individual alerts triggered during the period selected in the timeline. Click on the alert to see the alert description at the right part. Use the buttons at the bottom to choose the number of alerts to show and navigate through the different pages. You can perform the following actions on each alert:

  • (3) The individual description of the alert, which shows the name of the alert, its criticality, date when it was triggered, message and description, entities involved, and alert state (unread, false positive, new, etc). You can also check the extra data the alert contains.

The Associations section is available in both alerts and investigations. Associations are relationships between entities, which are a basic concept in the Security Operations application. A background process extracts all the IP addresses, hostnames, URLs, and so forth (the entities) from the available sources and adds them to a multi-model database. When an entity is found for the first time, it has no association with other entities. When it is found again, in the same source or in a different one, the system starts defining its relationships in the database. Those relationships between entities are what this area shows.

The processes that collect this information are called context flows, and they constantly run queries against the union tables and against the base tables. Devo security experts configure these flows when the Security Operations app is first installed on a new domain. Note that the initial load of entities from the origin tables into the entities database takes some time, and the information is updated as new data arrives in the tables.

Entities are divided into two types, each with four subtypes: System (hostname, IP, location and URL) and User (name, email, domain and account). Entities have a relatively short TTL (time to live): one week for User-type entities and 24 hours for System-type ones. After this period, entities are deleted from the database and are no longer available in the application. However, if you access an entity, its TTL is extended for another 24 hours or another week, depending on the type.

When you click the Associations button in the alerts group description, you will see the associations of one of the group's entities, queried with the default filter values.

The graph in this area shows entities as nodes, and the relationships between them are represented with arrows. The nodes in the graph have different sizes depending on the impact. Hover over a node to see the following information: 

firstSeen

Date when the entity was first identified.

Impact

Magnitude value of the entity (1-100)

degree

The number of connections between the entity and related nodes, both incoming and outgoing.

ttl

Time to live: how long the entity remains valid. The period starts at firstSeen and is renewed each time lastSeen is updated.

lastSeen

Last time the entity was detected.

Type

The type of the entity (system or user)

There is a default query when you open the tab, and you can change the settings in the left section. These are the available visualization options of the graph, divided into two different tabs (Query filters and Graph visualization):

Query filters

Relationships

Choose to display Incoming or Outgoing associations or both.

Limit

Set the number of nodes you want to show.

Depth

Indicate the number of jumps.

Impact

Filter by impact, applying the operations to get the required results.

The impact is a value calculated for each entity when it is stored in the entities database. It is produced by an algorithm that also takes into account the number of connections the entity has. Values range from 1 to 100, where 100 is the highest impact and 1 the lowest. A high impact makes the entity's behavior more critical and is something to take into account. Nodes in the graph are bigger when the impact is higher.

Entities

Choose an entity type (system or user) and property (from the available ones), then enter a specific value in the text field to filter by and click the Add button. Keep adding the required values to apply all the specified filters by repeating this process.

Query to trigger

Check the query that will be triggered to represent the graph.


Graph visualization

Clustering

Organize the nodes in your graph according to their Impact or PCR (Producer-Consumer Ratio). Check the corresponding toggles to apply the required organization method.

Shortest Path

Enter a source and a target entity in the From and To fields and click the Search button to highlight the shortest path between those elements in the graph. You can also indicate the source and target nodes by clicking them in the graph. You will find additional info about the highlighted path in the Path Info area.

Nodes that show a + icon have incoming or outgoing relationships that are hidden by default. You can show the node relationships by right-clicking the + icon, then selecting Expand Incoming or Expand Outgoing. Note that user-type entities have only outgoing relationships.

Under the graph, you can see a timeline where you can check the history of one or several entities. Use the keys under the timeline to navigate through it and see the evolution in the graph.
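As an added illustration, and not code from the original page or from Devo, the following Python model encodes the rules this section and the entity TTL paragraph describe: a directed graph of entities with an impact score of 1 to 100, a TTL of 24 hours for System entities and one week for User entities that restarts when the entity is accessed, user entities that only have outgoing relationships, the Query filters (Relationships, Depth, Limit, Impact) applied as a bounded breadth-first traversal, and the Shortest Path tool as a breadth-first search along outgoing edges. Entity names, impact values, timestamps and associations are constructed sample data, and the data structures are an assumption about how such a store could be modelled, not a description of the product's database.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added illustrative model of the entity graph behind the Associations view; it
# is not Devo's implementation. Only the rules stated on the page are encoded:
# TTL of 24 h (system) or one week (user) renewed on access, impact in 1..100,
# and user entities having outgoing relationships only.
TTL_BY_TYPE = {"system": timedelta(hours=24), "user": timedelta(days=7)}


@dataclass
class Entity:
    name: str
    etype: str            # "system" (hostname, IP, location, URL) or "user"
    impact: int           # 1 = lowest, 100 = highest
    last_seen: datetime   # the TTL period is counted from here


class EntityGraph:
    def __init__(self) -> None:
        self.entities: dict[str, Entity] = {}
        self.out_edges: dict[str, set[str]] = {}
        self.in_edges: dict[str, set[str]] = {}

    def add_entity(self, e: Entity) -> None:
        if e.etype not in TTL_BY_TYPE or not 1 <= e.impact <= 100:
            raise ValueError(f"invalid entity {e.name!r}")
        self.entities[e.name] = e
        self.out_edges.setdefault(e.name, set())
        self.in_edges.setdefault(e.name, set())

    def associate(self, src: str, dst: str) -> None:
        """Record the directed association src -> dst."""
        if self.entities[dst].etype == "user":
            raise ValueError("user entities only have outgoing relationships")
        self.out_edges[src].add(dst)
        self.in_edges[dst].add(src)

    def degree(self, name: str) -> int:
        return len(self.in_edges[name]) + len(self.out_edges[name])  # tooltip "degree"

    def touch(self, name: str, now: datetime) -> None:
        self.entities[name].last_seen = now  # accessing an entity restarts its TTL

    def expire(self, now: datetime) -> list[str]:
        """Drop entities whose TTL has elapsed and detach their edges."""
        gone = sorted(n for n, e in self.entities.items()
                      if e.last_seen + TTL_BY_TYPE[e.etype] <= now)
        for n in gone:
            del self.entities[n], self.out_edges[n], self.in_edges[n]
        for edges in (self.out_edges, self.in_edges):
            for n in edges:
                edges[n] -= set(gone)
        return gone

    def neighborhood(self, start: str, depth: int = 1, relationships: str = "both",
                     limit: int = 50, min_impact: int = 1) -> list[str]:
        """Nodes within `depth` hops of `start`, after the Relationships/Depth/Limit/Impact filters."""
        seen, result, frontier = {start}, [start], deque([(start, 0)])
        while frontier and len(result) < limit:
            node, d = frontier.popleft()
            nxt: set[str] = set()
            if d < depth and relationships != "incoming":
                nxt |= self.out_edges[node]
            if d < depth and relationships != "outgoing":
                nxt |= self.in_edges[node]
            for n in sorted(nxt - seen):
                if self.entities[n].impact >= min_impact:  # Impact filter prunes the walk
                    seen.add(n)
                    result.append(n)
                    frontier.append((n, d + 1))
        return result[:limit]

    def shortest_path(self, src: str, dst: str) -> list[str] | None:
        """Breadth-first search along outgoing edges (the Shortest Path tool)."""
        seen, queue = {src}, deque([[src]])
        while queue:
            path = queue.popleft()
            if path[-1] == dst:
                return path
            for n in sorted(self.out_edges[path[-1]] - seen):
                seen.add(n)
                queue.append(path + [n])
        return None


NOW = datetime(2024, 5, 1, 12, 0)   # constructed reference time
EXT_IP, URL = "203.0.113.9", "https://203.0.113.9/update.bin"


def build_sample_graph() -> EntityGraph:
    """Constructed sample: a user on a workstation reaching an external host."""
    g, h = EntityGraph(), timedelta(hours=1)
    for name, etype, impact, age in [("alice@example.com", "user", 40, 30 * h),
                                     ("wks-017", "system", 55, 2 * h),
                                     ("10.0.0.5", "system", 80, 1 * h),
                                     (EXT_IP, "system", 95, 25 * h),  # past its 24 h TTL
                                     (URL, "system", 20, 3 * h)]:
        g.add_entity(Entity(name, etype, impact, NOW - age))
    for src, dst in [("alice@example.com", "wks-017"), ("wks-017", "10.0.0.5"),
                     ("10.0.0.5", EXT_IP), (EXT_IP, URL)]:
        g.associate(src, dst)
    return g
```

Two behaviours of the sample are worth noticing when reading the real graph: an Impact filter prunes the traversal, so a low-impact node also hides everything that is only reachable through it, and an external host seen 25 hours ago has already aged out of the store, so the path from the user to the downloaded URL disappears with it unless someone accessed that entity in the meantime.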

Increase the sighting count of an entity

The sighting count of an entity indicates the number of times that a specific entity has appeared in an investigation. This count can be manually increased by a user after filtering alerts. To do it, click the ? symbol next to the required entity in the top part of an alerts group. You will see a window that displays the number of times that entity has appeared in an investigation, as well as the first and last time it appeared. Click Submit to sighting now to increase the count by 1. 

Note that this action cannot be undone.

Check the details of an entity

As shown above, each group of filtered alerts includes all the related entities on the top of the group. You can click the icon next to each entity to analyze its details.

Check the description of all the sections on this view in the table below. The numbers in the picture correspond to the sections in the table.

(1) Basic information

Basic information about the selected entity. The icon represents the entity type. You can also check the impact level of the entity and information about the in and out bytes of the entity.

In some cases, the selected entity may have some similar entities that will also appear here, so you can navigate through them by clicking the required one.

(2) Related alerts and investigations

Here you can check the number of alerts and investigations that include this entity and the number of enrichments added to it, either in the Investigation list or the Investigation area.

Click the enrichments count to display a series of graphs about the enrichments linked to the entity. See the section below for more information.

(3) General details

General details of the entity, as well as the dates the entity was first and last seen. The information displayed in this area varies according to the entity type.

(4) Impact and bytes in/out

A graph that shows the evolution of the entity's impact and its in and out bytes through time. You can hide elements by clicking them on the legend under the graph.

This section does not appear in user-type entities.

(5) List of related alerts

List of all the alerts that include the selected entity.

(6) Related entities

This graph represents all the entities related to the one you selected.

(7) List of related investigations

List of all the investigations that include the selected entity. Click an investigation name to access its details.

If you click the enrichments count at the top of this area, you will display some extra graphs related to the enrichments linked to the selected entity:

(1) List of enrichments

A list that shows all the enrichments related to the selected entity.

(2) Enrichments timeline

A timeline that represents all the enrichments of the entity through time.

(3) Machine learning evaluation enrichments

A couple of machine learning evaluations that show the security level of the entity and a client/server evaluation.
