
Devo DeepTrace

Overview

Devo DeepTrace is an autonomous alert investigation and threat-hunting capability of the Devo Platform. It allows you to perform full investigations on alerts or suspicious events. The DeepTrace attack-tracing AI pieces together the activity of malicious users or external actors, enabling you to quickly analyze and report results in the form of traces: artifacts that fully and chronologically document each attack chain.

Requirements

This is not an out-of-the-box feature. If you want to start using DeepTrace, please visit the Devo support site.

How can DeepTrace help you?

Devo DeepTrace helps security teams autonomously investigate alerts and suspicious events and perform threat hunting via:

  • Fully documented attack chains that speed investigations: attack tracing builds traces, which fully and chronologically document each attack chain.

  • An AI engine that augments analysts: provides analysts with context and points of reference detailing the attacker’s path through an organisation’s infrastructure by asking potentially hundreds of thousands of questions. It emulates how SOC (Security Operations Center) analysts investigate alerts, incidents, and suspicious behaviours.

  • Autonomous investigations that accelerate context-based decision-making: Autonomously traverses historical data to document an adversary’s behaviour from start to finish of an attack, providing the facts analysts need to take effective action.

  • Autonomous threat hunting to up-skill analysts: Helps threat hunters quickly construct and configure new hunts that map to MITRE ATT&CK framework tactics and techniques. Once refined and validated, these can be converted to new cadence-based threat detections.

What permissions do you need to use DeepTrace?

To access DeepTrace and use its features in Devo, you need a specific permission, as well as other satellite permissions to access the areas where these features are used:

  • Feature enabler: the DeepTrace features permission is required to enable all the options and menus throughout the platform.

  • Auto-investigate in DeepTrace: the Finders permission is required to open a search, and the Alert configuration permission is required to define a new alert, which is where auto-investigations are configured.

  • Trace status: the Triggered alerts permission is required to access the alerts history area, which is where traces are displayed and monitored.

What will you find in DeepTrace?

DeepTrace opens showing you a dashboard with the following sections:

Dashboard: the main dashboard provides a general overview of:

  • Traces

  • Devices

  • Triggers

  • Leads

Traces: the Traces page shows all the traces generated by Devo that depict suspicious activities, attacks, and campaigns, listed in order of priority.

Devices: the Risky devices page shows a list of devices that were implicated in traces, with additional details.

Search: the Smart search page allows you to search for processes exhibiting suspicious behaviour in order to trigger investigations.

Hunt: the Hunt page allows you to manage hunts for suspicious behaviour, processes, network activity, actions, etc. in order to trigger investigations.

Triggers: the Triggers page lists all hunting triggers, whether raised from the Hunt configuration or by configured external alerts.

Settings: the Settings menu allows you to access various system, administration, and monitoring settings.

Log out: logs out the current user.

More information

If you want to know more about the possibilities with Devo DeepTrace, visit the Devo support site.

DeepTrace in Devo Platform

Devo DeepTrace allows EDR (Endpoint Detection and Response) and other data to be brought into a DeepTrace instance. The combined deployment is configured to enable alert and EDR data investigations using DeepTrace. Devo customers that have activated it in their domain will have an additional tab in their navigation pane named DeepTrace.

There are two different ways to start sending events and alerts with Devo DeepTrace:

Once the alert definition is created you can see the status of the alert by clicking on the Alert tab or DeepTrace tab in the navigation pane.