Devo DeepTrace
Overview
Devo DeepTrace is an autonomous alert investigation and threat-hunting capability of the Devo Platform. It allows you to perform full investigations on alerts or suspicious events. DeepTrace attack-tracing AI pieces together the activity of malicious users or external actors enabling you to quickly analyze and report results in the form of traces - artifacts that fully and chronologically document each attack chain.
Requirements
This is not an out-of-the-box feature. If you want to start using DeepTrace, please visit the Devo support site.
How can DeepTrace help you?
Devo DeepTrace helps security teams autonomously investigate alerts and suspicious events and perform threat hunting via:
Fully documented attack chains that speed investigations: Utilising attack tracing to build traces, which fully and chronologically document each attack chain.
An AI engine that augments analysts: Providing analysts with context and points of reference detailing the attacker’s path through an organisation’s infrastructure by asking potentially hundreds of thousands of questions. It emulates how SOC (Security Operations Center) analysts investigate alerts, incidents, and suspicious behaviours.
Autonomous investigations that accelerate context-based decision-making: Autonomously traverses historical data to document an adversary’s behaviour from start to finish of an attack, providing the facts analysts need to take effective action.
Autonomous threat hunting to up-skill analysts: Helps threat hunters quickly construct and configure new hunts that map to MITRE ATT&CK framework tactics and techniques. Once refined and validated, these can be converted to new cadence-based threat detections.
What permissions do you need to use DeepTrace?
To access DeepTrace and use its features in Devo, you need a specific permission, as well as other satellite permissions to access the areas where these features are used:
Feature enabler: the DeepTrace features permission is required to enable all the options and menus throughout the platform.
Auto-investigate in DeepTrace: the Finders permission is required to open a search, and the Alert configuration permission is required to define a new alert, which is where auto-investigations are configured.
Trace status: the Triggered alerts permission is required to access the alerts history area, which is where traces are displayed and monitored.
What will you find in DeepTrace?
DeepTrace opens showing you a dashboard with the following sections:
More information
If you want to know more about the possibilities with Devo DeepTrace, visit the Devo support site.
DeepTrace in Devo Platform
Devo DeepTrace allows EDR (Endpoint Detection and Response) and other data to be brought into a DeepTrace instance. The combined deployment is configured to enable alert and EDR data investigations using DeepTrace. Devo customers that have activated it in their domain will have an additional tab in their navigation pane named DeepTrace.
There are two different ways to start sending events and alerts with Devo DeepTrace:
Once the alert definition is created, you can see the status of the alert by clicking on the Alert tab or the DeepTrace tab in the navigation pane.
Devo Connect
Learn more about DeepTrace in the related articles: