Devo DeepTrace user guide
- Former user (Deleted)
- Borja Moro Moreno (Unlicensed)
Introduction
Devo DeepTrace performs autonomous alert investigations and threat hunting using attack-tracing AI, advancing how security teams easily identify and rapidly investigate threats and secure the organization. Devo DeepTrace helps security teams autonomously investigate alerts and suspicious events and perform threat hunting via:
Fully documented attack chains that speed investigations: Building attack traces, which fully and chronologically document each attack chain.
An AI engine that augments analysts: Providing analysts with context and points of reference detailing the attacker’s path through an organization’s infrastructure by asking potentially hundreds of thousands of questions. The AI engine emulates how SOC (Security Operations Center) analysts investigate alerts, incidents, and suspicious behaviors.
Autonomous investigations that accelerate context-based decision-making: Autonomously traverses historical data to document an adversary’s behavior from start to finish of an attack, providing the facts analysts need to take effective action.
Autonomous threat hunting to up-skill analysts: Helps threat hunters quickly construct and configure new hunts that map to MITRE ATT&CK framework tactics and techniques. Once refined and validated, these can be converted to new cadence-based threat detections.
What is a trace?
Traces are key artifacts that fully and chronologically document suspicious activity detected across an organization's infrastructure. Traces are the results of autonomous investigations which detect suspicious activity.
Trace data consists of a set of observed activities and their corresponding “evidence”—that is, DeepTrace’s analysis of those activities. You can view a trace in DeepTrace as a variety of interactive visualizations, including a summary graph, a MITRE ATT&CK matrix, a process tree, and a detailed timeline.
What permissions do I need to use DeepTrace?
To access DeepTrace and use its features in Devo, you need a specific permission, as well as other satellite permissions to access the areas where these features are used:
Feature enabler: the DeepTrace features permission is required to enable all the options and menus throughout the platform.
Auto-investigate in DeepTrace: the Finders permissions is required to open a search and the Alert configuration permission is required to define a new alert, which is where auto-investigations are configured.
Trace status: the Triggered alerts permission is required to access the alerts history area, which is where traces are displayed and monitored.
DeepTrace in the Devo platform
Devo DeepTrace allows EDR (Endpoint Detection and Response) and other data to be brought into DeepTrace. You can ingest data into Devo via your chosen collector and the data is automatically transferred across into DeepTrace cache for processing—data cache ages out after about six weeks.
The combined deployment is configured to enable alerts and EDR data investigations using DeepTrace. Devo customers that have activated it in their domain have an additional tab in their navigation pane named DeepTrace.
Sending events and alerts to DeepTrace
There are two different ways to start sending events and alerts with Devo DeepTrace:
New alert definition
You can activate auto-investigation in DeepTrace when creating a new alert definition from the Data search tab. Once the table is open, click the alert icon to create a new alert definition and select Auto-investigate in DeepTrace.
Auto-investigate in DeepTrace
DeepTrace does not allow grouping tables. When you click on Auto-investigate in DeepTrace the auto-investigation query opens your query without grouping. Here you can also modify the query that is going to be investigated by DeepTrace.
rawMessage field required
The rawMessage field must be included in the Auto-Investigation query definition (select rawMessage), even if it's not in the alert definition query. Otherwise, DeepTrace will not trigger an investigation even though the alert itself was triggered.
Data search
You can select suspicious events and send them to DeepTrace for investigation by clicking on the Engine tool button → New → Investigate in DeepTrace. You can also drag the DeepTrace icon from the tools to the main bar.
You can select one or more events from the table to send them to DeepTrace, or right click on the event to send it.
Why can't I see that option?
This option is only available when there is no grouping and at least one event is selected in the table.
Checking investigation status
Once the alert definition is created you can see the status of the alert by clicking on the Alerts or DeepTrace tabs in the navigation pane.
DeepTrace tab
Click DeepTrace in the navigation pane. A new browser window opens showing you the DeepTrace user interface.
Alerts tab
Click Alerts in the navigation pane. Check the Trace status column to see the status of your alert. You can also click on the DeepTrace icon that appears in the Action column to open DeepTrace.
There are four possible values for the alert auto-investigation status:
Status | Details |
No Trace | The investigation did not detect any threats. |
Trace Found | The investigation detected suspicious activity that needs your attention. |
Waiting | The investigation is in progress. |
Error | An error occurred which prevented the investigation from proceeding. |
DeepTrace user interface
The DeepTrace user interface enables security analysts to view the results of traces and hunts. Users can also configure new hunts, conduct ad-hoc searches, and trigger new investigations.
Navigation
In the Devo DeepTrace user interface, a navigation panel is shown along the left side of the window. The navigation panel is initially displayed in its compact state. Hovering your mouse along the far-left edge of the navigation panel causes it to expand.
The navigation panel contains the following set of links to pages of the DeepTrace user interface:
Link | Icon | Details |
Dashboard |  | Provides a general overview of:
|
Traces | 
| Displays the traces that depict suspicious activities or attacks in a searchable table format. |
Devices | 
| Shows a list of the devices implicated in the traces with the highest risk scores. |
Search | 
| Enables users to conduct ad-hoc searches for processes exhibiting suspicious behavior and hence to trigger investigations as a result. |
Hunt |
 | Enables users to browse the results of hunts that map to MITRE ATT&CK framework tactics and techniques. It also enables users to configure new hunts. Once refined and validated, these can be converted to new cadence-based threat detections. |
Triggers | 
| Shows the triggers that started autonomous investigations. |
Monitor | 
| Enables users to view Performance data, Statistics, Health data, and the list of monitored devices. |
Administration | 
| Enables users to manage DeepTrace configuration settings, such as wh itelists and data adapters. |
Log out | 
| Logs the current user out. |
Traces page
Traces are artifacts that fully chronologically document each attack chain. Traces are generated by the autonomous investigations that detect suspicious activity. A trace’s data consists of a set of observed events (“activities”) and their corresponding “evidence”—that is, DeepTrace’s analysis of those activities.
Traces table
The Traces page loads the list of traces from the DeepTrace server and displays the list in a table format.
The table displays the following information for each trace:
ID: Identifier of the trace. Click to open the Trace page for this trace in order to view the trace data in detail. To open the Trace page in a separate browser window, click the icon to the right of the ID.
Risk: Each trace is assigned a composite risk score from 0 (low) to 100 (high). The risk score is derived from the severity of the trace’s evidence data.
Start Date: The date and time of the first event in the trace.
End Date: The date and time of the last event in the trace.
Title: Click here to open the Trace page for this trace in order to view the trace data in detail.
Devices: The list of devices involved in the trace’s activity. Monitored devices can be listed by hostname; external devices can be listed by IP address. Click on the hyperlinked hostname of a monitored device to open the Device page and explore that device’s detailed data.
Tactics: The list of MITRE Tactics detected in the trace’s activity.
Evidence: The total count of evidence data generated for this trace.
Status: A trace can be marked as either “open” (needs attention), “closed” (has been resolved), or “ignored” (false positive, duplicate, or no action needed). Click here to change the status of a trace.
Filtering the traces table
At the top of the Traces page are three filters for determining which traces are loaded:
Date: Select the time range of the traces you wish to see. The table only loads traces which contain some activity that occurred within the selected time range.
Risk: Select the risk score range of the traces you wish to see. Each trace is assigned a composite risk score derived from the severity of the trace’s evidence data. The table only loads traces whose risk score falls within the selected risk score range.
Status: Select the status(es) of the traces you wish to see. A trace can be marked as either “open” (needs attention), “closed” (has been resolved), or “ignored” (false positive, duplicate, or no action needed). The table only loads traces whose status matches one of the selected statuses.
The Traces page searches for traces which match the filter criteria (above) and loads the results into the table.
To avoid overwhelming the browser’s memory, only the first 5,000 matches are loaded into the table. If there are more than 5,000 matches, a message appears below the table with a suggestion to use the filters to narrow your results.
Refining the traces display
Above the table there are additional controls for refining the results and their display:
Metadata filters:
Each trace has metadata associated with it (device, domain, process, username, tactic, technique, etc.). Use the metadata dropdowns to show/hide traces based on their metadata.
Grouping:
DeepTrace analyzes traces to detect similarities. The Traces page enables the user to display similar traces together as groups. This can be a useful way to arrange traces and detect repeating patterns of activity across your infrastructure.
Sorting:
The traces table can be sorted by clicking on the following column titles: ID, Risk, Start Date, End Date and Title.
Changing the status of traces
To change the status of a trace, click on the dropdown in the Status column for that trace in the table.
To change the status of multiple traces simultaneously, first click the checkboxes beside each of those traces in the table. Then click on the dropdown above the table labeled “# selected”, where “#” is the number of traces you have checked.
Trace page
When clicking on a trace ID or title, the Trace page opens to show you the details of that trace. A trace is the result of an autonomous investigation that detected suspicious activity. The Trace page shows both information about the trace and the data captured by the trace.
The layout of the Trace page is divided into several sections:
Trace header
Trace data filters
Trace time chart
Trace data views
Trace Details
Each of these sections is described in detail below.
Trace header
The header of the Trace page displays information about the trace itself, such as:
the trace ID and title
the start date and end date of the trace (the dates of the first and last events included in the trace)
the number of devices involved in the trace activities
the number of triggers which caused the trace to be generated
the total count of evidence that was generated by the trace
the trace status
the severity of the trace (derived from the severity of all the evidence included in the trace)
Trace data filters
Below the Trace page header are a set of UI controls for filtering the Trace evidence:
Summarize: The Summarize button enables you to apply a smart filter to the evidence with just one click. When Summarize is turned on, only the evidence with the most cumulative weight is shown. The summarized dataset is derived by first computing cumulative risk scores for each device in the trace based on the corresponding evidence. Then the dataset is filtered to highlight the top devices by risk score. In some cases, lower-risk evidence may also be included in order to preserve connections between devices.
Keyword search: Use the textbox to search the evidence by keyword. Examples of valid keywords include usernames, host names, process names, domains, port numbers and file hashes.
Metadata filters: To filter evidence by metadata, use the metadata dropdowns above the time chart.
Each piece of evidence is associated with metadata (e.g., device, domain, process, username, tactic, technique, etc.). Use the metadata dropdowns to filter for evidence based on its metadata. Your metadata selections will be applied simultaneously to the time chart, the network graph and the evidence table.
Trace time chart
Below the trace filters is a time chart which shows the distribution of evidence found over the duration of the trace. This provides you with insight regarding the trend of the evidence.
To filter the evidence by time, drag your mouse over a slice of the time chart. This will filter the evidence displayed below the time chart in the trace views and Details panel by the selected time range.
Trace details
The area below the Trace time chart is divided into two sections:
On the left: Trace data views – visualizations of the trace evidence.
On the right: Trace Details panel – the data from which the visualizations are generated.
The Trace details panel contains 3 tabs:
Evidence tab: Shows the evidence in a simple list format sorted chronologically. Click on any evidence in the list to view additional information for that evidence, such as the process command line.
Processes tab: Use this tab browse the data by process first, then click on any process to view the evidence for that process.
Triggers tab: A list of the triggers that caused this Trace to be generated.
Trace data views
Trace data generally consists of a set of observed events (“activities”) and their corresponding “evidence”—that is, DeepTrace’s analysis of those activities. The Trace page can show this data in six views:
Attack Chain
Network
Sequence
MITRE
Processes
Timeline
Each of these views is available as a tab near the top of the Trace page. Click any of these tabs to toggle between the views.
Trace Attack Chain view
Click the “Attack Chain” tab to view the evidence in chronological order along a single linear chain. Attack Chain view provides a concise overview of the evidence in the Trace.
Use the buttons near the top-left corner of Attack Chain view to zoom in & out, toggle the evidence descriptions and customize the number of columns in the display. Click the evidence in the Attack Chain view to filter the Details panel by that selected evidence.
Trace Network view
Click the “Network” tab to view a network graph where each graph node is a device and each graph link is a network connection from one device to another. This provides you with insight regarding the topology of the evidence.
Note that the Network graph uses color coding to indicate the severity of the evidence, ranging from blue (low) to red (high).
Additionally, the Network view supports ad-hoc filtering of evidence in the Details panel:
To filter the evidence by device, click on a node in the graph. This filters the table to show the evidence for the selected device.
To filter the evidence by a network connection, click on a link in the graph.
Trace Sequence view
Click the “Sequence” tab in the Trace page to view the trace evidence as a sequence diagram. In Sequence view, the evidence is laid out chronologically across multiple columns, one column per each device where evidence was found. Evidence of a network connection is rendered on an arrow stretching from the column of the source device to the column of the target device. As a result, Sequence view tends to draw more attention to network connections, making it a suitable view for observing lateral movement. Network view also emphasizes network connections; however, Network view does not indicate chronology. In contrast, Sequence view has both a time axis (vertical) and a spatial axis (horizontal).
Use the buttons near the top-left corner of Sequence view to zoom in & out and toggle the evidence descriptions in the display. Click the evidence in the Sequence view to filter the Details panel by that selected evidence.
Trace MITRE view
Click the MITRE tab in the Trace page to view the trace evidence mapped onto the MITRE ATT&CK Matrix for Enterprise. The matrix is an industry-standard categorization of adversary tactics and techniques. Across the top of the matrix are the MITRE tactics. Underneath each tactic are the MITRE techniques that correspond to that tactic.
The Trace MITRE view is composed of a tactic & technique matrix where each technique that was detected by the trace is shown color coded by the highest severity of the corresponding evidence, along with a badge displaying the evidence count. Techniques for which no evidence was detected are shown as grayed out.
Click on Show Detected Techniques Only to see only the techniques for which some evidence was detected. This is a useful way to make the matrix more compact and easier to read.
Trace Processes view
Click the Processes tab in the Trace page to view the trace evidence mapped onto the process trees of the monitored devices involved in the trace.
The processes view identifies the cohort commands and relationship graph executed by the offending user or malware out of the thousands of processes that executed within the device and were associated with the trace. This helps to quickly review the attack’s footprint. Each graph node is a process implicated in the trace. Arrows point from parent processes to the child processes which they spawned. This provides you with insight regarding dependencies.
Note that the process graph uses color coding to indicate the severity of the evidence, ranging from blue (low) to red (high).
The process graph shows the process tree for a single device at a time. Use the dropdown in the top-left corner of the graph to pick the device that you wish to view the process tree for.
The process graph visualizes the process tree as a set of nodes in a hierarchical layout. Processes are shown as rectangular nodes. For additional context, network connections are also included in the graph; the connection targets are shown as round nodes. Arrows connect parent processes to the child processes they have spawned and/or the network targets they have initiated connections to.
The process tree can include additional nodes in order to provide context or to preserve the integrity of the graph. These processes might not have any corresponding evidence and are shown as grayed out.
Use the buttons in the top-right corner of the process graph to manipulate the graph display:
Button | Icon | Description |
Show Vertical Layout |  | Toggles the graph orientation from horizontal to vertical. |
Show Network Connections Only | 
| When turned on, only the processes which were involved in network connections will be highlighted. Other processes are grayed out. |
Show Cross Process Activity Only | 
| When turned on, only the processes which were involved in cross process activity (either as the initiator or the target) are highlighted. Other processes will be grayed out. |
Show Condensed Layout | 
| This option is a useful way to make the graph more compact and easier to understand at a high level. When turned on, sibling graph nodes are merged together if either: (a) they are processes which share the same process filename; or (b) they are network connection targets which share the same hostname or domain; or (c) they are network connection targets which share the first 3 octets of their IPv4 addresses. |
As in the other trace views, the processes view supports ad-hoc filtering of evidence in the Details panel. To filter the evidence by a specific process, click on a process node in the process graph. This will filter the list to show the evidence for the selected process. If you click on a process which is not associated with any evidence, then no evidence will be shown in the list but you can still view process details, such as the command line, process ID and other properties.
Trace Timeline view
Click the Timeline tab in the Trace page to view all the trace evidence in a single chronological linear display.
The evidence list is shown in a table layout and ordered chronologically. For each process that generated evidence, the display shows the following information:
The device on which the process executed.
The process filename.
The IDs of the process’s parent and the process itself.
The process command line.
The date, time and description of the process’s evidence with the highest risk severity.
To conserve space, additional process information is not shown initially but can be revealed by expanding the process’s display. Clicking the arrow to the left of the process filename to expand that process’s display and reveal:
The local username used to execute the process.
The full path of the process file.
Hashes (MD5, SHA-1, SHA-256) of the process executable.
You can click individual arrows to expand/collapse processes one at a time, or click the Expand All button to expand/collapse all the processes simultaneously.
View Event Details: Click here to open a popup that displays raw event details about the process. This popup also contains tabs for searching for activities conducted by the process, such as
file activity
registry activity
library loads
network connections
View In Device Explorer: Click here to be redirected to the Device page, where you can view the selected process in the context of the process tree for its host.
Whitelist: Click here to open a popup that allows you to add this process to DeepTrace’s whitelist. You will be given the choice to whitelist either the process name, full path, or command line. Whitelisted items no longer generate evidence in future autonomous investigations.
Ignore Evidence: Unlike ad-hoc filtering which simply shows/hides evidence from the current display, suppressing evidence is a persistent action. Once a piece of evidence is suppressed, it will no longer be included in subsequent viewings of the trace.
Take Action: You may wish to perform some other action in response to the evidence in the trace, such as conducting lookups on the discovered hashes, IPs and domains. DeepTrace supports a set of such actions (configurable by admins). Click the Take Action button. This will open a popup with a list of response actions configured by your DeepTrace admin.
You may choose an action from the Actions list, input whatever parameters are required by the action, then click Take Action to invoke the action and await its results.
Devices page
The Devices page shows a list of devices that are implicated in traces within a selected time range.
Rather than displaying the full list of all devices monitored by DeepTrace, the Devices page highlights the devices implicated in traces with elevated risk scores. The list is generated by first scanning the riskiest traces within a time range of your choosing. A list of implicated devices is extracted from those traces. Each device is then assigned a cumulative risk level based on the severity of the trace evidence for that device. The Devices page displays the device list sorted from highest risk level to lowest.
To browse a list of all monitored devices, regardless of their risk assessment, navigate to the Monitor > Devices page.
Clicking on a device in the list redirects you to the Device page for that selected device. On the Device page is detailed information about the device, including the list of traces in which the device is implicated, the list of processes detected on the device, and additional device statistics.
Device page
The Device page shows you the internal details of a selected endpoint monitored by DeepTrace. The Device page shows both information about the device and the activity data observed on the device.
Device information
The header of the Trace page displays information about the device itself, such as:
The hostname.
The IP address.
The OS type.
The type and version of the endpoint agent that monitors the device activity.
The dates when activity data was first and last seen for the device.
The date of the last bootup reported for the device.
Device data views
Device data generally consists of a set of observed events (“activities”) and their corresponding “evidence”—that is, DeepTrace’s analysis of those activities. The Device page can show this data in four views:
Traces
Processes
Summary
Raw Events
Each of these views is available as a tab near the top of the Device page. Click any of these tabs to toggle between the views.
Device Traces view
The Device Traces view displays the traces within a given time range which implicate the device. The display uses a format similar to the display of the Traces page.
As in the Traces page, the Device Traces view shows the list of traces in a table. There are controls above the table for filtering the traces and refining the display, including grouping and sorting options.
Device Processes view
The Device Processes view displays the processes that were found running on the device within a selected time range.
The processes can be displayed in either of two displays:
Table: The processes are rendered as rows in a hierarchical table. The table displays details for each process (such as command line and evidence found, if any). Each parent process is rendered with an arrow beside it. Click the arrow to reveal the child processes of that parent process. This display is useful for browsing the process tree selectively, expanding branches of interest while collapsing others.
Graph: The processes are visualized as a hierarchical graph, similar to the graph in the Trace page > Processes view. This display is useful for understanding the overall process tree at a glance. Click on an individual process in the graph to view its details in the panel below the graph.
To toggle between the Table display and the Graph display, use the two toggle buttons in the middle-right of the page:
Note that both Table and Graph displays use color coding to indicate the severity of the evidence, ranging from blue (low) to red (high). The Table in particular uses separate color coding for the process name and the expander arrow. Whereas the process name is color coded by the evidence for that process, the expander arrow is color coded by the evidence for its descendant processes. Thus the expander arrow’s color coding can help guide you to the nested processes that have interesting evidence.
Above the process data are controls for selecting a time range. Rather than blindly selecting an arbitrary time range, these controls use evidence from prior investigations to guide you towards selecting time ranges with interesting data. To learn more about selecting a time range in this view, see the later section, Device Page > Selecting a Time Range.
Device Summary view
The Device Summary view displays statistics for activity that was observed on the device within a selected time range.
Above the statistics data are controls for selecting a time range. Rather than blindly selecting an arbitrary time range, these controls use evidence from prior investigations to guide you towards selecting time ranges with interesting data. To learn more about selecting a time range in this view, see the later section, Device Page > Selecting a Time Range.
Device Raw Events view
The Device Raw Events view displays the activity that was observed on the device within a selected time range. This is the granular data that comprises the statistics you see in the Device Summary view. You can choose to browse the following types of events:
Network connections.
Registry activity.
File activity.
Process activity.
Library loads.
The results are displayed in a table format.
To sort the results, click on the title of the column you wish to sort by.
To view the raw event record for a result, click the arrow to the left of the result.
Above the results table are controls for selecting a time range. Rather than blindly selecting an arbitrary time range, these controls use evidence from prior investigations to guide you towards selecting time ranges with interesting data. To learn more about selecting a time range in this view, see the next section, Selecting a Time Range.
Selecting a Time Range
Each of the Device data views has controls for selecting a time range. Your time range selection is used to filter the data displayed in the view.
In the Device Traces view you are browsing a list of traces, and your selected time range filters that list. In the three other Device data views, however, you are browsing lists of processes, which are far more granular than traces. Therefore, in those three other views, you need to be more restrictive with your time range filter.
Why? Simply put, processes can come and go frequently. Some processes may run for weeks while others may run for less than a second. For this reason, process tree data can grow quickly. Browsing just a few minutes of process data can yield a large unwieldy dataset. For this reason, the three Device data views which show processes (namely: Processes view, Summary view & Raw Events view) only load a 10-minute window of process data by default. You still use a calendar to choose time ranges for these three views, but you must then also select a 10-minute window within the chosen time range.
To choose a 10-minute window, these three views display a time series chart. The chart spans the same time range that you select in the calendar. Your 10-minute window is shown as a light blue vertical slice within the chart.
Click in the chart to move the light blue slice to a different window of time. The selected time window is shown in text below the chart.
Your time window is 10 minutes by default. You can modify the width of the window using the light blue dropdown.
If you selected a time range for your chart which is much longer than an hour, your 10-minute time window may appear less like a band and more like a line due to the chart’s time scale. This can make it challenging for you to select a 10-minute window accurately with precision. When you want more precision, use the chart’s zoom controls:
In the top-right corner of the chart, click the Mode: Zoom button (the button with the zoom icon). This toggles the chart into Zoom mode.
Once the chart is in Zoom mode, use a drag gesture to select a time interval that you wish to enlarge. After you complete the drag, the chart zooms into that interval.
While in Zoom mode, clicking on the chart does not move your 10-minute window. Likewise, a drag-zoom operation will not modify your previously selected 10-minute time window. It is only an optical zoom.
Repeat the drag as needed to continue zooming further if desired. Once you have zoomed in sufficiently, your 10-minute time window might look less like a line and more like a band.
Once you are done zooming, click the Mode: Select button (the button with the hand icon) in the top-right corner of the chart. This toggles the chart back to Select mode (which is the default).
Once you are back in Select mode, you can click on the chart to move your 10-minute window, as before.
To zoom out back to the original scale of the chart, click the Reset Zoom button in the top-left corner of the chart.
Due to the high volume and high granularity of process data, choosing a 10-minute window of interesting data can be like looking for a needle in a haystack. With that in mind, the time charts in these three Device views use color coding to help guide you towards interesting data:
The time chart looks for boot records that intersect the time span of the chart. Time intervals for which there is a boot record are shown in the chart as white; time intervals for which no boot record is found are shown as gray. This helps you avoid choosing a 10-minute time window during which the device may have been offline.
The time chart also looks for evidence that occurred during the time span of the chart. If found, the distribution of evidence is plotted on the chart, using color coding based on the severity of the evidence. This helps you choose 10-minute time windows during which interesting activity is more likely to have occurred.
You can also filter the evidence displayed on the time chart. Use the controls above the time chart to filter the evidence based on the risk and status of the traces that generated the evidence, as well as the evidence metadata. This allows you to hone your search for interesting activity more precisely. For example, if you are interested in a particular process, then you can filter the time chart’s evidence by that process, so that you have a clearer view of when that process exhibited interesting behavior. Note that the time chart filters have no effect on the process data below the chart; they only apply to the evidence plotted on the chart.
Search page
Search page allows you to perform ad-hoc searches for processes exhibiting specific behaviors. The search results can then be used to trigger autonomous investigations.
Defining a search query
At the top of the Search page is a form for defining your search. To define a search, you must specify a time range and a query expression. You can optionally specify a host (either a hostname or IP address) to target a specific device; otherwise your search is performed across all monitored devices.
The search’s query expression is provided using a simple search query language. Use this query language to target specific behaviors, including file access, registry access, network communications, and combinations thereof. You can find examples of search queries by clicking the help button which pops up a separate window with examples.
Query operators
Find below the supported operators of the search query language.
Operator | Details |
&& | And operator for multiple conditions. |
|| | Or operator for multiple conditions. |
!=,NE,ne | Non-equality operator and can be applied for numeric and time fields. |
>,GT,gt | Greater than operator and can be applied for numeric and time fields. |
<=, LE, le | Less than or equal to operator and can be applied for numeric and time fields. |
>=, GE, ge | Greater than or equal to operator and can be applied for numeric and time fields. |
~, CONTAINS, contains, LIKE, like | Equality operator for partial matches and can be applied to string fields. |
BEGINS, begins | Start with an operator for string fields. |
ENDS, ends | Ends with operator for string fields. |
IN, in | Find partial matches across multiple comma separated variables. For example, "HKLM\SYSTEM,HKLM\SOFTWARE". |
Query fields
The tables below list the fields which you can use in your query expressions.
Process fields: Use these fields to qualify a process based upon its properties.
Field | Description |
process.filename | Filename of the process. |
process.pid | Process identifier of the parent process. |
process.command | Command line for the process. |
process.image | Process path for the process. |
process.username | Name of the user creating the process. |
process.utc | Start time of a process in UTC. |
process.exit_utc | Exit time of a process in UTC. |
process.raw_event | Raw event of the process creation. |
process.child_count | Number of direct children of the process. |
process.md5 | MD5 hash of the process. |
process.sha256 | SHA256 hash of the process. |
Parent process fields: Use these fields to qualify a process based upon the parent process which spawned it.
Field | Description |
parent_process.filename | Filename of the parent process. |
parent_process.pid | Process identifier of the parent process. |
parent_process.ppid | Process identifier of the parent process. |
parent_process.command | Command line for the parent process. |
parent_process.image | Process path for the parent process. |
parent_process.username | Name of the user creating the parent process. |
parent_process.utc | Start time of the parent process in UTC. |
parent_process.exit_utc | Exit time of the parent process in UTC. |
parent_process.raw_event | Raw event of the parent process creation. |
parent_process.md5 | MD5 hash of the parent process. |
parent_process.sha1 | SHA1 hash of the parent process. |
parent_process.sha256 | SHA256 hash of the parent process. |
Library fields: Use these fields to qualify a process based upon the libraries that it loaded.
Field | Description |
library.filename | File name of the library loaded by a process. |
library.file_path | File path of the library loaded by a process. |
library.utc | Start time of the library loaded by the process in UTC. |
library.raw_event | Raw event of the library load. |
library.md5 | MD5 hash of the library. |
library.sha1 | SHA1 hash of the library. |
library.sha256 | SHA256 hash of the library. |
Action fields: Use these fields to qualify a process based upon an action that it took (i.e., a file action or registry action).
Field | Description |
action.count | Number of file or registry or file action. |
action.type | Type of the file action. Options include file or registry. |
action.target | Target field of a given action. Can include registry field or filename or process for cross-proc activities. |
action.raw_event | Raw event of the action. |
action.utc | Execution time of the file/registry by the process in UTC. |
Network fields: Use these fields to qualify a process based upon the network connections that it is associated with.
Files | Details |
network.count | Number of network connections associated with a process. |
network.src_ip | Source IP of the network connection. |
network.src_port | Source port of the network connection. |
network.dst_ip | Destination IP of a network connection. |
network.dst_port | Destination port of a network connection. |
network.initiated | Indicates whether the connection was initiated (1) or terminated (0) by the process. |
network.protocol | Protocol used for the network connection. |
network.utc | Network connection time by the process in UTC. |
DNS fields: Use these fields to qualify a process based upon DNS lookups that it performed.
Files | Details |
dns.hostname | Hostname looked up by the process. |
dns.raw_event | Raw event of the DNS lookup. |
dns.utc | DNS lookup time by the process in UTC. |
Streaming data
Once you have submitted your search, the search is queued and then executed in the background on the server.
The time required to complete the search varies depending on your search’s time range and target host(s). For lengthy searches, you might start to see partial results streaming into the results table while the search is still in progress.
Above the results table are the controls for the auto-refresh feature. Auto-refresh determines how the table handles partial results whenever newer results become available.
When auto-refresh is turned on, the table automatically updates (i.e., possibly replace) partial results as soon as newer results become available. If you do not want partial results to be automatically updated, turn auto-refresh off.
When auto-refresh is turned off, partial results are not updated automatically. Instead, when newer results become available, you are prompted with a message. The table isn’t updated until you click on that message. This allows you to continue browsing partial results without worrying that they might be replaced unexpectedly.
Working with results
The search results are displayed in a table at the bottom of the page. Each record in the table is a process which matches the criteria in your search query. The table displays the following information for each process:
Start and end time (if any).
The hostname, IP and DeepTrace ID of the device.
The filename and command line of the process.
The ID of the process’s parent and the ID of the process itself.
To view expanded process information, click the arrow to the left of the record. This displays the process’s full path, hashes, username and raw event JSON.
To sort the results by a particular column, click the column title at the top of the table.
To refine the results even further, you can filter by keyword or by particular field values. Records that are filtered out are hidden from the results table. To bring those records back, simply clear your selection.
To filter by keyword, enter the text into the text box above the table.
To filter by field values, use the dropdowns above the table.
Use the ellipsis button to the right of each record to take further action on an interesting result. Clicking the ellipsis button opens a menu with the following options:
View Event Details: Click here to open a popup that displays raw event details about the process. This popup also contains tabs for searching for activities conducted by the process, such as
file activity
registry activity
library loads
network connections
View In Device Explorer: Click here to be redirected to the Device page, where you can view the selected process in the context of the process tree for its host.
Investigate this Event: Click here to open a popup that allows you to trigger an autonomous investigation based on this process. You are prompted to choose an initial time window around the process in which to investigate suspicious activity. If suspicious activity is detected, the investigation generates a new trace.
Hunt page
What is a hunt?
In DeepTrace, a hunt is an intelligent search which looks for suspicious behavior. Hunts can be executed (“run”) once or on a recurring schedule. The results of hunts can be used to start a DeepTrace investigation either automatically or manually. The Hunt page allows you to browse the status and results of these hunts, and to configure custom hunts as well.
Hunts table
The Hunt page loads the list of hunts that are configured in your system and displays the list in a table format.
The table displays the following information for each hunt configuration:
Title of the hunt, plus a brief description based on the hunt’s search type.
MITRE Tactic & technique that the hunt is intended to detect.
Schedule: Whether the hunt is scheduled to recur or only execute once.
Auto-investigate: Whether the hunt is configured to automatically trigger an autonomous investigation on its results (if any).
Sharing: Whether the hunt is available to all DeepTrace users, certain selected users, or only the current user.
Status: Whether the hunt is disabled, enabled or completed.
Author: The DeepTrace user who created the hunt configuration.
Created: Date and time.
Last run: Date and time (if any).
Results: A trend chart showing the total result counts from the last 12 runs of the hunt (if any).
Refining the hunts display
Above the table there are additional controls for refining the table display:
Filters: Use the dropdowns to show/hide hunts based on their configuration properties.
The Results filter dropdown is particularly useful for finding hunts based on whether or not they have found any results (“matches”).
Grouping: Hunt configurations can be arranged as either a flat list or in groups. The view dropdown allows you to choose how you would like the hunts to be grouped.
Sorting: The hunts table can be sorted by clicking on the following column titles: Enabled/Disabled, Title, Status, Author, Created and Last Run.
Browsing the hunt results
A hunt can be configured to run once or on a recurring schedule. Click on the title of a hunt configuration in the hunts table to browse the results of its runs.
Clicking the hunt title opens a panel which allows you to pick from a list of runs (if any) for that hunt configuration. At the top of the panel is the title of the selected hunt configuration. Beneath the title is a dropdown list of runs for that configuration. If the hunt has never been run, the list of runs will be empty. If the run was configured to run on a recurring schedule, you might find several runs in the list. Select a run to view the results in the table below the list.
Each record in the results table is a process which matches the hunt’s search query. The table displays the following information for each process:
Start and end time (if any).
The hostname, IP and DeepTrace ID of the device.
The filename and command line of the process.
The ID of the process’ parent and the ID of the process itself.
To view expanded process information, click the arrow to the left of the record. This displays the process’s full path, hashes, username and raw event JSON.
To sort the results by a particular column, click the column title at the top of the table.
To refine the results even further, you can filter by particular field values. Records that are filtered out are hidden from the results table. To bring those records back, simply clear your selection.
To filter by field values, use the dropdowns above the table.
Use the ellipsis button to the right of each record to take further action on an interesting result. Clicking the ellipsis button opens a menu with the following options:
View Event Details: Click here to open a popup that displays raw event details about the process. This popup also contains tabs for searching for activities conducted by the process, such as
file activity
registry activity
library loads
network connections
View In Device Explorer: Click here to be redirected to the Device page, where you can view the selected process in the context of the process tree for its host.
Investigate this Event: Click here to open a popup that allows you to trigger an autonomous investigation based on this process. You are prompted to choose an initial time window around the process in which to investigate suspicious activity. If suspicious activity is detected, the investigation generates a new trace.
Managing Hunts
The Hunt page supports managing hunts, including editing, duplicating and deleting hunt configurations.
Each hunt configuration in the hunts table is shown with an ellipsis button beside it (far right). Clicking the ellipsis button opens a menu with the following options:
View Results: Click here to open a panel with the results of the hunt’s runs, if any. This is the same as clicking on the hunt’s title.
Enable/Disable Hunt: Click here to toggle the hunt’s status between enabled and disabled.
Start Hunt: Click here to manually start a run of this hunt now regardless of its schedule.
Settings/Edit Hunt: Opens a popup for editing the hunt’s configuration. Users who have permission to edit the hunt see Edit Hunt; otherwise, this menu option says Settings and the popup only shows the hunt’s configuration as read-only.
Duplicate Hunt: Opens a popup for editing the configuration of a new hunt. The popup is automatically pre-populated with the same configuration settings as the selected hunt. Use the popup to make any changes needed, then click Save to save the configuration for this new duplicate hunt.
Delete Hunt: Deletes the hunt configuration and its run results (if any).
Configuring Hunts
The Hunt page supports the creation of custom hunt configurations and the editing of configurations of your existing hunts.
To configure a new hunt, click the New Hunt button above the hunts table. This opens the hunt configuration editor.
To edit the configuration of an existing hunt in the hunts table, click the ellipsis button to the right of the hunt, then click the menu option Edit Hunt. This opens the hunt configuration editor (you only have permission to edit hunts that you own).
The Hunt Configuration Editor allows you to specify the following information regarding your hunt:
Title of the hunt configuration.
State: Whether the hunt is enabled or disabled. A disabled hunt doesn’t execute on its schedule until it has been enabled.
Search Type: DeepTrace supports a number of different types of intelligent hunts. Click on the dropdown to browse the list. Clicking on an option from the list displays a description of that option. If you select an option that requires additional parameters, then you are prompted for those parameters as well. For example, if you select the “Suspicious powershell cmdlets” option, then you are prompted to input the cmdlet.
Device: You might optionally specify a hostname or IP address to limit your hunt. Otherwise, the hunt covers all monitored devices by default.
Auto-investigate Hunt Results: If you enable this feature, then the results from the hunt are used to automatically trigger a DeepTrace autonomous investigation. If that investigation finds suspicious evidence, it results in the generation of a new trace. Otherwise, if you do not enable this feature, you can still browse the hunt results from the Hunt page, where you will have the opportunity to manually trigger an investigation if you wish.
Schedule: Choose whether to run this hunt one time or on a recurring schedule. The results of each run are available for browsing in the Hunt page.
Sharing: You can share your hunt with other DeepTrace users. When a hunt is shared, only the owner can modify its configuration. However, other users can create their own duplicate copy of the hunt which they can then modify as desired.
Tags: Set custom tags on your hunt configurations in order to help you stay organized. By convention, it is customary to specify at a minimum the MITRE Tactic & Technique that the hunt is intended to detect.
Notes: Notes is a free-form text area where you may specify whatever additional context is helpful pertaining to the hunt.
Triggers page
The Triggers page allows you to browse the triggers that were investigated by DeepTrace. In DeepTrace, investigations can be triggered by:
Devo alerts: Alerts in Devo can be configured to auto-investigate their results in DeepTrace. This includes imported alerts from EDR sources.
Devo hunts: Devo users can manually send search results to DeepTrace for further investigation.
DeepTrace hunts: DeepTrace hunts can be configured to auto-investigate their results. Alternatively, DeepTrace users can manually initiate investigations from the results of a DeepTrace hunt or a DeepTrace ad-hoc search.
Click on the ID or title of the trigger to view its details, including the list of traces and implicated devices (if any) which resulted from the investigation.
Monitor page
The Monitor page allows you to access the following pages which pertain to the health of the system:
Performance: Shows a pre-configured dashboard of graphs for plotting key hunting and system statistics.
Statistics: Shows the raw real time statistics associated with various micro services. Typically, useful for troubleshooting various functions which may be asked by the supported team.
Health: Shows the general health of the system including key system resources.
Devices: Shows a list of the endpoints currently being monitored.
Administration page
The Administration page allows users with administrator privileges to access various settings pertaining to the configuration and administration of DeepTrace. The page is divided into these sections:
Download Event Forwarded Installers
Analysis
System
The contents of each section are listed below. Note that some content is only available when DeepTrace is deployed in Standalone mode rather than integrated with a Devo deployment.
Section | Contents |
Device Management |
|
Download Events Forwarded Installer |
|
Analysis |
|
System |
|