
Triaging alerts

Overview

Alerts that match the criteria of the filters applied will appear at the top of the Triage area after clicking the Filter button.

Depending on how you group the filtered alerts, that is, the option you choose in the Group by setting, the results are displayed differently. The actions available in each case are described below.

No grouping

This option will show alerts displayed individually in the results table.

  • (1) Click the arrow next to each alert ID to show the entities related to the alert.

  • (2) Click to copy the alert ID to your clipboard.

  • (3) Click the alert description to see more details about the alert. Learn more about this view here.

  • (4) Change the status of the alert.

  • (5) Assign the alert to a specific user in the domain.

  • (6) Add a comment to the alert.

  • (7) Add the alert to the investigation list.

Alerts grouped by entity

This option will retrieve groups of triggered alerts that have a set of entities in common. You will see a set of common entities with the corresponding alerts below it, as shown in the picture below:

  • (1) Check the diversity and count of the alert properties in the group.

  • (2) Number of triggered alerts in the group.

  • (3) Click to see more details about each triggered alert in the group. Learn more about this view here.

  • (4) See more details about this entity.

  • (5) Change the status of the alerts in the group.

  • (6) Add tags to this alert group.

  • (7) Add the alert to the investigation list.

  • (8) This icon indicates that this alert group has been added to an investigation.

Alerts grouped by type

This option will retrieve groups of alerts that have the same type, priority and ATT&CK tactic/technique.

  • (1) Number of triggered alerts in the group.

  • (2) Click to check the alerts in the group.

  • (3) Click the ID to see more details about the alert. Learn more about this view here.

  • (4) Click to copy the alert ID to your clipboard.

  • (5) Change the status of this alert.

  • (6) Assign the alert to a specific user in the domain.

  • (7) Add tags to this alert.

  • (8) See more details about this entity.

  • (9) Add this group of alerts to the investigation list.

  • (10) Change the status of all the alerts in the group. You can also add a comment to indicate the update in the same window that appears.

  • (11) Add a comment to the alert.

  • (12) Add the alert to the investigation list.
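The two grouping modes above (by entity and by type) and the "diversity and count of the alert properties" summary can be modelled in a few lines. The following is an added example written for this page, not code from the Security Operations application; the alert fields, the grouping rule for entities (alerts are grouped when their related entity sets are identical) and the sample alerts are all assumptions constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed alert shape: field names are illustrative, not the product's schema.
@dataclass(frozen=True)
class Alert:
    alert_id: str
    alert_type: str
    priority: str
    tactic: str          # ATT&CK tactic
    technique: str       # ATT&CK technique id
    entities: frozenset  # related entity references such as "ip:10.0.0.5"

# Constructed sample alerts for the demonstration (not real data).
SAMPLE_ALERTS = [
    Alert("a1", "BruteForce", "high", "Credential Access", "T1110",
          frozenset({"ip:10.0.0.5", "user:alice"})),
    Alert("a2", "BruteForce", "high", "Credential Access", "T1110",
          frozenset({"ip:10.0.0.5", "user:bob"})),
    Alert("a3", "BruteForce", "high", "Credential Access", "T1110",
          frozenset({"ip:10.0.0.5", "user:alice"})),
    Alert("a4", "Beaconing", "medium", "Command and Control", "T1071",
          frozenset({"host:web01", "url:example.invalid"})),
    Alert("a5", "BruteForce", "low", "Credential Access", "T1110",
          frozenset({"ip:192.0.2.9"})),
]


def group_by_type(alerts):
    """Group alerts that share type, priority and ATT&CK tactic/technique."""
    groups = defaultdict(list)
    for alert in alerts:
        key = (alert.alert_type, alert.priority, alert.tactic, alert.technique)
        groups[key].append(alert)
    return dict(groups)


def group_by_entity(alerts):
    """Group alerts whose related entity sets are identical (assumed grouping rule)."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[alert.entities].append(alert)
    return dict(groups)


def property_diversity(group, prop):
    """Distinct values of one alert property inside a group, with their counts.

    This is the diversity-and-count summary a triager reads before deciding
    whether to change the status of the whole group at once."""
    counts = defaultdict(int)
    for alert in group:
        counts[getattr(alert, prop)] += 1
    return dict(counts)


def group_summary(groups, prop):
    """Per group: number of triggered alerts plus the diversity of `prop`."""
    return {key: {"count": len(alerts), prop: property_diversity(alerts, prop)}
            for key, alerts in groups.items()}


if __name__ == "__main__":
    for key, info in group_summary(group_by_type(SAMPLE_ALERTS), "entities").items():
        print(key, info["count"], "alerts; distinct entity sets:", len(info["entities"]))
```

A group with a high alert count but low diversity (three brute-force alerts against the same address and user) is the kind of group that can safely be closed or assigned in one action, whereas high diversity suggests the alerts deserve individual review.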

After filtering alerts, users can perform the following actions:

Run an investigation from a filter

After applying a filter in the Triage area, you can create an investigation based on a single alert or a group of suspicious alerts by clicking the Add to investigation button (see where to find it depending on how you’re filtering alerts in the section above).

All the alerts added to an investigation in this way will be stored in the Investigation list, which you can access by clicking the paper clip icon at the top right of the application. 

Note that the investigation will not be created until you click the paper clip icon, select the required elements, and define the required investigation. Learn more about this in the Investigations section.

Check the details of a group of alerts

After filtering alerts in the Triage area, you get either individual alerts or groups of alerts. In the case of groups, you can see the number of alerts in the group by checking the number in the lightning icon next to each group.

To obtain more details about the alerts in each group, click the name of the group in the Description column (if you are not grouping your alerts or grouping them by entities), or the alert ID (if you’re grouping alerts by type).

This opens a window with a description in the top area and several further areas:

The top part of this area shows the entities related to the group of alerts, the type of alert, the name of the alert, the table where the alert is defined, the corresponding MITRE techniques and tactics, the message and the description.

Next to the list of related entities, you have the Add to investigation button that you can use to add this group of alerts to a new or existing investigation.

You can also open the LINQ code of the alert by clicking this icon

Click Run query at the bottom of the window to access the Hunting area. Check the Open in a new tab option to open the query in a new browser tab.

This section contains three different areas:

  • (1) The timeline itself, which shows the evolution of the alerts during the time period indicated in the selector at the top right part of the area. Click the refresh button next to it to update the timeline. Also, you can check the Related checkbox to see other alerts related to these entities.

  • (2) The Alerts Triggered area, which shows a list of individual alerts triggered during the period selected in the timeline. Click on the alert to see the alert description at the right part. Use the buttons at the bottom to choose the number of alerts to show and navigate through the different pages. You can perform the following actions on each alert:

  • (3) The individual description of the alert, which shows the name of the alert, its criticality, date when it was triggered, message and description, entities involved, and alert state (unread, false positive, new, etc). You can also check the extra data the alert contains.

You can find the Associations section in both alerts and investigations. Associations are related to entities, which are a basic concept in the Security Operations application. There's a background process in charge of getting all the IP addresses, hostnames, URLs, and so forth from the available sources (those are the entities) and adding them to a multi-model database. When a new entity is found, it won't have any association with other ones. However, when it is found again in the same source or in a different one, the system will start defining the relationships in the database. These relationships between entities can be checked in this area.

The processes that collect this information are called context flows, and they constantly run queries against the union tables and the base tables. These flows are configured by Devo security experts when the Security Operations app is first installed on a new domain. Note that the initial loading of entities from the origin tables into the entities database takes some time, and the information is updated as new data arrives in the tables.

Entities are divided into 2 categories, each with 4 entity types: System (hostname, IP, location and URL) and User (name, email, domain and account). Entities have a relatively short TTL (time to live): one week for User-type entities and 24 hours for System-type ones. After this period, entities are deleted from the database and are no longer available in the application. However, if you access an entity, its TTL is extended for another 24 hours or week, depending on the type.
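The TTL rules above (one week for User entities, 24 hours for System entities, extension on access, deletion once expired) are easy to get wrong when reasoning about why an entity has disappeared from a graph. The following is an added toy model written for this page, not the application's own code: the store layout is an assumption, and it also assumes that a fresh observation by a context flow restarts the TTL, which is how this page's description of TTL "aging by last seen" is read here.

```python
from datetime import datetime, timedelta

# TTL per entity category as stated on the page: one week for User, 24 hours for System.
TTL_BY_CATEGORY = {"system": timedelta(hours=24), "user": timedelta(weeks=1)}
SYSTEM_TYPES = {"hostname", "ip", "location", "url"}
USER_TYPES = {"name", "email", "domain", "account"}


def category_of(entity_type):
    """Map one of the eight entity types to its category."""
    if entity_type in SYSTEM_TYPES:
        return "system"
    if entity_type in USER_TYPES:
        return "user"
    raise ValueError(f"unknown entity type: {entity_type}")


class EntityStore:
    """Toy model of the entities database (assumed structure, not the product's)."""

    def __init__(self, now):
        self.now = now          # simulated clock, so the example runs offline
        self._entities = {}     # (type, value) -> record dict

    def advance(self, delta):
        self.now += delta

    def get(self, entity_type, value):
        """Return the live record, purging it (and returning None) once its TTL has elapsed."""
        key = (entity_type, value)
        record = self._entities.get(key)
        if record is not None and record["expiresAt"] <= self.now:
            del self._entities[key]
            return None
        return record

    def observe(self, entity_type, value):
        """A context flow saw the entity in a source: create it or refresh lastSeen.

        Assumption: a new observation restarts the TTL. An entity observed again
        after expiry is a brand-new record with a new firstSeen."""
        category = category_of(entity_type)
        record = self.get(entity_type, value)
        if record is None:
            record = {"category": category, "firstSeen": self.now,
                      "lastSeen": self.now,
                      "expiresAt": self.now + TTL_BY_CATEGORY[category]}
            self._entities[(entity_type, value)] = record
        else:
            record["lastSeen"] = self.now
            record["expiresAt"] = self.now + TTL_BY_CATEGORY[category]
        return record

    def access(self, entity_type, value):
        """An analyst opened the entity in the application: extend its TTL by another
        24 hours (System) or week (User). Returns None if it had already expired."""
        record = self.get(entity_type, value)
        if record is not None:
            record["expiresAt"] = self.now + TTL_BY_CATEGORY[record["category"]]
        return record

    def ttl_remaining(self, entity_type, value):
        """Time left before the entity is removed, or None if it is already gone."""
        record = self.get(entity_type, value)
        return None if record is None else record["expiresAt"] - self.now


if __name__ == "__main__":
    store = EntityStore(datetime(2024, 1, 1))
    store.observe("ip", "10.0.0.5")          # constructed sample entity
    store.advance(timedelta(hours=25))
    print("ip after 25h:", store.get("ip", "10.0.0.5"))   # gone: System TTL is 24h
```

The practical consequence for triage: a System entity seen only once in an alert is gone from the associations graph a day later unless an analyst opened it, so investigations that depend on a particular host or IP relationship should be created while the entity is still alive.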

When you click the Associations button in the alerts group description, you will find the associations that correspond to one of the entities with default values.

The graph in this area shows entities as nodes, and the relationships between them are represented with arrows. The nodes in the graph have different sizes depending on the impact. Hover over a node to see the following information: 

  • firstSeen: Date when the entity was first identified.

  • Impact: Magnitude value of the entity (1-100).

  • degree: The number of connections of the entity, both incoming and outgoing.

  • ttl: Time to live, the time until the entity becomes invalid, counted from firstSeen and aged by lastSeen.

  • lastSeen: Last time the entity was detected.

  • Type: The type of the entity (system or user).

There is a default query when you open the tab, and you can change the settings in the left section. These are the available visualization options of the graph, divided into two different tabs (Query filters and Graph visualization):

Query filters

Relationships

Choose to display Incoming or Outgoing associations or both.

Limit

Set the number of nodes you want to show.

Depth

Indicate the number of jumps.

Impact

Filter by impact, applying the operations to get the required results.

The impact is a value calculated for each entity at the moment it is stored in the entities database. It is computed by an algorithm that also factors in the number of connections the entity has. The values range from 1 to 100, where 100 is the highest impact and 1 the lowest. A high impact is something to take into account and makes the entity's behavior more critical. The nodes in the graph are bigger when the impact is higher.

Entities

Choose an entity type (system or user) and property (from the available ones), then enter a specific value in the text field to filter by and click the Add button. Keep adding the required values to apply all the specified filters by repeating this process.

Query to trigger

Check the query that will be triggered to represent the graph.


Graph visualization

Clustering

Organize the nodes in your graph according to their Impact or PCR (Producer-Consumer Ratio). Check the corresponding toggles to apply the required organization method.

Shortest Path

Enter a source and a target entity in the From and To fields and click the Search button to highlight the shortest path between those elements in the graph. You can also indicate the source and target nodes by clicking them in the graph. You will find additional info about the highlighted path in the Path Info area.

Nodes that show a + icon have incoming or outgoing relationships that are hidden by default. You can show the node relationships by right-clicking the + icon, then selecting Expand Incoming or Expand Outgoing. Note that user-type entities have only outgoing relationships.
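To make the query filters (Relationships, Limit, Depth, Impact), the degree shown in the tooltip, the Shortest Path tool and the "user-type entities have only outgoing relationships" rule concrete, here is an added example written for this page; it is not the application's graph engine, and the directed-graph representation, the breadth-first expansion used for Depth and Limit, the choice to follow arrow direction for the shortest path, and the sample entities are all assumptions.

```python
from collections import defaultdict, deque


class AssociationGraph:
    """Directed entity graph mirroring the Associations view (assumed structure)."""

    def __init__(self):
        self.nodes = {}                  # name -> {"type": "system"|"user", "impact": 1..100}
        self.outgoing = defaultdict(set)
        self.incoming = defaultdict(set)

    def add_node(self, name, entity_type, impact):
        if not 1 <= impact <= 100:
            raise ValueError("impact is a value from 1 to 100")
        if entity_type not in ("system", "user"):
            raise ValueError("entity type is 'system' or 'user'")
        self.nodes[name] = {"type": entity_type, "impact": impact}

    def add_edge(self, src, dst):
        """Arrow src -> dst. User-type entities have only outgoing relationships."""
        if self.nodes[dst]["type"] == "user":
            raise ValueError(f"{dst} is a user entity and cannot receive an incoming association")
        self.outgoing[src].add(dst)
        self.incoming[dst].add(src)

    def degree(self, name):
        """Incoming plus outgoing connections, as shown in the node tooltip."""
        return len(self.incoming[name]) + len(self.outgoing[name])

    def neighbours(self, name, relationships="both"):
        """Apply the Relationships filter: 'incoming', 'outgoing' or 'both'."""
        result = set()
        if relationships in ("outgoing", "both"):
            result |= self.outgoing[name]
        if relationships in ("incoming", "both"):
            result |= self.incoming[name]
        return result

    def query(self, start, depth=1, limit=50, relationships="both", min_impact=1):
        """Breadth-first expansion up to `depth` jumps from `start`, keeping at most
        `limit` nodes and dropping nodes below `min_impact` (the Impact filter).
        Neighbours are visited in sorted order so results are deterministic."""
        order, seen, frontier = [start], {start}, [start]
        for _ in range(depth):
            next_frontier = []
            for node in frontier:
                for nxt in sorted(self.neighbours(node, relationships)):
                    if nxt in seen or self.nodes[nxt]["impact"] < min_impact:
                        continue
                    if len(order) >= limit:
                        return order
                    seen.add(nxt)
                    order.append(nxt)
                    next_frontier.append(nxt)
            frontier = next_frontier
        return order

    def shortest_path(self, source, target):
        """Shortest path following the arrows (the Shortest Path tool); None if unreachable."""
        previous = {source: None}
        queue = deque([source])
        while queue:
            node = queue.popleft()
            if node == target:
                path = []
                while node is not None:
                    path.append(node)
                    node = previous[node]
                return path[::-1]
            for nxt in sorted(self.outgoing[node]):
                if nxt not in previous:
                    previous[nxt] = node
                    queue.append(nxt)
        return None


def sample_graph():
    """Constructed example entities and associations (not real data)."""
    g = AssociationGraph()
    g.add_node("user:alice", "user", 30)
    g.add_node("host:web01", "system", 80)
    g.add_node("ip:10.0.0.5", "system", 50)
    g.add_node("ip:198.51.100.7", "system", 20)
    g.add_node("url:example.invalid", "system", 90)
    g.add_edge("user:alice", "host:web01")
    g.add_edge("host:web01", "ip:10.0.0.5")
    g.add_edge("host:web01", "ip:198.51.100.7")
    g.add_edge("ip:10.0.0.5", "url:example.invalid")
    g.add_edge("ip:198.51.100.7", "url:example.invalid")
    return g


if __name__ == "__main__":
    g = sample_graph()
    print("2 jumps from user:alice, impact >= 50:", g.query("user:alice", depth=2, min_impact=50))
    print("shortest path:", g.shortest_path("user:alice", "url:example.invalid"))
```

Raising the Impact threshold prunes low-impact nodes from the expansion even when they lie on a path to something interesting, so when a Shortest Path search comes back empty it is worth checking whether the Impact or Relationships filter removed an intermediate node rather than concluding the entities are unrelated.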

Under the graph, you can see a timeline where you can check the history of one or several entities. Use the keys under the timeline to navigate through it and see the evolution in the graph.
