Alerts that match the applied filter criteria appear at the top of the Triage area after you click the Filter button. Filtered alerts are grouped by entity (IP addresses, users, etc.) and ordered by priority and date.
After filtering alerts, users can perform the following actions:
Run an investigation from a filter
After applying a filter in the Triage area, you can create an investigation based on a group of suspicious alerts by clicking the + icon that appears at the top right corner of each group.
Learn more about this in the Investigations section.
Check the details of a group of alerts
After filtering alerts in the Triage area, the results can be individual alerts or groups of alerts that share entities; grouping them makes analysis easier. For a group, the number shown in the lightning icon next to it is the number of alerts it contains.
To obtain more details about the alerts in a group, click the group name. A window opens that shows a description in the top area and two areas at the bottom: Timeline and Associations.
The top part of this window shows the entities related to the group of alerts, the alert type (in the example above, Detection), the alert name (in the example, Power shell exec bypass), the table where the alert is defined, the corresponding MITRE techniques and tactics, the message and the description.
Next to the list of related entities, you have the + button that you can use to add this group of alerts to a new or existing investigation.
The Timeline section contains three areas:
- The timeline itself, which shows the evolution of the alerts during the last 24 hours. You can indicate a different time period and click the Filter button to show the alerts in that period.
- The list of individual alerts that belong to this group. Click an alert to see its description on the right. Use the buttons at the bottom to choose how many alerts to show per page and to navigate between pages.
- The individual alert description, which shows the alert name, its criticality, the date when it was triggered, the message and description, and the alert state (unread, false positive, new, etc.).
You can find the Associations section in both alerts and investigations. Associations are built on entities, which are a basic concept in the Security Operations application. A background process extracts the IP addresses, hostnames, URLs and similar values (the entities) from the available sources and adds them to a multi-model database. When an entity is found for the first time, it has no association with any other entity. When it is found again, in the same source or in a different one, the system starts defining its relationships in the database. These relationships between entities can be checked in this area.
Entities are divided into two types, each with four properties: System (hostname, IP, location and URL) and User (name, email, domain and account). Entities have a relatively short TTL (time to live): one week for User-type entities and 24 hours for System-type ones. After this period, entities are deleted from the database and are no longer available in the application. However, if you access an entity, its TTL is extended for another 24 hours or week, depending on its type.
When you open the Associations tab in the alerts group description, you will see the associations of one of the group's entities, using the default query settings.
The graph in this area shows entities as nodes, and the relationships between them are represented with arrows. Nodes are sized according to their impact. Hover over a node to see the following information:

| Field | Description |
|---|---|
| firstSeen | Date when the entity was first identified. |
| Impact | Magnitude value of the entity (1-100). |
| degree | The number of connections between the entity and related nodes, both incoming and outgoing. |
| ttl | Time to live: the moment the entity becomes invalid, counted from first seen and refreshed by last seen. |
| lastSeen | Last time the entity was detected. |
| Type | The type of the entity (system or user). |
There is a default query when you open the tab, and you can change its settings in the left section. These are the available visualization options of the graph:

| Option | Description |
|---|---|
| Relationships | Choose whether to display Incoming associations, Outgoing associations, or both. |
| Limit | Set the maximum number of nodes to show. |
| Impact | Filter by impact (1 to 100) using the available comparison operations to get the required results. |
Choose an entity type (system or user) and one of the available properties, then enter a specific value in the text field to filter by and click the + button. Keep adding the required values and click this button to apply all the specified filters.
Nodes that show a + icon have incoming or outgoing relationships that are hidden by default. You can show the node's relationships by right-clicking the + icon, then selecting Expand Incoming or Expand Outgoing.
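The entity model described in the Associations passages above (System and User entities with four properties each, the 24-hour and one-week TTL that is refreshed on access, associations that only appear once an entity is seen again, and the Relationships/Limit/Impact options of the graph query) can be made concrete with a small in-memory model. The following Python is an added illustration, not code from the original page or from the Security Operations application: the class and method names (`EntityStore`, `observe`, `neighbours`, `hover_info`), the rule that a re-sighted entity gets an outgoing edge to the other entities in the same record, and the impact values supplied per sighting are all assumptions, and the host, account and URL values are constructed sample data.

```python
"""Toy model of the Triage entity store and its Associations graph. Added
illustration, not Devo's code: it follows the behaviour documented above; the
direction rule in observe() is a modelling assumption; sample data is constructed."""
import operator
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)
TTL = {"system": 24 * HOUR, "user": timedelta(weeks=1)}  # documented lifetimes
PROPERTIES = {"system": {"hostname", "ip", "location", "url"},
              "user": {"name", "email", "domain", "account"}}
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}


@dataclass
class Entity:
    etype: str
    prop: str
    value: str
    impact: int            # magnitude 1-100, supplied by the caller in this model
    first_seen: datetime
    last_seen: datetime
    expires_at: datetime
    outgoing: set = field(default_factory=set)  # keys this entity points to
    incoming: set = field(default_factory=set)  # keys pointing at this entity

    @property
    def key(self):
        return (self.etype, self.prop, self.value)


class EntityStore:
    def __init__(self):
        self.entities = {}

    def sight(self, etype, prop, value, impact, when):
        """Create the entity, or refresh lastSeen, TTL and impact if it exists."""
        if prop not in PROPERTIES[etype] or not 1 <= impact <= 100:
            raise ValueError("unknown property or impact outside 1-100")
        ent = self.entities.get((etype, prop, value))
        if ent is None:
            ent = Entity(etype, prop, value, impact, when, when, when + TTL[etype])
            self.entities[ent.key] = ent
            return ent, True
        ent.last_seen, ent.expires_at, ent.impact = when, when + TTL[etype], impact
        return ent, False

    def observe(self, when, sightings):
        """Ingest one source record. Assumption: an already-known entity gets an
        outgoing edge to every other entity in the record; a new one gets none."""
        seen = [self.sight(*s, when=when) for s in sightings]
        for ent, is_new in seen:
            for other, _ in seen:
                if not is_new and other is not ent:
                    ent.outgoing.add(other.key)
                    other.incoming.add(ent.key)

    def access(self, key, now):
        # Opening an entity in the UI extends its TTL by another full period.
        self.entities[key].expires_at = now + TTL[key[0]]

    def expire(self, now):
        """Drop entities whose TTL has elapsed and detach their edges."""
        gone = [k for k, e in self.entities.items() if e.expires_at <= now]
        for k in gone:
            e = self.entities.pop(k)
            for o in e.outgoing & set(self.entities):
                self.entities[o].incoming.discard(k)
            for o in e.incoming & set(self.entities):
                self.entities[o].outgoing.discard(k)
        return gone

    def hover_info(self, key):
        """The fields shown when hovering a node; ttl is the expiry timestamp."""
        e = self.entities[key]
        return {"firstSeen": e.first_seen, "Impact": e.impact, "Type": e.etype,
                "degree": len(e.incoming) + len(e.outgoing),  # both directions
                "ttl": e.expires_at, "lastSeen": e.last_seen}

    def neighbours(self, key, relationships="both", limit=None, impact=None):
        """Graph query: Relationships (incoming/outgoing/both), Limit and an
        Impact comparison given as (op, threshold), e.g. (">=", 50)."""
        e = self.entities[key]
        keys = (e.incoming if relationships != "outgoing" else set()) | \
               (e.outgoing if relationships != "incoming" else set())
        nodes = [self.entities[k] for k in keys]
        if impact:
            nodes = [n for n in nodes if OPS[impact[0]](n.impact, impact[1])]
        nodes.sort(key=lambda n: (-n.impact, n.key))  # highest impact first
        return [n.key for n in nodes][:limit]


def build_sample_store():
    """Constructed sample: a host seen alone, then again with a user and a URL."""
    t0 = datetime(2024, 1, 1, 9, 0)
    store = EntityStore()
    store.observe(t0, [("system", "hostname", "ws-042", 40)])
    store.observe(t0 + 2 * HOUR, [("system", "hostname", "ws-042", 70),
                                  ("user", "account", "jdoe", 55),
                                  ("system", "url", "http://example.invalid/login", 20)])
    return store, t0
```

In the sample, the host is the only entity that is re-sighted, so it is the only one that gains (outgoing) associations; the account and the URL each get a degree of 1 from the incoming edge. Running `expire` 27 hours after the first sighting removes the two System entities but keeps the User entity for a week, unless `access` has extended the host's TTL first, which is the edge case the TTL paragraph describes.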
Increase the sighting count of an entity
The sighting count of an entity indicates the number of times that entity has appeared in an investigation. A user can increase this count manually after filtering alerts. To do so, click the required entity in the top part of an alerts group. A window opens that displays the number of times that entity has appeared in an investigation, as well as the first and last time it appeared. Click Submit to sighting now to increase the count by 1.
Note that this action cannot be undone.