In some cases, it is best to inform the customer immediately about the incident. In other cases, it is best to gather further information before taking action on the detection.
Before detections arrive in the portal, they have been thoroughly analyzed by multiple behavioral algorithms and combined via artificial intelligence into broad context detections – series of interconnected events that might seem otherwise independent. You need to investigate these detections and decide how to proceed.
Follow these instructions when investigating detections:
1. Select the Detections tab.
   The Detections view contains all broad context detections that have been found.
2. Select the broad context detection that you want to investigate from the list.
   If you think that you might have identified a potential attack, assess the level of risk it poses.
3. Check the risk level score, confidence, and criticality of the detection to decide whether it is something you should act on.
   Each detection has a risk level score that represents the estimated impact of the detection in the customer environment.
4. View similar detections that have similar properties to check how they have been handled previously.
   Similar detections can help you to gather information about detections and how they may be connected. You can select the name of a similar detection from the list to view information about it.
5. Check the Process tree to find out how an attacker has tried to gain unauthorized access to the network.
   The Process tree shows which processes are connected to the detection and what those processes have done. Select the double caret icon to view more detailed information and analysis of the specific activity. The detailed information view shows the host name, user, command line, the full file path of the application, and the SHA1 checksum of the file and of its parent. The analysis shows the process category and the activities that the application has performed.
   Note: If you want to investigate the incident even further, Event Search provides more detailed telemetry data for Broad Context Detections.
6. Check the Log view to see an event-by-event list of what has happened.
   Tip: Select the comment icon to read and write comments as you investigate the incident.
7. Based on your investigation, determine which hosts have been used for the attack and which are most likely the focus of the attack, and decide whether those hosts should be isolated from the network until the incident has been resolved.
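The Process tree and isolation steps above describe the fields the detailed view exposes for each process (host, user, command line, file path, SHA1 of the file and of its parent). The following Python script is an added example, not part of this documentation or of the product: it rebuilds such a tree from telemetry records in a hypothetical, constructed format, walks the ancestry of a process, tolerates a parent that is missing from telemetry, and lists the hosts on which a given binary ran as one input to the isolation decision. The record layout, field names, host names and SHA1 values are all assumptions made for the example.

```python
"""Rebuild a process tree from endpoint telemetry records.

The record format below is hypothetical and the sample data is constructed
for this example; it is not the product's own telemetry schema.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    pid: int
    parent_pid: Optional[int]  # None when no parent was recorded
    path: str
    cmdline: str
    sha1: str  # SHA1 of the executable image (placeholder values below)


# Constructed sample telemetry: one Office-spawned chain on WS-01 and a
# service process on SRV-02 whose parent (PID 99) was never recorded.
EVENTS = [
    ProcessEvent("WS-01", "alice", 400, None, r"C:\Windows\explorer.exe", "explorer.exe", "a" * 40),
    ProcessEvent("WS-01", "alice", 512, 400, r"C:\Program Files\Office\WINWORD.EXE", "WINWORD.EXE /n report.docx", "b" * 40),
    ProcessEvent("WS-01", "alice", 640, 512, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", "c" * 40),
    ProcessEvent("WS-01", "alice", 700, 640, r"C:\Windows\System32\whoami.exe", "whoami", "d" * 40),
    ProcessEvent("SRV-02", "SYSTEM", 300, 99, r"C:\Windows\System32\services.exe", "services.exe", "e" * 40),
    ProcessEvent("SRV-02", "SYSTEM", 820, 300, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", "f" * 40),
]


def index_events(events):
    """Key every record by (host, pid): PIDs are only unique within one host."""
    return {(e.host, e.pid): e for e in events}


def children_of(events):
    """Map (host, parent_pid) -> list of child records."""
    kids = {}
    for e in events:
        if e.parent_pid is not None:
            kids.setdefault((e.host, e.parent_pid), []).append(e)
    return kids


def roots(events):
    """Records with no recorded parent, including those whose parent PID is absent from telemetry."""
    by_key = index_events(events)
    return [e for e in events if e.parent_pid is None or (e.host, e.parent_pid) not in by_key]


def ancestry(events, host, pid):
    """Chain from the highest recorded ancestor down to (host, pid); stops at a telemetry gap or a PID cycle."""
    by_key = index_events(events)
    chain, key, seen = [], (host, pid), set()
    while key in by_key and key not in seen:
        seen.add(key)
        e = by_key[key]
        chain.append(e)
        if e.parent_pid is None:
            break
        key = (host, e.parent_pid)
    chain.reverse()
    return chain


def render_tree(events):
    """Indented one-line-per-process rendering, similar in spirit to a Process tree view."""
    kids = children_of(events)
    lines = []

    def walk(e, depth):
        lines.append(f"{'  ' * depth}{e.host}:{e.pid} {e.user} {e.cmdline} [{e.sha1[:8]}]")
        for child in sorted(kids.get((e.host, e.pid), []), key=lambda x: x.pid):
            walk(child, depth + 1)

    for root in sorted(roots(events), key=lambda x: (x.host, x.pid)):
        walk(root, 0)
    return lines


def parent_detail(events, host, pid):
    """File and parent SHA1 for one process; parent fields are None when the parent was not recorded."""
    by_key = index_events(events)
    e = by_key[(host, pid)]
    parent = by_key.get((host, e.parent_pid)) if e.parent_pid is not None else None
    return {
        "file_sha1": e.sha1,
        "parent_path": parent.path if parent else None,
        "parent_sha1": parent.sha1 if parent else None,
    }


def hosts_running_sha1(events, sha1):
    """Hosts on which a binary with this SHA1 executed: a pivot for scoping which hosts to isolate."""
    return sorted({e.host for e in events if e.sha1 == sha1})


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    print([e.pid for e in ancestry(EVENTS, "WS-01", 700)])
    print(hosts_running_sha1(EVENTS, "c" * 40))
```

The tree is keyed by (host, pid) rather than pid alone, because the same PID can exist on every host in the environment; a parent PID that never appears in telemetry is treated as the top of its chain rather than an error, which is what an analyst sees when collection started after the parent launched.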
As you handle the incident with your customer, do not forget to update its status. After the incident has been properly handled, remember to close it.