Security analysts are always looking for ways to speed up the investigation process.
With alerts streaming into the SOC continuously, saving a minute here and there can make a big difference. Here at Siemplify we are keenly aware of this desire to make investigations faster and have developed a flexible platform designed to do just that. If you are familiar with the Siemplify Platform then you know that it was built by analysts, for analysts. This means that every screen, button, and capability has been precisely designed with the analyst in mind. One of the coolest ways analysts can save time in the Siemplify Platform is by using the Explorer view to complete an investigation.
Understanding how alerts relate to one another is a critical component of improving analyst efficiency. In the past, to see this linkage analysts would have to switch from product to product, do loads of manual research, and hope that a relationship existed. This process has the exact opposite effect on productivity, making investigations slower. The good news is that today, with the Siemplify Platform, this alert relationship is identified automatically, so analysts are saving time immediately. Using patented technology, Siemplify can ingest alerts from any security control (typically a SIEM, but it could be any other alerting system) and identify shared entities (for example a user account, host, or IP address that appears in more than one alert). Once identified, Siemplify then constructs a case that groups all of these related alerts, drastically decreasing the need to complete individual alert investigations. But that is just the behind-the-scenes story; we are here to talk about how you can save some serious time using the Explorer view, so let's get to it.
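To make the idea of "grouping alerts by shared entities" concrete, here is an added illustration of the general technique: it is not Siemplify's own (patented) implementation and makes no claim about how the platform does it internally. It treats every alert as a set of entity keys, links alerts that share at least one entity using a union-find structure, and emits one case per connected group, with the alerts inside each case ordered by timestamp so they can be replayed as a sequence. The alert records, entity key format (`type:value`) and timestamps are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample alerts, standing in for what a SIEM would forward.
# Each alert carries the entities it mentions as "type:value" keys.
ALERTS = [
    {"id": "A1", "ts": 100, "name": "Failed Login",
     "entities": {"user:jdoe", "host:WS-01"}},
    {"id": "A2", "ts": 130, "name": "Failed Login",
     "entities": {"user:jdoe", "host:WS-02"}},
    {"id": "A3", "ts": 160, "name": "Account Lockout",
     "entities": {"user:jdoe"}},
    {"id": "A4", "ts": 170, "name": "Malware Detected",
     "entities": {"host:SRV-09"}},
    {"id": "A5", "ts": 200, "name": "Suspicious Process",
     "entities": {"host:WS-02", "ip:10.0.0.5"}},
]


def group_alerts_into_cases(alerts):
    """Group alerts that share entities (transitively) into cases.

    Returns a list of cases in order of first appearance. Each case is a
    dict with the alert ids ordered by timestamp and the sorted set of
    entities that tie those alerts together.
    """
    parent = {}  # union-find parent pointers over entity keys

    def find(key):
        # Path-halving find: walk to the root, shortening the path as we go.
        while parent[key] != key:
            parent[key] = parent[parent[key]]
            key = parent[key]
        return key

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_b] = root_a

    # Pass 1: link every entity of an alert to the alert's first entity.
    # An alert with no entities gets a private key so it forms its own case.
    alert_keys = {}
    for alert in alerts:
        keys = sorted(alert["entities"]) or [f"alert:{alert['id']}"]
        for key in keys:
            parent.setdefault(key, key)
        for key in keys[1:]:
            union(keys[0], key)
        alert_keys[alert["id"]] = keys[0]

    # Pass 2: bucket alerts by the root of their component.
    buckets = {}  # insertion-ordered: root -> list of alerts
    for alert in alerts:
        root = find(alert_keys[alert["id"]])
        buckets.setdefault(root, []).append(alert)

    cases = []
    for members in buckets.values():
        members.sort(key=lambda a: a["ts"])  # replay order for the timeline
        entities = set()
        for member in members:
            entities |= member["entities"]
        cases.append({
            "alerts": [m["id"] for m in members],
            "entities": sorted(entities),
        })
    return cases


def describe_cases(cases):
    """Render each case as a one-line summary for an analyst."""
    return [
        f"case {i + 1}: alerts {', '.join(c['alerts'])} "
        f"via entities {', '.join(c['entities'])}"
        for i, c in enumerate(cases)
    ]


if __name__ == "__main__":
    for line in describe_cases(group_alerts_into_cases(ALERTS)):
        print(line)
```

With the sample data above, the three failed-login and lockout alerts for `user:jdoe` and the suspicious-process alert on `host:WS-02` collapse into a single case, while the unrelated malware alert on `host:SRV-09` stays on its own. The union-find step is what makes the grouping transitive: A5 never mentions `jdoe`, but it joins the case because it shares `host:WS-02` with A2.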
The Explorer view of the Siemplify Platform is a graphical representation of how all the alerts that are part of a case are related. For example, let's look at a very common SOC investigation type, a brute force attempt, and how an analyst can complete his or her entire investigation from this single view.
To begin, we first access the case screen in the Siemplify Platform.
We are going to look at the case called "Failed Login". By highlighting the case, the overview section in the middle of the screen is activated with all the alerts, insights, and playbooks that were automatically associated with this case. As an analyst I can certainly use this screen to complete the investigation, and frankly many analysts do just that. However, if you prefer a visual view of the case you can click the blue button in the top right of the screen to open the Explorer view, so let's do that now.
Once opened, we get an entity relationship view of the case. On the far right of the screen we can see all the alerts that are part of the case and the sequence in which they occurred. The middle of the screen shows the entities associated with the alerts. If you click on any of the icons you will see the Context Details section of the screen on the right activate, showing all the insights automatically generated for that entity. One of the coolest features of this screen is the ability to play back the sequence of events. When you click on the play button at the bottom of the screen you can see the events as they occurred in relation to one another. In this example, by reviewing the alerts visually and playing the sequence, it is fairly clear that some sort of coordinated attack occurred. As an analyst you can get to this point in the investigation quickly, with just a few clicks and without leaving this screen.
Now let's say that you as the analyst want to gather more information about any of these entities or take an immediate action. Not a problem: if you focus on the Context Details section of the screen you will see a small icon of a wrench and screwdriver. Clicking on this button opens the manual action screen.
This manual action screen gives the analyst the ability to interact with any of the security controls in their environment and take decisive action. So, for example, if we determine that this user account has in fact been compromised we can instruct Active Directory to disable the account. When the analyst clicks "execute", the Siemplify integration takes over, delivering the instruction to Active Directory. At this point the analyst can carry out additional actions or simply return to the case screen and click the "close case" icon at the top of the case screen, simple as that.
Will the Explorer view be the best way to complete every investigation? Well, that is really up to you as the analyst, but the point here is to make sure you understand that when it comes to completing investigations in Siemplify you have options to help you improve your efficiency.
For more information about the Explorer view or any other features of the Siemplify Platform, contact us and request a demo today.