Perform Evidence & Entities Investigations (part 2)



To read part 1 please click here 


Investigate a User Account

You can easily identify the user accounts with the most active alerts (displayed on the dashboard as "Users at risk") and investigate the cases of potentially compromised credentials, or pivot on the associated user account when investigating an alert or device to identify possible lateral movement between the devices with that user account.

You can find user account information in the following views:

  • Dashboard
  • Alert queue
  • Device details page

A clickable user account link is available in these views, which will take you to the user account details page where more details about the user account are shown and when you investigate a user account entity, you will see:

User details

The User details pane on left provides information about the user, like the related open incidents, active alerts, SAM name, SID, Azure ATP alerts, number of devices the user is logged on to, when the user was first and last seen, role, and log-on types. The Azure ATP alert sections contains a link that will take you to the Azure ATP page if you have enabled the Azure ATP feature, and there are alerts related to the user. The Azure ATP page will provide more information about the alerts.

Overview

The Overview tab shows the incident details and a list of the devices the user has logged on to. You can also expand these to see the details of the log-on events for each device.

Alerts

The Alerts tab provides a list of the alerts that are associated with the user account which is a filtered view of the Alert queue and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the device associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert.

Observed in organization

This tab allows you to specify a date range to see a list of the devices where this user was observed logged on to, the most frequent and the least logged on user account for each of these devices, and the total observed users on each device. By selecting an item on the Observed in organization table, you will expand the item, revealing more details about the device while directly selecting a link within a item will send you to the corresponding page. 

Investigate an IP Address

you can keep in check the possible communication between your devices and external Internet Protocol (IP) addresses while simultaneously identifying all the devices in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of the breach, associated files, and infected devices. You can find information from the following sections in the IP address view:

  • IP Worldwide and Reverse DNS names- The IP address details section shows attributes of the IP address such as its ASN and its Reverse DNS.

  • Alerts related to this IP- The alerts related to this IP section provides a list of the alerts that are associated with the IP.

  • IP in organization- The IP in the organization section provides details on the prevalence of the IP address in the organization.

  • Prevalence- The prevalence section displays how many devices have connected to this IP address and when the IP was the first and the last seen. You can also filter the results of this section by time period; the default period is 30 days. 

Investigate a Domain

You can easily investigate a domain to see if the devices and the servers in your enterprise network have been communicating with a known malicious domain by using the search feature or by clicking on a domain link from the Device timeline. You can see the information from the following sections in the URL view:
  • URL details, Contacts, Nameservers
  • Alerts related to this URL
  • URL in organization
  • Most recent observed devices with URL

URL worldwide

The URL worldwide section lists the URL, a link to further details, the number of related open incidents, and the number of active alerts.

Incident

The incident card displays a bar chart of all the active alerts in incidents over the past 180 days. 

Prevalence

This card provides details of the URLs prevalence within the organization over a specified period of time. and although the default time period is the past 30 days, you can customize the range by selecting the downward-pointing arrow in the corner of the card. The shortest range available for prevalence is over the past day, while the longest range is over the past six months.

Alerts

This tab provides a list of the alerts that are associated with the URL while the table shown here is a filtered version of the alerts visible on the Alert queue screen, showing only alerts associated with the domain, their severity, status, the associated incident, classification, investigation state, and more. 

Observed in organization

This tab provides a chronological view of the events and the associated alerts observed on the URL while including the timeline and a customizable table listing the event details such as, the time, device, and a brief description of what happened. Investigate a domain:
  1. Select URL from the Search bar drop-down menu.
  2. Enter the URL in the Search field. 
  3. Select the search icon or press Enter. The details about the URL are displayed. Search results will only be returned for the URLs observed in the communications from the devices in the organization. 
  4. Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all the devices in the organization observed communicating with the URL, the file associated with the communication and the last date observed.
  5. Selecting any of the device names will take you to that device's view, where you can continue to investigate reported alerts, behaviors, and events.   



To read part 1 please click here 




Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)