In this article, we're going to take a look at Incidents, beginning with a quick overview.
What are Incidents and how do they work? An incident is a set of correlated alerts. Interceptor automatically correlates related alerts into incidents to reduce the analyst's workload and to give each investigation context.
Cyberattacks do not happen over the course of a single alert
A cyberattack involves many different techniques. As the attacker moves through these stages, Interceptor raises an alert at each one and then correlates the alerts together to give you more context on what is happening in your network.
For example, to gain initial access an attacker might brute-force a Remote Desktop Protocol (RDP) server, then move laterally over unprotected Windows shares to deploy malware, which in turn calls its command and control (C2) server by establishing an HTTP reverse tunnel to an IP address never before observed in the network. Each stage produces its own alert; correlated together, they form an incident with a high diversity of artifacts, as shown below:
The next screenshot shows an incident with a low diversity of artifacts. Here every artifact type (source IP, destination IP, alert policy and domain) has only one distinct value:
Another good indicator of a malicious incident is the MITRE ATT&CK matrix view, found in the top-right corner of the incident view. It shows which MITRE ATT&CK techniques the alerts in the incident map to. The number of distinct techniques is one of the factors that drive an incident's severity: the more techniques an incident contains, the higher its severity.
Two examples of the MITRE ATT&CK matrix view can be seen here:
To access Incidents, go to the Cybersecurity ▶ Incidents window.
Setting the Reporting Period
You can set the reporting period from the Time Range menu, as shown below:
Viewing Details for an Incident
Hover over an incident, or click its row in the table, to display the incident's details. This information covers the following for each incident:
- Severity Index
- Current Status
- Number of Alerts
- Created, Last modified and Time of Last Alert
To modify the name of the incident, click the pencil icon, next to the default incident name in the top-left corner.
Incidents are categorized by severity index as follows:
- 0-3 Low severity (green)
- 3-5 Medium severity (yellow)
- 5-7 High severity (orange)
- 7+ Critical severity (red)
Investigating an Incident
You can also click Investigate to show more information about an incident, including when the incident was created, when the last alert within the incident was detected, and when the incident was last modified. Last modified records the last time a user modified the incident, for example by changing its status from New to In Progress.
To change the incident status, select an incident and choose the desired value from the Status drop-down menu. Incidents have the following statuses:
- New
- In Progress
- Resolved
- Closed
Once you change an incident from New to In Progress, it cannot be switched back to New. An incident that is Resolved or Closed cannot be switched back to New either; a Closed incident can, however, be re-opened.
Note: Alerts cannot be added to incidents that are in the In Progress, Resolved or Closed state.
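The following is an added illustrative model, not Skylight Interceptor's own code, that ties together the two mechanisms described above: the correlation of an attack chain into a single incident with its artifact diversity and distinct MITRE ATT&CK techniques (the overview), and the status transitions and the rule that only a New incident keeps receiving alerts (this section). The correlation rule (shared IP within a time window), the severity formula, the band boundaries at 3, 5 and 7, and the exact set of allowed transitions (New to any other state, Closed re-opening to In Progress, Resolved being final) are assumptions made for the example; the sample alerts, IPs and domain are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Artifact types named on the page (source IP, destination IP, alert policy, domain).
ARTIFACT_FIELDS = ("src_ip", "dst_ip", "policy", "domain")

# Status transitions. New -> Resolved/Closed directly, Closed re-opening to
# In Progress, and Resolved being final are assumptions; the rest is from the page.
TRANSITIONS: Dict[str, set] = {
    "New": {"In Progress", "Resolved", "Closed"},
    "In Progress": {"Resolved", "Closed"},
    "Resolved": set(),
    "Closed": {"In Progress"},
}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    src_ip: str
    dst_ip: str
    policy: str
    domain: str
    technique: str  # MITRE ATT&CK technique ID, e.g. "T1110"


class Incident:
    def __init__(self, incident_id: int, first: Alert) -> None:
        self.id = incident_id
        self.status = "New"
        self.alerts: List[Alert] = [first]
        self.created = self.last_alert = self.last_modified = first.ts
        self.history = [("New", first.ts)]  # the Comments and Status log

    def add_alert(self, alert: Alert) -> None:
        # Page rule: no alerts are added once In Progress, Resolved or Closed.
        if self.status != "New":
            raise ValueError(f"incident {self.id} is {self.status}; cannot add alerts")
        self.alerts.append(alert)
        self.last_alert = max(self.last_alert, alert.ts)

    def set_status(self, new_status: str, when: datetime) -> None:
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.status} -> {new_status} is not allowed")
        self.status = new_status
        self.last_modified = when  # only user actions update Last modified
        self.history.append((new_status, when))

    def ips(self) -> set:
        return {a.src_ip for a in self.alerts} | {a.dst_ip for a in self.alerts}

    def artifact_diversity(self) -> Dict[str, int]:
        """Distinct values per artifact type; all ones is the page's low-diversity case."""
        return {f: len({getattr(a, f) for a in self.alerts}) for f in ARTIFACT_FIELDS}

    def techniques(self) -> List[str]:
        return sorted({a.technique for a in self.alerts})

    def severity_index(self) -> float:
        # Hypothetical heuristic, not Interceptor's scoring: each distinct technique
        # adds 1.5, each artifact type with more than one distinct value adds 0.5.
        diversified = sum(1 for n in self.artifact_diversity().values() if n > 1)
        return 1.5 * len(self.techniques()) + 0.5 * diversified


def severity_category(index: float) -> str:
    """Map an index to the page's bands; 3, 5 and 7 starting the next band is an assumption."""
    if index < 3:
        return "Low"
    if index < 5:
        return "Medium"
    if index < 7:
        return "High"
    return "Critical"


def correlate(alerts: List[Alert], window: timedelta = timedelta(minutes=30),
              incidents: Optional[List[Incident]] = None) -> List[Incident]:
    """Toy correlation (assumed rule): an alert joins an incident still in New status if
    it shares an IP with that incident and arrives within `window` of its last alert.
    Otherwise it opens a new incident, which is also what happens after a Close."""
    incidents = incidents if incidents is not None else []
    for alert in sorted(alerts, key=lambda a: a.ts):
        for inc in incidents:
            if (inc.status == "New" and alert.ts - inc.last_alert <= window
                    and {alert.src_ip, alert.dst_ip} & inc.ips()):
                inc.add_alert(alert)
                break
        else:
            incidents.append(Incident(len(incidents) + 1, alert))
    return incidents


# Constructed sample alerts following the page's chain: RDP brute force, lateral
# movement over an admin share, then an HTTP reverse tunnel to a new external IP.
T0 = datetime(2022, 5, 1, 10, 0)
SAMPLE_CHAIN = [
    Alert(T0, "198.51.100.9", "10.0.0.20", "RDP brute force", "-", "T1110"),
    Alert(T0 + timedelta(minutes=5), "10.0.0.20", "10.0.0.21", "SMB admin share access", "-", "T1021.002"),
    Alert(T0 + timedelta(minutes=9), "10.0.0.21", "203.0.113.7", "HTTP reverse tunnel", "c2.example", "T1071.001"),
]

if __name__ == "__main__":
    inc = correlate(SAMPLE_CHAIN)[0]
    print(inc.artifact_diversity(), inc.techniques())
    print(inc.severity_index(), severity_category(inc.severity_index()))
```

Run stand-alone, the three alerts collapse into one incident with three distinct techniques and more than one value in every artifact type, which the heuristic places in the High band, while a lone brute-force alert stays Low. Closing that incident and feeding in a later alert from the same source opens a second incident rather than extending the first, matching the behaviour described for Closed incidents.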
Defining Closed and Resolved Incidents
A Closed status indicates that the incident did not require remediation: it was closed because it was determined that there was no real threat. Any new alert that comes in after an incident is closed is opened as a new incident.
A Resolved status means that the incident was malicious, required remediation and has received it. This is an incident that has been fixed.
Filtering and Data Copying
To filter the alerts in an incident, click any cell in the Alerts table. This adds the cell's value to the action bar, where you click the Filter icon or the Crossed Filter icon to add it to the filter. When adding the value to the filter, you can choose Include or Exclude to have the matching alerts included or excluded respectively.
To copy the value of a cell, click the Copy icon.
Working with Incident Alerts
If you want to see all alerts of an incident in the Alerts tab, click the following button:
This will redirect you to the Alerts tab with a filter pre-set that includes the incident ID.
For more information on how to work with Alerts you can read the Detection article here.
Distribution Settings and Correlation
You can change which columns are displayed in the Distribution with correlation window from the distribution settings. The values that can be shown or hidden are:
- Source IP
- Destination IP
- Alert Policy
- Paired IP addresses
From here, you can also adjust column width and set text to Small, Medium, Large or Fit.
The Fit option automatically sizes the display to fit the screen and avoids truncated information.
You can also move values around or click on a value to use filters to include or exclude these values from the view of alerts.
Top Detected Techniques
Click the right panel to see Top Detected Techniques, a breakdown of all alerts in the incident by MITRE ATT&CK technique.
To see all alerts belonging to a specific technique, click that technique in the MITRE matrix. This gives you another view of the techniques an attacker has used against the environment.
Comments and Status Section
You can see the history of an incident status and add comments on the investigation in the Comment and Status section. This is a useful tool to track changes in status and view a log of comments.
© 2022 Accedian Networks Inc. All rights reserved. ®, Accedian Networks®, the Accedian logo™, Skylight™, Skylight Interceptor™ and per-packet intel™, are trademarks or registered trademarks of Accedian Networks Inc. To view a list of Accedian trademarks visit: http://accedian.com/legal/trademarks/.