Visualization of signals using the graph helps you investigate:
- the type of signals optimized/correlated,
- from what log source type (for example, DNS server) the signal originated,
- from which IP address/device and network user the signal was detected,
- to which MITRE tactics and techniques the signal is linked,
and determine whether you need to act on any situation or suspicious activity detected in the logs ingested from your network. You can also perform risk analysis of your IT infrastructure by exploring signals in the Graph.
Roles and Permissions Required
- Global Admin
- Account Owner
To explore signals in the graph, navigate to Security --> Signal Analytics from the left navigation menu. You can name your exploration and save the graph signals you have explored for future use in the UI.
UI elements in a Graph
Date Selector: allows you to customize your data selection based on the following timelines. By default, dates are adjusted to show 3000 signals.
- Last 3 months: displays the signals in the past 3 months
- Last 1 month: displays the signals in the past 1 month
- Last 7 days: displays the signals in the past 7 days
- Last 24 Hours: displays the signals in the past 24 hours
Layout: selects a readable and understandable arrangement of the graph. Based on your preference, you may choose any of the layouts from the list below to understand how different nodes are connected and what can be deduced from the graph. These are:
- Standard: The default force-directed graph layout which tries to keep link lengths consistent.
- Structural: places nodes which are structurally similar together in the network.
- Lens: places the node in a circle-like grid, with connected nodes next to each other.
ML Tool kit: This tool kit enables you to cluster by:
- Similar signals: Signals that are alike cluster together, forming different clusters based on their nearest mean (cluster center or centroid); each cluster center serves as a prototype of its cluster. For more details on clustering, refer to this documentation.
- Mitre Tactic: To know more details, refer to this documentation.
- Mitre Technique: To know more details, refer to this documentation.
- Log Source Type: includes Zeek, EDR, Office 365, etc.
- ActOn: To know more details, refer to this documentation.
- MITRE Attack Matrix: To know more details, refer to this documentation.
- Time Series Analysis: forecasts signals based on their discrete time of generation from the source. In Time Series Analysis, you can analyze the following components:
  - Trend: The signal trend across a time series graph is the general direction of movement exhibited by the data points over time.
  - Outlier: Signal outliers across a time series graph are data points that deviate significantly from the expected pattern or trend, indicating unusual behavior or measurement errors.
  - Change Points: Signal change points across a time series graph are the points in time where there is a significant change or shift in the underlying pattern or behavior of the data.
  - Motifs: Signal motifs across a time series graph are recurring patterns or shapes observed within the data that occur at regular intervals.
  - Forecasting: predicts the upcoming signals in a graph across multiple time intervals.
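The "Similar signals" option groups signals by their nearest cluster mean, which is the k-means idea. The following is an added example, not the product's own code or algorithm: a small, dependency-free k-means over constructed signal records (the signal IDs, log source types, technique IDs and hours are made up, and the one-hot feature encoding and farthest-first seeding are choices made here, not anything the page states). It shows how signals from the same source type and technique fall into one cluster even when their detection times differ.

```python
import math

# Constructed sample signals (not real product data). Each carries the log
# source type it came from, the MITRE ATT&CK technique it is linked to and
# the hour of day it was detected.
SIGNALS = [
    {"id": "sig-01", "source": "dns",       "technique": "T1071", "hour": 1},
    {"id": "sig-02", "source": "dns",       "technique": "T1071", "hour": 2},
    {"id": "sig-03", "source": "dns",       "technique": "T1071", "hour": 3},
    {"id": "sig-04", "source": "edr",       "technique": "T1059", "hour": 13},
    {"id": "sig-05", "source": "edr",       "technique": "T1059", "hour": 14},
    {"id": "sig-06", "source": "office365", "technique": "T1110", "hour": 20},
    {"id": "sig-07", "source": "office365", "technique": "T1110", "hour": 21},
    {"id": "sig-08", "source": "office365", "technique": "T1110", "hour": 22},
]


def encode(signals):
    """One-hot encode the categorical fields and scale the hour into [0, 1).
    The encoding is an assumption of this example, not the product's."""
    sources = sorted({s["source"] for s in signals})
    techniques = sorted({s["technique"] for s in signals})
    vectors = []
    for s in signals:
        vec = [1.0 if s["source"] == v else 0.0 for v in sources]
        vec += [1.0 if s["technique"] == v else 0.0 for v in techniques]
        vec.append(s["hour"] / 24.0)
        vectors.append(vec)
    return vectors


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def mean(points):
    n = len(points)
    return [sum(p[i] for p in points) / n for i in range(len(points[0]))]


def init_centroids(vectors, k):
    """Farthest-first seeding: deterministic, and it avoids seeding two
    centroids inside the same dense group of signals."""
    centroids = [vectors[0]]
    while len(centroids) < k:
        farthest = max(vectors, key=lambda v: min(distance(v, c) for c in centroids))
        centroids.append(farthest)
    return centroids


def kmeans(vectors, k, max_iter=100):
    """Assign each vector to its nearest centroid, recompute centroids as the
    mean of their members, repeat until the assignment stops changing."""
    centroids = init_centroids(vectors, k)
    assignment = [-1] * len(vectors)
    for _ in range(max_iter):
        new_assignment = [
            min(range(k), key=lambda j: distance(v, centroids[j])) for v in vectors
        ]
        if new_assignment == assignment:
            break
        assignment = new_assignment
        for j in range(k):
            members = [v for v, a in zip(vectors, assignment) if a == j]
            if members:  # leave an emptied centroid where it is
                centroids[j] = mean(members)
    return assignment, centroids


def cluster_signals(signals, k):
    """Return the clusters as lists of signal IDs, in a stable order."""
    assignment, _ = kmeans(encode(signals), k)
    clusters = {}
    for s, a in zip(signals, assignment):
        clusters.setdefault(a, []).append(s["id"])
    return sorted(clusters.values())


if __name__ == "__main__":
    for group in cluster_signals(SIGNALS, 3):
        print(group)
```

With k=3 the DNS/T1071, EDR/T1059 and Office 365/T1110 signals each form one cluster; the hour feature only separates signals within a cluster, since it is scaled far below the one-hot distance between categories.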
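The trend, outlier, change-point and forecasting components described under Time Series Analysis can be illustrated on a short series of daily signal counts. The block below is an added example written for this page, not the product's implementation: the counts are constructed (a quiet period, one spike, then a sustained step up), and the methods used are ordinary choices made here (least-squares slope for trend, a single L1-cost split for the change point, a median/MAD z-score per regime for outliers, and a linear projection of the current regime for the forecast). Motifs are not covered.

```python
import statistics

# Constructed daily signal counts (not product data): ten quiet days around 10,
# a one-day spike to 60, then a sustained step up to about 25 per day.
COUNTS = [10, 11, 9, 10, 12, 10, 9, 11, 10, 10, 60, 25, 24, 26, 25, 27, 25, 26, 24, 25]


def trend_slope(series):
    """Least-squares slope: how many signals per interval the series gains on average."""
    n = len(series)
    x_mean = (n - 1) / 2
    y_mean = sum(series) / n
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(series))
    sxx = sum((x - x_mean) ** 2 for x in range(n))
    return sxy / sxx


def change_point(series, min_len=2):
    """Index at which one shift in level best splits the series.
    Cost is the sum of absolute deviations from each side's median, so a
    single spike does not drag the split towards itself."""
    best_t, best_cost = None, float("inf")
    for t in range(min_len, len(series) - min_len + 1):
        left, right = series[:t], series[t:]
        cost = sum(abs(v - statistics.median(left)) for v in left) + \
               sum(abs(v - statistics.median(right)) for v in right)
        if cost < best_cost:
            best_t, best_cost = t, cost
    return best_t


def outliers(series, threshold=3.5):
    """Indices whose robust z-score exceeds the threshold. The score is taken
    per regime (before/after the change point) so that the step change itself
    is not reported as a run of outliers."""
    cp = change_point(series)
    flagged = []
    for start, seg in ((0, series[:cp]), (cp, series[cp:])):
        med = statistics.median(seg)
        devs = [abs(v - med) for v in seg]
        mad = statistics.median(devs)
        # 1.4826 * MAD estimates the standard deviation; fall back to the mean
        # absolute deviation when more than half the points sit on the median.
        scale = 1.4826 * mad if mad > 0 else 1.2533 * (sum(devs) / len(devs))
        if scale == 0:
            continue  # constant segment: nothing can be an outlier
        for i, v in enumerate(seg):
            if abs(v - med) / scale > threshold:
                flagged.append(start + i)
    return flagged


def forecast(series, horizon=3):
    """Fit a line to the current regime with outliers removed and project it
    over the next `horizon` intervals."""
    cp = change_point(series)
    bad = set(outliers(series))
    xs = [i for i in range(cp, len(series)) if i not in bad]
    ys = [series[i] for i in xs]
    x_mean = sum(xs) / len(xs)
    y_mean = sum(ys) / len(ys)
    sxx = sum((x - x_mean) ** 2 for x in xs)
    slope = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys)) / sxx if sxx else 0.0
    intercept = y_mean - slope * x_mean
    return [round(intercept + slope * x, 2) for x in range(len(series), len(series) + horizon)]


if __name__ == "__main__":
    print("trend slope     :", round(trend_slope(COUNTS), 3))
    print("change point at :", change_point(COUNTS))
    print("outlier indices :", outliers(COUNTS))
    print("next 3 forecast :", forecast(COUNTS, 3))
```

On the constructed series the change point lands on day 10, the spike on that same day is the only outlier, and the forecast follows the new level of roughly 25 signals per day rather than being pulled up by the spike. Running the same functions on a real export of signal counts per interval is what the Time Series Analysis view does for you visually.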
Graph Timeline: When you click the play button provided in the timeline, it filters the signals based on their arrival time (timestamp).
Navigator: Click the button to open a small overview pane inside the white canvas of the graph area so that you can view all nodes by dragging the view from one place to another.
Full Screen: Click the button to enable the complete view of the graph.
Cursor Mode: Click the button to navigate and interact with each node in the graph. You can hide or remove the link between two signals and connect the end of one signal to another.
Drag Mode: Click the button to drag the entire graph from one place to another within the white canvas area.
Zoom In: Click the button to enlarge the view of a particular node or nodes within the graph area.
Zoom Out: Click the button to shrink the view of the entire graph within the white canvas area.
Histogram: enables you to segregate your network data based on the following filters.
- Log Source
- Network Email From
- Attack Techniques
- Attack Tactics
- Log Source Type
- Principal Host Name
- Target User ID
- Product Event Type
- Security Result Actions
- ActOn ID
- Target Process File Full Path
- Security Result Threat name
- Target Host Name
- Event Network Email To
Signal: Clicking any signal that the clustering algorithm has optimized in the graph takes you to the Signals tab, where you can click Further Analysis to be redirected to the Chronicle UI and analyze the raw event logs for more details about the signal. If the signal generates a situation, the Jump to ActOn button is enabled under the Signals tab.
The following image shows the correlation of duplicated signals by clustering algorithm.