Security ActOns consist of the following tabs, and each tab gives you a unique way of handling incoming threats.
- Situation Analysis: Situation-based risk analysis helps you understand and respond to system vulnerabilities at the technical, business, and strategic levels. Impact analysis evaluates whether a Situation is relevant, probable, and linked to business/organizational and strategic objectives.
Situation Analysis consists of the following categories:
- Likelihood: Determines whether the threat events and exposures of concern result in adverse impacts, based on the MITRE tactics detected. The more tactics detected, the higher the score. Detected MITRE tactics are shown in the inverted bar chart, denoted in blue to the right of your likelihood score. The likelihood score becomes more severe as detections increase on the right side of the inverted bar chart.
- Impact: Determines the damage to the asset caused by the threat of concern. The higher the impact score, the more critical the asset.
- Confidence: Determines the accuracy of the signals that come from the source systems, based on the rules set up in the Chronicle Content Management System (CMS). The higher the score, the higher the confidence.
- Entities & Evidence: Entities are the assets or domain names that encounter one or more MITRE ATT&CK detection tactics and techniques.
Security ActOns lets you add a reference list to the different entities, so you can leverage the rules defined in the Chronicle CMS.
To add an entity to the reference list:
- In the Entities & Evidence tab, click Add to List (+) under the Reference List column. A new window appears.
- Select the required list to add the asset to.
- Click Update.
Evidence is the proof (a malicious domain or a file) that triggers the signals from the integrated systems and sources. Evidence lets you know which malicious signals were triggered by threat attacks from the external environment.
- Detections: These are generated by the rules defined in the Chronicle CMS, which allow multiple similar signals to be correlated and merged into a single situation.
Different types of detections belonging to the various MITRE tactics and techniques are shown in the Detections tab. Primary detections are denoted by a blue dot and cannot be delinked from the Detections tab.
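The two ideas above, signals correlated per entity into one situation and a likelihood score that grows with the number of distinct MITRE tactics detected, are easier to reason about with a small model. The following is an added illustrative example, not Security ActOns or Chronicle code: the 0-100 scaling, the confidence and impact formulas, the treatment of the first signal as the primary detection, and all sample entities, hashes and rule confidences are assumptions constructed for the example.

```python
"""Illustrative situation-scoring model (added example, not product code).

Models the documented behaviour: signals from integrated sources are correlated
per entity into one situation; likelihood rises with the number of distinct
MITRE ATT&CK tactics detected; confidence reflects the rules that fired. The
weights, the 0-100 scale and the sample data are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Enterprise ATT&CK tactics, used here only as the denominator for likelihood.
TACTICS = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion",
    "credential-access", "discovery", "lateral-movement", "collection",
    "command-and-control", "exfiltration", "impact",
]


@dataclass(frozen=True)
class Signal:
    entity: str             # asset hostname or domain the signal was raised on
    tactic: str             # ATT&CK tactic assigned by the detection rule
    technique: str          # ATT&CK technique id from the rule
    rule_confidence: float  # 0.0-1.0 confidence of the rule that fired
    evidence: str           # domain, file hash, etc. (constructed values below)


@dataclass
class Situation:
    entity: str
    signals: List[Signal] = field(default_factory=list)

    @property
    def primary(self) -> Signal:
        # Assumption: the first correlated signal is the primary detection.
        return self.signals[0]

    def tactics(self) -> Set[str]:
        return {s.tactic for s in self.signals}

    def likelihood(self) -> int:
        """Distinct tactics detected, scaled to 0-100 (assumed scaling)."""
        return round(100 * len(self.tactics()) / len(TACTICS))

    def confidence(self) -> int:
        """Mean confidence of the rules behind the signals, scaled to 0-100."""
        total = sum(s.rule_confidence for s in self.signals)
        return round(100 * total / len(self.signals))


def impact_score(asset_criticality: int) -> int:
    """Asset criticality 1-5 mapped linearly to 20-100 (assumed mapping)."""
    return max(1, min(5, asset_criticality)) * 20


def correlate(signals: List[Signal]) -> Dict[str, Situation]:
    """Merge all signals that share an entity into one Situation per entity."""
    situations: Dict[str, Situation] = {}
    for sig in signals:
        situations.setdefault(sig.entity, Situation(sig.entity)).signals.append(sig)
    return situations


# Constructed sample signals standing in for the output of integrated sources.
SAMPLE_SIGNALS = [
    Signal("host-a.example.internal", "initial-access", "T1566", 0.9, "phish.example.test"),
    Signal("host-a.example.internal", "execution", "T1059", 0.8, "sha256:PLACEHOLDER_HASH_1"),
    Signal("host-a.example.internal", "execution", "T1204", 0.7, "sha256:PLACEHOLDER_HASH_2"),
    Signal("host-a.example.internal", "command-and-control", "T1071", 0.6, "c2.example.test"),
    Signal("host-b.example.internal", "discovery", "T1087", 0.5, "n/a"),
]


def score_sample() -> Dict[str, Dict[str, int]]:
    """Score the sample: one situation per entity, each with three scores."""
    # Asset criticality would come from an asset inventory; assumed here.
    criticality = {"host-a.example.internal": 5, "host-b.example.internal": 2}
    result: Dict[str, Dict[str, int]] = {}
    for entity, sit in correlate(SAMPLE_SIGNALS).items():
        result[entity] = {
            "likelihood": sit.likelihood(),
            "impact": impact_score(criticality[entity]),
            "confidence": sit.confidence(),
            "tactics": len(sit.tactics()),
        }
    return result


if __name__ == "__main__":
    for entity, scores in score_sample().items():
        print(entity, scores)
```

Note that two execution-stage signals on host-a count as one tactic: likelihood is driven by breadth across the kill chain, not by raw signal volume, which is what makes a situation with three tactics score higher than one with many repeated signals of a single tactic.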
- Detection Timeline: The timeline shows when the first detection occurred and the detections that followed. It also shows situation activities such as severity level and status.
- Event Timeline: This timeline shows the multiple events generated by the source at different times, and the severity of each event (Low, Medium, High, and Critical Risk).
- Graph: Shows the relationships among assets, classifications, sub-classifications, signals, and MITRE tactics & techniques. For more information on the Graph UI, visit here.
- Analysis Log: The analysis log collects the activities that occur while resolving a situation after a malicious threat is detected in the integrated systems, for example checking IP details, determining protocol names, and determining service names.
The Analysis Log lets you edit the logs listed in the table. To edit a log:
- Click one of the logs. The Edit Task window appears on the screen.
- Change the Category from the dropdown list.
- Add Comments (optional).
- Click Enter.