Security ActOns consist of the following tabs, and each tab gives you a unique way of handling incoming threats.
- Situation Analysis: Situation-based risk analysis facilitates understanding of and response to system vulnerabilities at the technical, business, and strategic levels. Impact analysis evaluates whether a Situation is relevant, probable, and linked to business, organizational, and strategic objectives.
  Situation Analysis consists of the following components:
  - Likelihood: Determines whether the threat events and exposures of concern result in adverse impacts, based on the behavior of the detected MITRE tactics. The more tactics are detected, the higher the score. The detection of MITRE tactics is shown in the inverted bar chart and is denoted by the blue color to the right of your likelihood score. The likelihood score becomes more severe as detections increase on the right side of the inverted bar chart.
  - Impact: Determines the damage that the threat of concern causes to the asset. The higher the impact score, the more critical the asset.
  - Confidence: Determines the accuracy of the signals that come from the source systems, based on the rules set up in the Chronicle Content Management System. The more accurate the signals, the higher the confidence score.
  For how these components are combined to quantify risk and how they are associated with an ActOn, refer to this article.
- Impacted Functions: This tab shows the list of functions that are associated with the ActOn. In this tab, you can filter the listed functions by
- Entities & Evidences: Entities are the assets or domain names that encounter one or more MITRE ATT&CK detection tactics and techniques.
  Security ActOns let you add the different entities to a reference list, where you can leverage the rules that are defined in the Chronicle CMS.
  To add an entity to the reference list:
  1. In the Entities & Evidence tab, click Add to List (+) under the Reference List column. A new window opens.
  2. Check the required list to add the asset.
  3. Click Update.
  Evidence is the proof (a malicious domain or a file) that triggers the signals from the integrated systems and sources. Evidence provides you with information on the malicious signals that are triggered by threat attacks from the external environment.
- Detections: These are generated by the rules defined in the Chronicle CMS, which allow multiple similar signals to be correlated and merged into a single Situation.
  The different types of detections that belong to the various MITRE tactics and techniques are shown in the Detections tab. The initial detections linked to an ActOn are marked as primary next to the detection, and these primary detections cannot be delinked from the Detections tab. To view the linked signals of an ActOn in a visual representation and perform analysis, click View in Signal Analytics.
Delinking a signal from an ActOn
Use this procedure to delink a signal from an ActOn. Note that you cannot delink the primary signals.
1. Click on a security ActOn. This displays the different tabs.
2. Click the Detections tab to see the primary and secondary signals associated with the ActOn.
3. Click the kebab menu corresponding to an ActOn and select Delink Signal. This opens the Delink Signal from ActOn side panel.
4. Select the reason. Possible values:
   - Create Domain-Specific ActOn: Create an ActOn specific to the domain.
   - Signal Got Self-Healed: The issue that triggered the signal was self-healed without any intervention from the SOC team.
   - Unrelated Signal: The signals were correlated based on matching rules, but the correlation was inaccurate.
   - Signal Can Be Ignored: Delink signals that lack suspicious characteristics.
   - Others: Any other reason not covered by the previous options. Selecting this displays a text field where you can specify the exact reason for delinking this signal from the current ActOn.
5. Select Link to New ActOn or Link to an Existing ActOn. If you want to link the signal to an existing ActOn, this shows the list of ActOns that have already been created.
6. Select the radio button corresponding to the ActOn to which you want to link the signal. To find the specific ActOn, you can search by ActOn ID or Title in the search box.
7. Click Submit.
Marking a signal as the root cause signal
Use this procedure to mark or unmark a signal as the root cause signal. Root cause signals are the ones responsible for the formation of an ActOn.
1. Click on a security ActOn. This displays the different tabs.
2. Click the Detections tab to see the primary and secondary signals associated with the ActOn.
3. Click the kebab menu corresponding to an ActOn and select Mark as Root Cause.
- Detection Timeline: The timeline enables you to know when the first detection occurred, followed by the other detections. Also, the timeline shows the Situation activities, like severity level and status.
- Event Timeline: This timeline shows the multiple events that are generated from the source at different times and the severity of the events (Low, Medium, High, and Critical Risk).
- Graph: Shows the relationships among the assets, classifications, sub-classifications, signals, and MITRE tactics & techniques.
- Escalations: Escalations provide details such as the primary on-call responder, the type of functions involved, and the status of the escalation policies that are linked to an ActOn. For more information on escalations, refer to this article.
- Activity: The Activity tab allows you to add notes and check the activities performed by users on this ActOn.
  - Notes: Notes are the comments given by the users who are involved in remediating the ActOn. You can always use the copy-to-clipboard option to copy the notes. The notes are classified as:
    - Work Notes: These comments are visible to an external audience. By default, they are synced to external ITSM and SOAR platforms.
    - Internal Notes: These comments are visible to company-specific users only and are not synced to external ITSM and SOAR platforms.
    - Resolution Notes: These comments are updated when an ActOn is resolved. The resolution notes on external ITSM or SOAR platforms also have to be updated, and their status has to be changed to Resolved.
Creating Notes
You can create notes of the types described above.
To create notes:
1. Under the Activity tab, click Notes.
2. Select the type of note you want to post from the drop-down menu. Possible values:
   - Work Note
   - Internal Note
   - Resolution Note
3. Select a predefined template or enter your comments, and enter the time spent on the ActOn in minutes or hours.
4. Click Post.
You can use the All Notes drop-down menu to filter notes by type, such as Work Note, Internal Note, or Resolution Note. Select the check boxes corresponding to the note types you want to view.
Viewing the history
To view the history:
1. Under the Activity tab, click History. This shows the activities performed by users on this particular ActOn.
2. Review this information:
   - Message: The activity that was performed.
   - User: The user who performed the activity.
   - Activity Time: The timestamp of the activity.
Use the manage columns button to change the order of the columns or to select the columns you want to view.
- ActOn Analyzer: Answers your questions specific to an ActOn and provides relevant information such as the summary, notes, user details, correlated signals, and impacted asset details to help you mitigate the ActOn.
  Available options on the ActOn Analyzer include:
  - Copy to Clipboard: Allows you to quickly copy AI-generated responses to your clipboard for easy pasting and sharing.
  - Start Again: Clears the entire chat session, enabling you to start a new session with a fresh query box.
  - Delete: Enables you to delete a specific response from the chat by clicking the delete icon next to the response.
  - Thumbs Up/Thumbs Down: Provides a way to give feedback on each AI-generated response, indicating whether you are satisfied or not satisfied with the answer received.
- Analysis Log: The analysis log collects the activities that are performed while resolving Situations when a malicious threat is detected in the integrated systems, for example checking IP details, determining protocol names, and determining service names.
  The analysis log allows you to create a new log or edit the existing logs in the table.
  To create a log:
  1. On the Analysis Logs page, click the icon. The Create Task window appears.
  2. Enter a Name for the task.
  3. (Optional) Add a Description.
  4. (Optional) In the Assign To field, assign a user to the task from the drop-down menu.
  5. (Optional) In the Category field, select the category to which the task belongs.
  6. (Optional) In the Start Date and Due Date fields, select the date and time when the task starts and when it must be closed.
  7. Under Task Dependency, select one of the following:
     - No: This task is not dependent on other tasks in the Analysis log.
     - Yes: This task is dependent on other tasks that are available in the Analysis log. You can link the task to the other tasks here.