Analyzing incidents to understand attacks

  1. Choose the Agent Logs menu.
    The full list of logs from all agents appears.
  2. Click on the small arrow to the left of the Incident log to open it. The log contains lines of standard logs. For further information on how to read standard logs, refer to the section Viewing and managing agent logs in the administration console.
  3. Click on the Incident icon to the right of the incident to display the detailed view of the incident. This view consists of three sections:
    • Attack chart: represents the attack launched on the agent in the form of a graph. It shows all the processes involved in the incident and how processes are linked to one another.
    • Context logs: lists all the logs of events surrounding the attack. The Alerts only button is enabled by default and only alerts are shown. Click on the button to show context logs as well.
    • Information or Raw logs view: additional information about the item selected in the graph. Raw logs are generated in JSON format.
  4. When the view opens, the attack chart marks the item that was attacked with a small blue shield. Click on the processes that come before it (i.e., its parent processes) and read the related information in the right pane. The Hash is particularly useful for checking whether the process has already been identified as malicious in the database of known malware.
    A red struck-through seal on a process means that it was not signed by a digital signature certificate when it was compiled.
  5. EXAMPLE
    In our example, several indicators show that the first process is suspicious:
    • There is a red seal on its icon, meaning that the process is not signed,
    • Its Name was randomly generated,
    • It was executed by Winword, which does not usually execute such processes,
    • Its Path C:\Users\abott\AppData\Local\Temp shows that it was run in a temporary folder.
  6. Depending on the agent group configuration, the detailed context may not appear automatically. If you need more context, click on Request more details so that the agent will report all information to the agent handler. For further information on configuration, refer to the section Configuring detailed incidents generated by agents.
  7. To search for context logs, enter your character string in the Search field. For the search syntax, refer to Search syntax help.
  8. Searches will cover context logs.

    Only logs that match the search will remain displayed in the list. Searches have no impact on the attack chart.

    EXAMPLE

    In our example, the command line of the WINWORD.exe process indicates that a file invoice.doc was created. Searching for the string invoice.doc "file creation" will display all logs that include these terms and also reveal that chrome.exe created this file.

  9. If you have identified a log that may help you understand the attack, pin it to the chart by clicking on the Pin icon. The log is added to the chart as a new event and modifies the chart accordingly.

    To list only logs that match items in the chart, click on Pinned only.
  10. EXAMPLE

    In our example, if you pin the log that mentions the creation of the invoice.doc file, you can understand how the attack was performed: the malware was launched on the workstation by an infected Word document (invoice.doc) that the user downloaded via Chrome and opened. It was a phishing attempt blocked by SES Evolution.

    Search of the invoice.doc string in incidents
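    As an added example (not part of this documentation or of SES Evolution itself), the following Python script applies the same reasoning to constructed raw logs: it walks the parent chain of the attacked process, flags the four indicators listed in the example of step 5, and runs a context-log search in which a double-quoted phrase is kept together. The JSON field names and the search semantics (all terms must match) are assumptions made for this example.

```python
import json
import re

# Constructed sample of raw incident logs, one JSON object per line as the Raw logs
# view shows them. Field names are an assumption for this example, not the product schema.
RAW_LOGS = r"""
{"pid": 1, "ppid": 0, "name": "explorer.exe", "path": "C:\\Windows", "signed": true, "event": "process start", "detail": ""}
{"pid": 2, "ppid": 1, "name": "chrome.exe", "path": "C:\\Program Files\\Google\\Chrome\\Application", "signed": true, "event": "file creation", "detail": "C:\\Users\\abott\\Downloads\\invoice.doc"}
{"pid": 3, "ppid": 1, "name": "WINWORD.EXE", "path": "C:\\Program Files\\Microsoft Office\\root\\Office16", "signed": true, "event": "process start", "detail": "WINWORD.EXE /n C:\\Users\\abott\\Downloads\\invoice.doc"}
{"pid": 4, "ppid": 3, "name": "xk4r9qzt.exe", "path": "C:\\Users\\abott\\AppData\\Local\\Temp", "signed": false, "event": "process start", "detail": ""}
"""

def load_logs(text):
    """Parse one JSON log per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def parent_chain(logs, pid):
    """Follow ppid links from the attacked process up to the root (reading the chart upward)."""
    by_pid = {log["pid"]: log for log in logs if log["event"] == "process start"}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def suspicious_indicators(proc, parent):
    """The four indicators from the example; the 'random name' rule is a simple heuristic."""
    found = []
    if not proc["signed"]:
        found.append("unsigned")
    stem = proc["name"].lower().rsplit(".", 1)[0]
    if re.search(r"[a-z]", stem) and re.search(r"[0-9]", stem) and len(stem) >= 8:
        found.append("random name")
    if parent is not None and parent["name"].lower().startswith("winword"):
        found.append("launched by Winword")
    if "\\appdata\\local\\temp" in proc["path"].lower():
        found.append("temp path")
    return found

def search_logs(logs, query):
    """Keep logs whose fields contain every term; quoted phrases stay together (assumed syntax)."""
    terms = [t.strip('"').lower() for t in re.findall(r'"[^"]+"|\S+', query)]
    hits = []
    for log in logs:
        haystack = " ".join(str(v) for v in log.values()).lower()
        if all(term in haystack for term in terms):
            hits.append(log)
    return hits

if __name__ == "__main__":
    logs = load_logs(RAW_LOGS)
    chain = parent_chain(logs, 4)
    print("chain:", " <- ".join(p["name"] for p in chain))
    print("indicators:", suspicious_indicators(chain[0], chain[1]))
    print("creator of invoice.doc:", [h["name"] for h in search_logs(logs, 'invoice.doc "file creation"')])
```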

  11. To examine a specific part of the chart more closely, move your mouse and zoom using the buttons at the bottom right of the chart. You can also use the left button on the mouse together with the scroll wheel.
  12. Since identical processes are grouped by default, disable Group events at the top right to expand the grouped items and analyze them individually.
  13. Once you have completed your analysis, click on the back arrow at the top on the left to return to the standard log panel. All your changes will be saved and appear the next time you open the incidents view.