Threats Analysis
Based on the events collected from endpoints, when the threat detection engine detects a threat, you can view the threat details in the Web Console.
The information you can check in Analysis > Overview is as follows.
Item | Description |
---|---|
Threats Status | New: number of newly detected threats. In Process: number of threats a person in charge has taken ownership of in Management and is currently reviewing. Resolved: number of threats for which the person in charge has recorded a verdict (Malicious/Safe/Hold) in Management. The Resolved count is only displayed when Include Resolved Threats is selected. |
Endpoints Status | UP: number of endpoints with the agent installed that are currently running (UP). DOWN: number of endpoints with the agent installed that are currently down. Deleted: number of endpoints whose agent has been deleted. Quarantined: number of endpoints in Network Blocked (Quarantine) status. Endpoints in Network Blocked (Quarantine) status can still communicate with the Insights server. |
New Threats | Displays the five most recent threat occurrences (yellow background if detected within the last hour). |
Show Threats Settings | Include Resolved Threats: whether threats already checked by users are included in the display. Search Date: search threats over a range from today back to at most one month. The ranges are defined as follows, using a current time of 2021-06-06 13:00 as the example: Today: 2021-06-06 00:00 ~ 2021-06-06 23:59; Yesterday: 2021-06-05 00:00 ~ 2021-06-05 23:59; This week: 2021-06-04 00:00 ~ 2021-06-10 23:59; Last week: 2021-05-28 00:00 ~ 2021-06-03 23:59; Day 1: 2021-06-05 00:00 ~ 2021-06-06 23:59; 1 week: 2021-05-30 00:00 ~ 2021-06-06 23:59; 1 month: 2021-05-06 00:00 ~ 2021-06-06 23:59. Print: prints the Overview screen. Auto Refresh: refreshes the Overview screen every minute. Full Screen View: displays the Overview screen in full screen. |
Threats Statistics - Recent Threats Status | Total Threats: number of detections across all items: file/process (IOC, machine learning, YARA), malicious IP, and batch detection. Infection: number of file/process detections (IOC, machine learning, YARA, batch detection). Malicious IP: number of detections matching an address registered as a malicious IP. Abnormal behavior: number of threats detected by an Abnormal Behavior policy. Batch: number of batch detections. Batch detection re-checks the PC information agents have already sent against the IOC DB after the DB is updated; that information is kept for a set period (default: 3 days) so newly added threat indicators can be matched retrospectively. It runs every day at 02:00 and finishes by 06:00. The counts vary depending on whether resolved threats are included. |
Top 10 malware distributed across multiple endpoints | Lists malware by the MD5 of the malicious file; the number box shows how many endpoints the file was detected on. |
Top 10 Abnormal Behaviors occurring in multiple endpoints | Lists detections by abnormal behavior policy; the number box shows how many endpoints triggered that policy. |
Top 10 endpoints with multiple threats | Displays the number of threats (malware + abnormal behavior) detected per endpoint, identified by authenticated user name, host name, IP, or department name; click the Settings icon to choose which identifier is shown. The background color of the count reflects its size (8 or fewer: light; more than 8: dark). |
Threats classifications | When more than one detection type is present (IOC, CTI, ML, Malicious IP, YARA, and the abnormal behavior classifications), displays the share of threats per type. |
Event Generation Trend | Graphs the average event volume for today, yesterday, and the week, based on the endpoint2 index. |
Interesting Tags | Displays tag information written to the endpoint2 index, listed from least frequent (up to 25). Clicking a tag opens the Event Search list filtered to events carrying that tag, using the search date set on the Overview screen. |
custom tags | Users can create a tag and assign it to specific events; tags set by users are displayed here. |
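
The Batch row above describes a retrospective sweep: file information agents reported over the last 3 days is re-matched once the IOC DB gains new entries, and the hits feed the Batch count and the Top 10 malware list. The following Python is an added illustration of that logic, not the product's own code; the inventory rows, IOC entries, hash-to-name labels and the 02:00 run time are constructed for the example, and the field names in the hit records are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not product data). Inventory rows are (device_id, md5, seen_at),
# i.e. the file information agents reported; IOC rows carry the time the hash entered the IOC DB.
INVENTORY = [
    ("ep-01", "44d88612fea8a8f36de82e1278abb02f", datetime(2021, 6, 4, 9, 15)),
    ("ep-02", "44d88612fea8a8f36de82e1278abb02f", datetime(2021, 6, 5, 17, 40)),
    ("ep-03", "0cc175b9c0f1b6a831c399e269772661", datetime(2021, 6, 5, 8, 0)),
    ("ep-04", "92eb5ffee6ae2fec3ad71c777531578f", datetime(2021, 6, 1, 12, 0)),  # older than the window
]
IOC_DB = {  # md5 -> (threat name, time added to the IOC DB); names are constructed labels
    "44d88612fea8a8f36de82e1278abb02f": ("EICAR-Test-File", datetime(2021, 6, 5, 20, 0)),
    "92eb5ffee6ae2fec3ad71c777531578f": ("Trojan.Generic", datetime(2021, 6, 5, 21, 0)),
    "0cc175b9c0f1b6a831c399e269772661": ("PUA.Toolbar", datetime(2021, 5, 1, 0, 0)),  # old IOC
}
RUN_AT = datetime(2021, 6, 6, 2, 0)          # nightly batch starts at 02:00
LAST_RUN_AT = RUN_AT - timedelta(days=1)     # previous nightly run


def batch_detect(inventory, ioc_db, run_at, last_run_at, window_days=3):
    """Match inventory seen within the collection window against IOCs added since the last run.

    Only IOCs added after the previous run are considered: anything older would already have been
    matched when the file was first reported, so re-raising it would double count.
    """
    window_start = run_at - timedelta(days=window_days)
    new_iocs = {h: name for h, (name, added) in ioc_db.items() if last_run_at < added <= run_at}
    hits = []
    for device_id, md5, seen_at in inventory:
        if not (window_start <= seen_at <= run_at):   # outside the retained collection period
            continue
        if md5 in new_iocs:
            hits.append({
                "device_id": device_id, "md5": md5, "threat_name": new_iocs[md5],
                "seen_at": seen_at, "detected_at": run_at,
                "classification": "Batch", "status": "New",   # assumed field values
            })
    return hits


def top_malware(hits, n=10):
    """Rank hashes by the number of distinct endpoints they were seen on (the Top 10 malware list)."""
    per_hash = {}
    for h in hits:
        per_hash.setdefault(h["md5"], set()).add(h["device_id"])
    ranked = sorted(((md5, len(devs)) for md5, devs in per_hash.items()), key=lambda x: (-x[1], x[0]))
    return ranked[:n]


def example_run():
    hits = batch_detect(INVENTORY, IOC_DB, RUN_AT, LAST_RUN_AT)
    return hits, top_malware(hits)


if __name__ == "__main__":
    hits, top = example_run()
    for h in hits:
        print(f"{h['device_id']} {h['md5']} {h['threat_name']} seen={h['seen_at']:%Y-%m-%d %H:%M}")
    print("top malware:", top)
```

With this input, ep-01 and ep-02 are raised as Batch detections for the hash that entered the IOC DB on the evening of 2021-06-05, ep-03 is not (its IOC predates the last run, so it was matched at report time), and ep-04 is not because its report is older than the 3-day window.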
Threats detection information
On the Threats Analysis detail page, you can view detailed analysis of a threat, carry out a threat response, collect samples, and check the information required for analysis.
Item | Description |
---|---|
filename | Displays the process or file name detected as a threat, together with the last detection time, detection classification/detailed classification, and tag information. |
Print Icon | Provides the ability to print the detailed information screen. |
Management (new) | Opens ThreatsSystem, where users choose how to respond after reviewing a detected threat, or register an exception so that a false positive is not detected again. |
Basic Information
The Basic Information page displays details of the detected threat and file, including the MD5 hash of the malicious file, and external links for checking whether the file hash or the IP is already known.
Item | Description |
---|---|
Indicators | Displays the engine type that detected the Threats and Threats information. |
Threats Information | Processes performed: the detected process information. Threats classification (malicious code only): the predefined malware type obtained from the IOC DB or file reputation lookup, one of Adware, Backdoor, Browser, Dialer, Downloader, Exploit, Hacktool, Infostealer, Keylogger, Malware, Network, PUA, Packed, Ransomware, Rogue, Rootkit, Spyware, Trojan, Virus, Worm. Threats name (malicious code only): the threat name. Sample type (malicious code only): the sample type. Events: the event types in which the threat was detected (file, process, network, module). Summary: information about predefined malicious code and abnormal behaviors. MITRE ATT&CK: for abnormal behavior detections with predefined MITRE ATT&CK information, displays that information; clicking it opens an external link with related details. |
Management information | Threats verdict: the verdict users assigned in Management (malicious, safe, pending). Response Policy: the response policy users set in Management for when the threat is detected (alarm, process termination, file deletion). Processing Status: the threat's processing status (New, Processing, Resolved). Person (ID): the user ID that changed the threat's status in Management. |
detection time | LOCAL: the time the threat was detected on the endpoint. GLOBAL: when the Ecosystem (reputation lookup) is linked, the time the threat was seen in the reputation system. |
Malicious File Information | Displays the detected file's name, path, type, size, the version recorded in its file attributes, language, copyright, architecture, executable type, MD5, SHA-256, and digital signature information (from the FileMaster index). |
External Links | Look up whether the malicious file's MD5 hash or the IP is already known through an external link. External links can be edited in System > Settings > Properties > External Links. |
Detection information for each device
If a threat is detected on multiple devices, the device list appears in the detection information for each device. Up to 10 endpoints are displayed; if more endpoints are affected, click the Search All Device Events button to view every endpoint with the corresponding threat.
Item | Description |
---|---|
status | Shows the operational status of the endpoint. |
IP | Displays the endpoint's IP address. |
Username | If the detecting endpoint belongs to a user authenticated by Genian NAC, the authenticated user name is displayed. |
hostname | Displays the host name of the detecting endpoint. |
Response Rule | If an immediate response or an exception is needed for a malicious file or malicious IP, set it on the ThreatsSystem screen. |
Same Threats information by Device | If the same file was detected more than once, displays each detection path, the detection information, and the response result. |
Analysis Indicators
Analysis Indicators displays associated threat indicators, associated behavior tags, similarity, and AI Analysis indicator information.
Item | Description |
---|---|
Associated Threats Indicators | Displays the endpoints where Threats was last detected and all Threats detection information from those endpoints. |
Associated Behavior Tags | If tag information exists on events of any process related to the threat, those tags are displayed as associated behavior indicators; click a tag to open the Event Search list. |
Similarity | When a suspicious file is detected, the Ecosystem is queried to determine whether it is a variant of a known malicious file, and the similarity information is displayed. Click the refresh icon to query the Ecosystem again for the latest information. |
AI Analysis | For detections made by ML, provides indicators predicting the malware's threat classification and threat name. Type: predicted malware type (Adware, Trojan, Virus, etc.). Family: predicted malware family name. Analysis Perspective: the perspective from which the AI indicators were produced. |
Attack Story Line
The agent collects each process's process identification number (PID) and parent process identification number (PPID), together with the agent's operation time.
On the Attack Story Line page, the PID, PPID, Device-id, and EventTime of the process detected as a threat are correlated within the period the agent was operating. Starting from the threat process, it displays the parent process, the modules executed by the threat process, its child processes, and its network connections.
If the same file is detected on multiple endpoints, the connection information shown is for the endpoint where it was most recently detected.
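
The reason PID, PPID, Device-id and EventTime are combined only within the agent's operation window is that a PID is reused once a process exits, so the parent of a threat process can only be identified by the process-start event that is closest before the threat's own start on the same device. The Python below is an added illustration of that reconstruction, not the product's own code: the event schema, the sample telemetry (including a deliberate reuse of PID 4400 by an unrelated process earlier in the session) and the agent session window are all constructed for the example.

```python
import json
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    device_id: str
    time: datetime
    kind: str      # "process" = process start, "module" = module load, "network" = connection
    pid: int
    ppid: int      # parent PID for process starts; 0 for module/network events (assumed schema)
    detail: str    # image path, module path, or "dst_ip:port"


def t(h, m, s=0):
    return datetime(2021, 6, 6, h, m, s)


DEV = "ep-01"
# Constructed sample telemetry for one endpoint (hypothetical; not real agent data).
EVENTS = [
    Event(DEV, t(8, 5), "process", 1200, 800, r"C:\Windows\explorer.exe"),
    Event(DEV, t(8, 10), "process", 4400, 1200, r"C:\Windows\notepad.exe"),            # earlier use of PID 4400
    Event(DEV, t(8, 11), "module", 4400, 0, r"C:\Windows\System32\shell32.dll"),        # belongs to notepad, not the threat
    Event(DEV, t(9, 0), "process", 2300, 1200, r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    Event(DEV, t(9, 2), "process", 3100, 2300, r"C:\Windows\System32\cmd.exe"),
    Event(DEV, t(9, 2, 30), "process", 4400, 3100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event(DEV, t(9, 2, 31), "module", 4400, 0, r"C:\Windows\System32\amsi.dll"),
    Event(DEV, t(9, 3), "network", 4400, 0, "203.0.113.10:443"),
    Event(DEV, t(9, 3, 10), "process", 5200, 4400, r"C:\Windows\System32\whoami.exe"),
]
# Agent operation windows per device; PID/PPID values are only comparable inside one window.
AGENT_SESSIONS = {DEV: [(t(8, 0), t(18, 0))]}


def session_window(sessions, device_id, at):
    for start, end in sessions.get(device_id, []):
        if start <= at <= end:
            return start, end
    raise ValueError("no agent session covers the detection time")


def resolve_process(events, pid, at):
    """Latest process-start event for `pid` at or before `at`; this is what disambiguates PID reuse."""
    cands = [e for e in events if e.kind == "process" and e.pid == pid and e.time <= at]
    return max(cands, key=lambda e: e.time) if cands else None


def story_line(events, sessions, device_id, pid, detected_at):
    start, end = session_window(sessions, device_id, detected_at)
    ev = [e for e in events if e.device_id == device_id and start <= e.time <= end]
    threat = resolve_process(ev, pid, detected_at)
    if threat is None:
        raise ValueError("threat process start not found in the agent session")
    # Walk up the PPID chain; each parent must have started no later than its child.
    ancestors, cur, seen = [], threat, {(threat.pid, threat.time)}
    while True:
        parent = resolve_process(ev, cur.ppid, cur.time)
        if parent is None or (parent.pid, parent.time) in seen:
            break
        ancestors.append(parent)
        seen.add((parent.pid, parent.time))
        cur = parent
    # The threat process's lifetime ends at the next reuse of its PID, or at the session end.
    later = [e.time for e in ev if e.kind == "process" and e.pid == pid and e.time > threat.time]
    lifetime_end = min(later) if later else end

    def in_life(e):
        return threat.time <= e.time <= lifetime_end

    children = [e.detail for e in ev if e.kind == "process" and e.ppid == pid and in_life(e)]
    modules = [e.detail for e in ev if e.kind == "module" and e.pid == pid and in_life(e)]
    conns = [e.detail for e in ev if e.kind == "network" and e.pid == pid and in_life(e)]
    return {"process": threat.detail, "ancestors": [a.detail for a in ancestors],
            "children": children, "modules": modules, "connections": conns}


def example():
    # Threat detected on PID 4400 at 09:02:45; the earlier notepad.exe with the same PID must not be picked.
    return story_line(EVENTS, AGENT_SESSIONS, DEV, 4400, t(9, 2, 45))


if __name__ == "__main__":
    print(json.dumps(example(), indent=2))
```

For the sample, the story line resolves PID 4400 to powershell.exe (not the earlier notepad.exe), walks the parents cmd.exe, WINWORD.EXE, explorer.exe, and attributes only amsi.dll, the connection to 203.0.113.10:443 and the whoami.exe child to the threat process, leaving notepad's shell32.dll load out.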