Event details (executions, recommendations & comments)

Details of an event
Each event has a page that specifies all its descriptive elements. This page is also used to enter the event's detection information.


Hint: The up and down arrows next to the event name allow you to navigate directly from one event to another without returning to the list.


Event details (section 1)

This panel gathers the information to facilitate the understanding of the event and to conduct investigations:
  • Description of the action executed
  • Correlations with MITRE ATT&CK (Tactic and Technique)
  • Event type
  • Event severity
  • IOCs related to the event (IP address, account name, file name and/or hash, etc.)


Qualification of detection and reaction to the event (section 2)

The left area gives technical information about the event execution:
  • Source and target IP addresses
  • Start and end date and time of execution

You can then add information to qualify detection associated with this event, using the Add detection status button.

The default status is Unqualified. Three other statuses are possible: Undetected, Logged and Alerted.
Hint: Refer to the following section for an explanation of the possible event statuses.


Depending on the declared status, additional fields are available for further information:
  • Source(s) that allowed the detection of the event
  • Date and time of detection
  • Upload of detection evidence (e.g. screenshot of an interface, an email or a log file)

For events with the Alerted detection status, you can then record the reaction taken using the Add reaction button:
  • Action taken or final status
  • Date and time
  • Upload of reaction evidence

The TTD (Time To Detect) and TTR (Time To React) of the event are calculated automatically from the dates and times provided.

Detection and Reaction information feed the campaign KPIs presented on the Synthesis page: campaign cyber score, detection rate, list of the most active sources, etc. Qualifying every event gives complete results and thus a better evaluation of the effectiveness of your defenses. The status is the criterion with the greatest impact on the score calculation.

You can change Detection and Reaction information using the Edit button in each section.






Enhancing detection


To improve detection capabilities, a Sigma rule may be provided with most events executed at the operating system level. This rule, provided by our CERT, complements the configuration of existing tools (EDR, SIEM, etc.) if the event was not detected.
  • The rule can be copied and/or downloaded to be integrated into your defense tools.
  • The detection rule may need to be adapted to the tool you are using (field names and log sources differ between products). It is also important to check that the requirements defined by the rule (log source, fields) are met before relying on it.
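As an added illustration of that last point (example code, not the platform's own tooling), the snippet below checks a Sigma rule's field requirements against a sample event and applies a field mapping for a tool whose schema uses different names. The rule, the mapping and the event are all constructed for the example.

```python
# Minimal check of a Sigma rule's field requirements against sample events,
# with a field mapping for tools whose schema differs from Sigma's names.
# Constructed rule as it would look once its YAML is parsed (not a platform rule).
RULE = {
    "title": "Constructed example: whoami.exe process creation",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\whoami.exe",
                      "CommandLine|contains": ["/all", "/priv"]},
        "condition": "selection",  # only a single named selection is supported here
    },
}
# Constructed mapping from a hypothetical tool's field names to Sigma's.
FIELD_MAP = {"process_path": "Image", "cmdline": "CommandLine"}
# Constructed event in that tool's schema.
SAMPLE_EVENT = {"process_path": "C:\\Windows\\System32\\whoami.exe", "cmdline": "whoami /all"}

def required_fields(rule):
    """Sigma field names referenced by every selection in the rule."""
    fields = set()
    for name, sel in rule["detection"].items():
        if name != "condition":
            fields.update(key.split("|", 1)[0] for key in sel)
    return sorted(fields)

def normalise(event, field_map):
    """Rename tool-specific fields to the Sigma names the rule expects."""
    return {field_map.get(k, k): v for k, v in event.items()}

def _value_matches(modifier, actual, expected):
    actual, expected = str(actual).lower(), str(expected).lower()  # Sigma is case-insensitive
    if modifier == "contains":
        return expected in actual
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "startswith":
        return actual.startswith(expected)
    return actual == expected

def selection_matches(selection, event):
    """Every key must match (AND); a list of values for one key is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if field not in event or not any(_value_matches(modifier, event[field], v) for v in values):
            return False
    return True

def check_rule(rule, event, field_map=None):
    """Return (missing Sigma fields, matched) for one event after field mapping."""
    ev = normalise(event, field_map or {})
    missing = [f for f in required_fields(rule) if f not in ev]
    selection = rule["detection"][rule["detection"]["condition"]]
    return missing, (not missing and selection_matches(selection, ev))
```

Without the mapping, `check_rule` reports both Sigma fields as missing, which is the signal that the rule must be adapted to the tool before it can detect anything.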





Comments

The last tab is used to exchange messages about the processing of the event.
Each user can write comments and can modify or delete the messages they have posted.