Once the scan is completed, navigate to the Scans page and choose the relevant scan record. Follow this guide to learn how to set up and start running a scan.
You can use the Demo Investigation that shows the scan results for a Demo Data Plane.
If you'd like to see the results of older scans or results for individual Data Planes, select a scan and then on any tab of a scan select a Tenant and a Data Plane from the dropdowns in the upper left corner.
In the upper right corner, you can see the total number of queries executed during the scan. By clicking the Logs button, you can see which queries ran successfully and which failed, along with their corresponding error messages.
Scan Overview
The Scan Overview page provides the summary results of the selected scan, visualized as a spider chart of the attack surface in terms of MITRE ATT&CK. For each tactic, the chart indicates the percentage of its techniques/sub-techniques that had hits with relevant queries in the current investigation.
Suspected Actors – top 3 actors associated with the potential adversary activity in your infrastructure. The number on the left indicates how many out of all techniques/sub-techniques associated with a given actor have hits with relevant queries. Select an actor to see related results or click Examine Details to go to the scan details and see all suspected actors.
Used Tools – top 3 tools associated with the potential adversary activity in your infrastructure. The number on the left indicates how many queries with hits are related to a given tool. Select a tool to see related results or click Examine Details to go to the scan details and see all suspected tools.
Entities at Risk – the number of accounts and assets affected by the potential adversary activity in your infrastructure. IPs, usernames, and other identifiers are counted based on SHA256 hashes of their unique values, so your raw data stays private.
Technique Prevalence – top 3 techniques/sub-techniques associated with the potential adversary activity in your infrastructure. The number on the left indicates how many queries with hits are related to a given technique/sub-technique. Select a technique/sub-technique to see related results or click Examine Details to go to the scan details and see all suspected techniques/sub-techniques.
Click Examine Details to go to the scan details and process its results.
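To make the three overview metrics concrete, here is an added example (not SOC Prime's code) that computes the per-tactic coverage percentage, the hashed entity count, and technique prevalence from a constructed set of query hits. The ATT&CK catalog fragment and the hit records are assumptions built for the example.

```python
import hashlib
from collections import defaultdict

# Constructed catalog fragment: tactic -> techniques/sub-techniques covered by the scan.
TECHNIQUES_PER_TACTIC = {
    "Execution": {"T1059", "T1059.001", "T1059.003", "T1053.005", "T1204"},
    "Persistence": {"T1053", "T1053.005", "T1547", "T1547.001"},
    "Defense Evasion": {"T1070", "T1070.001", "T1562", "T1562.001"},
}

# Constructed query hits: title, mapped (tactic, technique) pairs, observed identifiers.
SAMPLE_HITS = [
    {"query": "Suspicious PowerShell encoded command",
     "mapping": [("Execution", "T1059.001")], "entities": ["10.0.0.5", "alice"]},
    {"query": "Scheduled task created via schtasks",
     "mapping": [("Persistence", "T1053.005"), ("Execution", "T1053.005")],
     "entities": ["10.0.0.5", "bob"]},
    {"query": "Windows event log cleared",
     "mapping": [("Defense Evasion", "T1070.001")], "entities": ["alice"]},
]


def tactic_coverage(hits, catalog=TECHNIQUES_PER_TACTIC):
    """Spider-chart metric: % of each tactic's techniques with at least one hit."""
    hit_techniques = defaultdict(set)
    for hit in hits:
        for tactic, technique in hit["mapping"]:
            if technique in catalog.get(tactic, ()):
                hit_techniques[tactic].add(technique)
    return {tactic: round(100.0 * len(hit_techniques[tactic]) / len(techs), 1)
            for tactic, techs in catalog.items()}


def pseudonymize(value):
    """Replace an identifier by the SHA256 hex digest of its value before counting."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def entities_at_risk(hits):
    """Distinct affected identifiers, counted on their hashes only (raw values never kept)."""
    return len({pseudonymize(e) for hit in hits for e in hit["entities"]})


def technique_prevalence(hits, top=3):
    """Techniques ordered by how many queries with hits map to them (each query counts once)."""
    counts = defaultdict(int)
    for hit in hits:
        for technique in {t for _, t in hit["mapping"]}:
            counts[technique] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top]
```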
Review the log sources identified in your environment on the Log Sources page.
Scan Results
On the Scan Results page, you can review the results of the queries that had hits to verify them and continue your investigation in the affected Data Planes.
Heat Map
Start with the Heat Map at the top of the page that visually represents the query hits over time, categorized by MITRE ATT&CK tactics associated with detected adversary activities:
The color intensity of each cell indicates the number of hits: the closer to red, the more hits related to that specific tactic within the given time period.
You can hover over any cell to display a tooltip showing the exact number of hits for that tactic during the specified time frame.
By default, the scale corresponds to the scan period selected during the scan setup. To change it, select the desired period using the time filter.
This way, you can narrow down the scale to 1 day (to set the period to a single day, click the desired date twice).
To see the queries that had hits during a specific time period on the heat map, click this period. To remove this filter, click the period again.
Filters
Filter by Tools, Actors, and Techniques
Use the filter panel on the left of the heat map to additionally filter the queries with hits.
You can hide and show the panel with the < and > icons.
First select a tab (Suspected Actors, Tools, or Techniques), and then a specific value. This way, you can see queries associated with particular actors, tools, or techniques.
To remove the filter, click the All Actors, All Tools, or All Techniques option.
Additional Filters
Use the search bar, filters and sorting options to narrow the results and prioritize relevant queries:
Log Sources – filter queries by log sources.
Indexes – filter queries by indexes.
Severity – filter queries by severity levels.
Marked As – filter queries by their status.
Authors – filter queries created by specific users.
You can sort results by:
Hit Counts – order queries based on the number of hits.
Severity – order queries by severity level.
Additionally, you can switch between descending and ascending order by clicking the green arrow by the selected sorting option name.
Review Query Details
Review the results of the queries that had hits to verify them and continue your investigation in the affected Data Planes. The queries are sorted in the recommended order that takes into account the global user feedback.
Check the list of queries that hit during your scan.
Query title is accompanied by:
Severity indicated by a color-coded arrow (for the description of each severity status see below):
Dark red – critical
Light red – high
Blue – medium
Green – low
The number of Data Planes for which your team has provided feedback on the query outcome, with a tooltip that contains the outcome (for the description of outcome types, see the Mark Query with Status section below).
You can expand and collapse query details with the plus and minus icons on the right. When one query is expanded, all the others are collapsed.
Review the details of each query, including metadata and intelligence:
Author – author of the detection rule used to generate the query.
Released – date the detection rule was released on the SOC Prime Platform.
Severity – describes the criticality of the Sigma rule used to generate the query.
Critical – highly relevant event that indicates an incident. Critical events should be reviewed immediately.
High – relevant event that should trigger an internal alert and requires a prompt review.
Medium – relevant event that should be reviewed manually on a more frequent basis.
Low – notable event but rarely an incident. Low-severity events can be relevant in high numbers or in combination with others. An immediate reaction shouldn't be necessary, but a regular review is recommended.
Category – the group of products (e.g., firewalls or web servers) whose log files the query is meant to be run against.
Product – the log outputs of a specific product the query is meant to be run against (e.g., all Windows Eventlog types, including Security, System, Application, and newer log types such as AppLocker and Windows Defender).
Event ID – Windows event ID you need to log for the query to work.
Description – explains what the query is intended to detect and in what way.
Hit Rate and Action Loop – stats on the query results from all users who have run the query and provided feedback.
Timeline of the related threat with key stages – hover over a certain item on the timeline to see the references that help you understand the threat context.
Attack Surface – key details for each scanned Data Plane along with the number of hits, and the Action Loop dropdowns to provide feedback on the query outcome in each Data Plane.
False Positives – details on possible false positives or benign activities and how to avoid them backed by AI recommendations.
Triage Recommendations – details on possible ways to validate and investigate suspected malicious activity backed by AI recommendations.
MITRE ATT&CK Coverage – techniques, sub-techniques, mitigations, tools, and actors to which the query is mapped.
Binaries – binaries on whose behavior the query is based. Click a value and select EchoTrail.io in the description to learn more.
Techniques Simulations – attack simulations you can use to test the query. Click a value to see its short description and select View Simulations in the description to go to the Red Canary GitHub repo with the simulation.
Actions with Queries
You can perform the following actions on queries individually or in bulk by selecting the checkboxes next to the queries. You can also use the Select all option to apply an action to all queries in the list:
Mark a query with a status (bulk action not available)
Hunt
Click the Hunt button to run the query in the selected Data Plane(s) for the same time period that was chosen for the investigation to see how the content performs in your environment.
Select the Data Planes in which you want to run the query. Your security platform interface will open in a new tab for each selected Data Plane.
Note:
By default, browsers block opening multiple tabs, so please allow pop-ups when prompted to do so.
If you open many tabs simultaneously (10 or more), it could impact your browser's performance.
Open in Uncoder AI
You can update or customize the original query using Uncoder AI to match your current security needs (modify specific fields, add exclusions or filters, etc.).
The query will be opened in Uncoder AI in a new tab, where you can make edits and then:
Save the modified version to the selected custom Repository to be used in the next scans.
Deploy the updated detection directly into your SIEM instance.
Open Original Query in TDM
Select the Open original query in TDM button to open a query on the Detection Intelligence tab where you can view the intelligence on the related threat and the query metadata, and customize the query on the Detection Code tab.
Exclude Content from Next Scans
To exclude irrelevant content items from the next scans:
Click the Exclude from next scans button. This will exclude the selected content item from the specified Data Plane.
If the scan spans multiple Data Planes, use the drop-down list to select the relevant Data Planes where you want the exclusion to apply and select Apply.
Review Excluded Content
To review content that has been excluded from future scans:
Go to the Threat Detection Marketplace > Search.
Click on More Expert Filters.
Enable the Excluded in Scans filter.
Manage Excluded Content
To manage excluded content by Data Plane:
Open the rule in the Threat Detection Marketplace.
Click the Exclude from Attack Detective Scans button.
To exclude the item from additional Data Planes, select them from the drop-down menu and click Save.
Restore Excluded Content for Future Scanning
To add previously excluded content back to future scans:
Open the rule in Threat Detection Marketplace.
Click the Exclude from Attack Detective Scans button.
Remove the Data Planes from the exclude list, and click Save.
Mark Query with Status
You can validate hunting hypotheses and mark the query by selecting one of the options in the Action Loop dropdown in the Attack Surface section.
The status you assign becomes part of the global feedback loop intended to recommend the most relevant queries to all users dynamically. When you rate a query you help not just yourself but your peers as well and create a massive positive network effect.
Confirmed – indicates that there's enough data and context to confirm an incident or successful simulation.
False Positive – indicates that there's enough data and context to dismiss the query result as noise.
Benign Behavior – indicates that there's enough data to determine that the activity led to no harm and enough context to understand that the same event can be a true positive given different surrounding events (other hits).
No Root Cause – indicates that the query has found something, but there's no data on surrounding events or inside a specific event to decide whether it was a true positive, false positive, or benign behavior.
Tuning Required – indicates that the query works but needs further optimization to reduce noise or improve performance.
To check the statistics from all users who have run the query and provided feedback, see the Hit Rate and Action Loop section of the query details. Note that the status you've assigned is reflected in the action loop with a delay of up to 30 minutes.
Assigned status is shown:
In the Attack Surface section in the Action Loop dropdown.
On the right of the query name when you hover over the tooltip with the number of Data Planes for which you've marked the query results.
Export Scan Results
You can export Scan results as a report once the scan is finished:
Directly within the Scan. Click the file icon on any tab of the scan and select an export option.
On the Scans > Investigations tab. Click the three-dot icon next to the Scan, select Generate Report, and choose an export option.
The export options are as follows:
Full Report PDF – the entire scan info, including overview, log sources, and results for all connected Data Planes, as a visually structured report.
Overview XLSX – scan overview as a spreadsheet for further analysis.
Results XLSX – scan results as a spreadsheet for further analysis.
After selecting the export format, your scan results will be saved in the Reports section, where you can download them by clicking the Download icon in the corresponding row (the newest reports are at the top of the list).
