When a security breach occurs with potentially major consequences, one of the best things that can be done is to split the problem into several smaller pieces until the root causes are known. You can’t see fine-grained patterns when looking at an aggregation of a week’s worth of events. You need a mechanism to zoom in to smaller time increments until you can see emerging patterns in datasets. This is where techniques like the Indicator Search drill down shine.
Before we jump into the new features, let’s take a step back to briefly cover what the Indicator Search is, and how it helps with investigations.
Our Indicator Search feature makes it easy to perform lightning-fast searches across all collected logs for IOCs such as IP addresses, domains, hashes, and more. With the Indicator Search, you can quickly baseline behaviors, correlate suspicious activity across systems, and kickstart security investigations against terabytes of normalized log data. You can learn more about this feature here.
Whenever an investigation is performed using the Indicator Search, your data is grouped by time intervals and presented by a histogram showing the concentration of events over the specified time interval. The time interval or granularity used to bucket the events across the time dimension depends on the date range that is selected when the search was initiated. Based on the search criteria, time granularity can vary from weeks, days, hours down to minutes – the more you narrow down the date range the better the resolution you’ll get.
Some examples:
With the Indicator Search Drill Down, you can now dive deeper into the aggregated data in your visualizations to instantly shift from a top-level view to a more detailed and granular view within the Indicator Search results. We’re excited to deliver this new capability to make incident investigations easier and faster for our customers.
Now that you are familiar with the Indicator Search algorithm and how it groups data under the hood, let’s see how you can leverage the panning & drill down features to walk through the different levels of granularity until you get enough context about a security breach.
1. Start your investigation with the attacker’s IP address
2. Search for all the associated events in the last month.
3. Scroll through the events until you find an intriguing hit.
Here is what it looks like so far:
4. By analyzing the histogram you can clearly understand when the breach occurred.
5. Drill down on any date to get a more detailed view of the results.
6. Continue to pan and drill down until you have enough context about the attack.
Here is what it looks like:
Not using Panther yet? Request a demo to learn how Panther can help you build a world-class detection and response program.