
Alerts and Alert Analysis

An administrator or Incident Responder (IR) creates rules that use indicators to track suspicious security events on host computers. Indicators can relate to system processes, files, IP addresses, registry keys and many other attributes. When you create a rule, you define the conditions that the selected indicators must meet. After the rule is saved and applied, an alert is generated and displayed on the Seqrite HawkkHunt console whenever activity on any endpoint matches the indicators of a rule. An endpoint can have more than one alert, and the same alert can be generated on multiple endpoints. Because an admin or IR may create and apply multiple rules, a single host can accumulate many alerts, each of high, medium or low severity.

Alerts Workflow

After an alert is generated for a host and displayed on the HawkkHunt console, its status is Open by default.

  1. The IR assigns the Open alert to themselves or to another IR in the team for investigation, analysis, and the appropriate remediation action.
  2. After the alert is assigned, the IR starts working on it.
  3. The assigned IR analyzes the alert and performs root cause analysis. When the analysis is complete, the IR takes the appropriate remediation action, if required.
  4. After the analysis is completed, the IR changes the status of the alert to Closed.
    All activities carried out during the analysis, such as status changes, assignee changes, comments entered, and remediation actions taken, are logged. The IR can see these logged activities on the investigation workflow page.

Active Alerts – Canvas View

The Alerts page opens in the Canvas view by default. The Canvas is the landing page for the Incident Responder (IR) after logging in to the HawkkHunt portal. It presents a holistic view of the endpoints that have communicated with the HawkkHunt portal during the selected period (the past 7, 15 or 30 days, or one of the hourly options in the drop-down), along with the alert count per severity and the alert status (Open, In-Progress or Closed). By default, the dashboard displays the alerts for all endpoints in the entire network. To view only the alerts assigned to you, click the My Alerts button.

Canvas_Alert  

The navigation pane (highlighted in yellow at the upper left) lets you navigate to the other pages of the HawkkHunt portal: Threat Hunting, Rule Builder, Reports, Settings and Help Center. Hover anywhere on the navigation pane to expand it. The navigation pane shows the name of the logged-in user under User Settings in the lower-left corner, beside the zoom control widget.

Active Alerts – Hosts

Hosts (endpoints) that have been sending data to the HawkkHunt console for the past 7, 15 or 30 day period are depicted as small colored dots inside a circular area on the canvas. The color of a dot depends only on the highest severity among the alerts on that host, regardless of how many high, medium or low alerts it has. A host with at least one high severity alert is shown as a red dot; a host with medium severity alerts (with or without low severity alerts) but no high severity alert is shown as an orange dot; a host with only low severity alerts is shown as a yellow dot.

Active Alerts – Full page view

You can switch to the full-page view by clicking the caret in the upper right corner. In the full-page view the caret is inverted and pushed to the extreme right; click it to return to the dashboard view.

Alerts are available in six modes:

  • Active Alerts: Displays the alerts that are active and have not yet been acted upon.
  • Closed Alerts: Displays the alerts that have been acted upon and closed with the appropriate action.
  • Regular Alerts: Displays the alerts that are not covered by a whitelist rule.
  • Whitelisted Alerts: Displays the alerts that match a whitelist rule.
  • Severe: Displays the alerts by severity: high, medium and low.
  • Informative: Displays alerts that only provide information and are not severe enough to investigate at this time.
    Alert 6 modes

    Note: You can switch to the full-page view using the caret button highlighted in yellow on the right.

Active Alerts – Dashboard

The Alerts Dashboard area in the upper right shows a horizontal colored bar in which high severity alerts are drawn in red, medium severity in orange and low severity in yellow, each segment sized by its percentage of the total alert count. Below the bar, the total count of alerts generated in the last 7 days is displayed, broken down in three rows: the first row shows the counts of System and Custom alerts, the second row shows the count per severity, and the last row shows the counts of Open and In-Progress alerts.

System n Custom alerts
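The following Python example is added here to illustrate the three mechanisms described above; it is not HawkkHunt code. It shows how indicator rules turn endpoint events into alerts, how the alerts on a host collapse into the single Canvas dot color (highest severity wins, counts do not matter), and how the dashboard bar percentages and count rows are derived from the same alert list. The rule format, the condition operators, the event field names and the sample events are all constructed assumptions for the example.

```python
# Added example (not HawkkHunt code): indicator rules turn endpoint events into
# alerts, alerts roll up per host into the Canvas dot color, and the dashboard
# counts are computed from the same alerts. The rule format, field names and
# sample events are constructed assumptions for illustration only.
from collections import Counter

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}
DOT_COLOR = {"high": "red", "medium": "orange", "low": "yellow"}

# Operators a rule condition can use (assumed; the console's own operators may differ).
OPS = {
    "eq": lambda actual, wanted: actual == wanted,
    "contains": lambda actual, wanted: wanted in actual,
    "startswith": lambda actual, wanted: actual.startswith(wanted),
    "in": lambda actual, wanted: actual in wanted,
}

# Constructed rules: every condition (field, operator, value) must hold for an event.
RULES = [
    {"name": "rundll32 running script code", "type": "system", "severity": "high",
     "tactic": "Defense Evasion",
     "when": [("process", "eq", "rundll32.exe"), ("cmdline", "contains", "javascript:")]},
    {"name": "Run key persistence", "type": "custom", "severity": "medium",
     "tactic": "Persistence",
     "when": [("registry_key", "startswith",
               r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")]},
    {"name": "Connection to watched IP", "type": "custom", "severity": "low",
     "tactic": "Command and Control",
     "when": [("dest_ip", "in", {"203.0.113.7", "198.51.100.9"})]},
]

# Constructed sensor events from four endpoints.
EVENTS = [
    {"host": "HOST-A", "ts": "2024-05-10T09:01:00", "process": "rundll32.exe",
     "cmdline": "rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication\""},
    {"host": "HOST-A", "ts": "2024-05-10T09:02:00", "process": "reg.exe",
     "registry_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "HOST-B", "ts": "2024-05-10T11:00:00", "process": "powershell.exe",
     "registry_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sync"},
    {"host": "HOST-B", "ts": "2024-05-10T11:05:00", "process": "powershell.exe",
     "dest_ip": "203.0.113.7"},
    {"host": "HOST-C", "ts": "2024-05-11T08:00:00", "process": "svchost.exe",
     "dest_ip": "198.51.100.9"},
    {"host": "HOST-D", "ts": "2024-05-11T08:30:00", "process": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]


def rule_matches(rule, event):
    """A rule fires only when the event has every field and each condition holds."""
    return all(field in event and OPS[op](event[field], wanted)
               for field, op, wanted in rule["when"])


def generate_alerts(rules, events):
    """One alert per (event, matching rule); new alerts start in Open status."""
    alerts = []
    for event in events:
        for rule in rules:
            if rule_matches(rule, event):
                alerts.append({"host": event["host"], "ts": event["ts"], "rule": rule["name"],
                               "type": rule["type"], "severity": rule["severity"],
                               "tactic": rule["tactic"], "process": event["process"],
                               "status": "open"})
    return alerts


def host_dot_colors(alerts):
    """Canvas color per host: decided by the single highest severity, not by counts."""
    highest = {}
    for alert in alerts:
        host, sev = alert["host"], alert["severity"]
        if host not in highest or SEVERITY_RANK[sev] > SEVERITY_RANK[highest[host]]:
            highest[host] = sev
    return {host: DOT_COLOR[sev] for host, sev in highest.items()}


def dashboard(alerts):
    """Severity bar percentages and the three count rows shown under the total."""
    total = len(alerts)
    by_severity = Counter(alert["severity"] for alert in alerts)
    return {
        "total": total,
        "bar_pct": {sev: (round(100.0 * by_severity[sev] / total, 1) if total else 0.0)
                    for sev in SEVERITY_RANK},
        "by_type": dict(Counter(alert["type"] for alert in alerts)),
        "by_severity": dict(by_severity),
        "by_status": dict(Counter(alert["status"] for alert in alerts)),
    }


ALERTS = generate_alerts(RULES, EVENTS)

if __name__ == "__main__":
    for host, color in sorted(host_dot_colors(ALERTS).items()):
        print(f"{host}: {color}")
    print(dashboard(ALERTS))
```

With the constructed events, HOST-A carries one high and one medium alert and is red, HOST-B carries one medium and one low alert and is orange, HOST-C has a single low alert and is yellow, and HOST-D generates no alert and therefore gets no dot. Note that a host that shows as yellow is not necessarily quiet; only the maximum severity is visible on the Canvas, so the count rows on the dashboard and the Device view are where the volume shows.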

The section in the lower right lists the most recent Open and In-Progress alerts with the date and time the alert was generated, its status, the affected process name, the host name, and the attack tactic. Scroll up or down to view earlier alerts.

Active Alerts – Actions Available

You can perform bulk actions. 

Active Alerts – Bulk Action

You can select multiple Alerts at a time and perform the actions of assigning to a user, changing the severity, or changing the status of the selected alerts.

Note: The selected action will apply to all the alerts that are selected, so it is recommended to use the option carefully.

To apply an action to the selected alerts, do the following:

  1. Navigate to the Alerts page Canvas View.
  2. In the Alerts pane on the right, select the Select All check box to select all alerts at once, or select the individual alerts to act on.
    BulkActivity1
  3. Click the Assign, Change Severity or Change Status button as required.
    If you click Assign, the Alert Assignee dialog opens. Select the assignee to whom you want to assign the selected alerts, then describe the change in the Enter Change Description box.
    AlertAssignee
    If you click Change Severity, the Alert Severity dialog opens. Select the severity, then describe the change in the Enter Change Description box.
    AlertSeverity
    If you click Change Status, the Alert Status dialog opens. Select the status, then describe the change in the Enter Change Description box.
    AlertStatus
  4. Click Save to save the changes. The selected action is applied to all the selected alerts.
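The following Python example is added here to illustrate the alert lifecycle described in the Alerts Workflow section (Open by default, then In-Progress, then Closed), the activity log that records status changes, assignee changes, comments and remediation actions, and a bulk action that applies one change to every selected alert. It is not HawkkHunt code. The set of allowed status transitions, the rule that a change description is mandatory, and the decision to report a failed transition per alert rather than abort the whole bulk action are assumptions made for the example.

```python
# Added example (not HawkkHunt code): the alert lifecycle from the workflow section
# (Open by default, then In-Progress, then Closed) with the activity log the console
# keeps, and a bulk action that applies one change to every selected alert. The
# allowed transitions and the rule that a change description is mandatory are
# assumptions made for this example.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Assumed transitions: an alert cannot go back to Open once it is In-Progress or Closed.
ALLOWED_TRANSITIONS = {
    "open": {"in-progress", "closed"},
    "in-progress": {"closed"},
    "closed": set(),
}
SEVERITIES = ("high", "medium", "low")


@dataclass
class Alert:
    alert_id: str
    host: str
    severity: str
    status: str = "open"
    assignee: Optional[str] = None
    log: list = field(default_factory=list)

    def _record(self, actor, action, detail, note):
        """Every change lands in the log that the investigation workflow page shows.
        An empty change description is rejected (assumption)."""
        if not note.strip():
            raise ValueError("a change description is required")
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                         "action": action, "detail": detail, "note": note})

    def assign(self, actor, assignee, note):
        self._record(actor, "assignee", f"{self.assignee} -> {assignee}", note)
        self.assignee = assignee

    def change_severity(self, actor, severity, note):
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity {severity!r}")
        self._record(actor, "severity", f"{self.severity} -> {severity}", note)
        self.severity = severity

    def change_status(self, actor, status, note):
        if status not in ALLOWED_TRANSITIONS[self.status]:
            raise ValueError(f"cannot move {self.alert_id} from {self.status} to {status}")
        self._record(actor, "status", f"{self.status} -> {status}", note)
        self.status = status

    def comment(self, actor, text):
        self._record(actor, "comment", "", text)

    def remediate(self, actor, action, target, note):
        self._record(actor, "remediation", f"{action} {target}", note)


def bulk_action(alerts, action, value, actor, note):
    """Apply one action to every selected alert and report per-alert success or
    failure, so a bad transition on one alert does not silently hide the rest."""
    handlers = {"assign": Alert.assign, "severity": Alert.change_severity,
                "status": Alert.change_status}
    results = {}
    for alert in alerts:
        try:
            handlers[action](alert, actor, value, note)
            results[alert.alert_id] = "ok"
        except ValueError as exc:
            results[alert.alert_id] = f"error: {exc}"
    return results


def demo():
    """Walk three constructed alerts through the workflow and return them."""
    alerts = [Alert("A-1", "HOST-A", "high"), Alert("A-2", "HOST-A", "medium"),
              Alert("A-3", "HOST-B", "low")]
    bulk_action(alerts, "assign", "ir.bob", "ir.lead", "triage batch 2024-05-10")
    bulk_action(alerts, "status", "in-progress", "ir.bob", "started analysis")
    alerts[0].remediate("ir.bob", "quarantine", r"C:\Users\Public\loader.exe", "dropped loader")
    alerts[0].change_status("ir.bob", "closed", "root cause found, file quarantined")
    return alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert.alert_id, alert.status, alert.assignee, len(alert.log), "log entries")
```

The point of the per-alert result map is the caution in the note above: a bulk action touches everything that is selected, so the operator should see exactly which alerts changed and which were refused, and every accepted change carries the description that was typed into the dialog.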

Using the Zoom control

Use the Zoom control on the lower left corner of the Canvas view to zoom in or zoom out as required for the canvas view.

Using the Filter View

Apply filters to narrow down the alerts that are displayed. You can filter by Severity, Status, Alert Type, Alert Details (Process Name and Host Name), Tactics and Assigned To.

The following filter options are supported:

Filter                         Description
Severity                       Select the severity of the alerts to show (high, medium or low).
Status                         Open or In-Progress.
Alert Details – Process Name   The name of the process or file that triggered the alert.
Alert Type                     System or Custom.
Alert Details – Host Name      List of host names, with auto-suggestion while typing because the list can be long.
Tactics                        The attack tactic for which the alert was generated.
Assigned To                    List of users to whom alerts are assigned, with auto-suggestion while typing because the list can be long.

For example, to view only High severity alerts, do the following:

  1. In the List view, click Add+ beside the Filter text box. The available options are displayed.
    Filter Dialog
  2. Select sev.high, which means alerts of high severity.
  3. Optionally, select the status, Open or In-Progress.
  4. Optionally, select the Alert Type, System or Custom.
  5. Select any other conditions and click Apply.
    All alerts of high severity that also match any other selected conditions are displayed.

Selecting the View duration 

You can view the alerts for the following hourly, daily, weekly or monthly periods:

  • Last 1 hour
  • Last 3 hours
  • Last 6 hours
  • Last 12 hours
  • Last 24 hours
  • Today (since midnight, 12:00 AM)
  • Last 7 days
  • Last 15 days
  • Last 30 days
  • This week (since Sunday midnight, 12:00 AM)
  • This month (since the beginning of the month)

Time View
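The following Python example is added here to illustrate the Filter view and the view-duration options above together; it is not HawkkHunt code. It computes the start of the window for every option in the drop-down (including the week starting on Sunday, which needs care because Python's weekday() numbers Monday as 0), applies a combination of filter criteria to a list of alerts inside that window, and provides the prefix auto-suggestion used for host names and assignees. The alert records, field names and timestamps are constructed for the example.

```python
# Added example (not HawkkHunt code): view-duration windows and Filter view criteria
# applied to constructed alert records. Field names are assumptions.
from datetime import datetime, timedelta


def window_start(option, now):
    """Start of the window for a duration option, named as in the drop-down."""
    words = option.split()
    if words[0] == "Last":                       # "Last 3 hours", "Last 7 days"
        count, unit = int(words[1]), words[2].rstrip("s")
        return now - timedelta(**{unit + "s": count})
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if option == "Today":
        return midnight
    if option == "This week":                    # since Sunday 12:00 AM; weekday() has Monday=0
        return midnight - timedelta(days=(now.weekday() + 1) % 7)
    if option == "This month":
        return midnight.replace(day=1)
    raise ValueError(f"unknown duration option {option!r}")


# Constructed alerts; 'ts' is when the alert was generated.
ALERTS = [
    {"id": 1, "ts": datetime(2024, 5, 15, 9, 0), "severity": "high", "status": "open",
     "type": "system", "process": "rundll32.exe", "host": "FIN-LT-01",
     "tactic": "Defense Evasion", "assignee": None},
    {"id": 2, "ts": datetime(2024, 5, 14, 22, 0), "severity": "high", "status": "in-progress",
     "type": "custom", "process": "powershell.exe", "host": "FIN-LT-02",
     "tactic": "Execution", "assignee": "ir.bob"},
    {"id": 3, "ts": datetime(2024, 5, 9, 8, 0), "severity": "medium", "status": "open",
     "type": "custom", "process": "reg.exe", "host": "HR-DT-07",
     "tactic": "Persistence", "assignee": None},
    {"id": 4, "ts": datetime(2024, 4, 30, 8, 0), "severity": "low", "status": "closed",
     "type": "system", "process": "svchost.exe", "host": "FIN-LT-01",
     "tactic": "Command and Control", "assignee": "ir.amy"},
]


def apply_filters(alerts, now, duration="Last 7 days", **criteria):
    """Keep alerts inside the window whose fields equal every given criterion.
    Unknown criterion names are rejected rather than silently ignored."""
    allowed = {"severity", "status", "type", "process", "host", "tactic", "assignee"}
    unknown = set(criteria) - allowed
    if unknown:
        raise ValueError(f"unsupported filter(s): {sorted(unknown)}")
    start = window_start(duration, now)
    return [a for a in alerts
            if start <= a["ts"] <= now
            and all(a[key] == value for key, value in criteria.items())]


def suggest(alerts, field, prefix):
    """Auto-suggestion for long lists such as host names or assignees."""
    wanted = prefix.lower()
    return sorted({a[field] for a in alerts
                   if a[field] and a[field].lower().startswith(wanted)})


if __name__ == "__main__":
    now = datetime(2024, 5, 15, 10, 30)
    print([a["id"] for a in apply_filters(ALERTS, now, severity="high", status="open")])
    print(window_start("This week", now))
```

Note that the duration window and the filter criteria combine: an alert that matches every criterion but was generated before the window start is still hidden, which is the usual reason an expected alert "disappears" from a filtered list.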

Viewing alert details for a particular host

Click on a colored dot (which represents the endpoint host) on the Canvas view to display the details for that particular host.

Device view

You can switch to the Device view to see all the alerts that have occurred in the past 7, 15, or 30 day period associated with a particular host.

    1. Click the blue caret in the upper right corner of the popup (highlighted in yellow).
      The Device view is displayed as shown below, with all the alerts related to that host displayed as circles. The color of a circle indicates the severity of that alert: red for high, orange for medium and yellow for low severity.
      Device view
    2. Click a circle to view its status, timestamp, host name and associated tactic. The right pane displays information about the endpoint on which the alerts were generated.
    3. Use the Filter option to look for a particular alert that satisfies the filter criteria.
    4. Add the filter as required and click Apply. The alerts for that device are displayed according to the applied filter.

Viewing My Alerts

Click on My Alerts to view only the alerts that are assigned to you (logged in user).


Active Alerts – List view

Click the List button next to the Canvas button to view the listed alerts serially with hostname, count, severity and the status.


You can sort the displayed list by the number of alerts per host, from the highest count to the lowest. Scroll down the list as required to view earlier alerts. Clicking a particular host name opens the Device view for that host.

Analysis workflow

The Analysis workflow helps the IR investigate the suspicious event(s) that generated an alert. It displays the processes that triggered the alert under the corresponding rule: the first file that started the sequence of security events, followed by the processes it led to, in a collapsible tree-like flow. Starting from the first process or file, click an event to display the subsequent events and their details. You can follow the process flow up to the last event that occurred.

The following screenshots show, step by step, how an IR starts the analysis for an alert.

  1. The IR opens the analysis workflow for an alert by clicking the caret (highlighted in a yellow square) in the upper-right corner of the alert in the Details pane. The Details pane is located below the Alerts dashboard.

  2. The IR then clicks the icon of host QHPUNML7LP121 displayed on the screen.

  3. The file name rundl32.exe is displayed on the screen; this file went on to load further modules.

  4. To investigate further, the IR clicks the rundl32.exe icon.
    The screen displays the following:
    — The count of modules loaded by the rundl32.exe executable, and any exploitable host programs.
    — The basic information for the rundl32.exe process: time of execution, start time, end time, path, MD5 and SHA hashes, the command line, and the drive type.
    — The binary information and the endpoint details, such as the user name, host name and operating system of the host, in the right pane.
    — The file name and time stamp of each of the 38 loaded modules, in the right pane.
    — That the file rundl32.exe loaded an exploitable host program into memory.

This analysis can be followed further, right up to the last action that was initiated by the alerted process.
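The following Python example is added here to illustrate what the Analysis workflow does behind the tree shown in the screenshots; it is not HawkkHunt code and does not reproduce the QHPUNML7LP121 host or the rundl32.exe alert. From constructed sensor events it walks from the alerted process back along parent links to the first process that started the sequence, counts the modules each process loaded, and renders the collapsible flow as indented lines, excluding unrelated processes on the same host. The event schema (process starts with a parent pid, module loads with the loading pid) and the sample events are assumptions.

```python
# Added example (not HawkkHunt code): rebuilding the collapsible process flow of the
# Analysis workflow from sensor events, walking from the alerted process back to the
# first process that started the sequence and forward to its last descendant. The
# event schema and the sample events are constructed for this example.
from collections import defaultdict

# Constructed events from one host: process starts carry the parent pid, module
# loads reference the loading pid. Only these two event kinds are modelled here.
EVENTS = [
    {"ts": "2024-05-10T09:00:01", "kind": "process", "pid": 4, "ppid": 1,
     "image": "WINWORD.EXE", "cmdline": "WINWORD.EXE invoice.docm"},
    {"ts": "2024-05-10T09:00:07", "kind": "process", "pid": 8, "ppid": 4,
     "image": "cmd.exe", "cmdline": "cmd.exe /c rundll32.exe C:\\Users\\Public\\x.dll,Start"},
    {"ts": "2024-05-10T09:00:08", "kind": "process", "pid": 12, "ppid": 8,
     "image": "rundll32.exe", "cmdline": "rundll32.exe C:\\Users\\Public\\x.dll,Start"},
    {"ts": "2024-05-10T09:00:09", "kind": "module", "pid": 12, "module": "x.dll"},
    {"ts": "2024-05-10T09:00:09", "kind": "module", "pid": 12, "module": "wininet.dll"},
    {"ts": "2024-05-10T09:00:10", "kind": "module", "pid": 12, "module": "urlmon.dll"},
    {"ts": "2024-05-10T09:00:15", "kind": "process", "pid": 16, "ppid": 12,
     "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -c Get-Date"},
    {"ts": "2024-05-10T09:30:00", "kind": "process", "pid": 20, "ppid": 1,
     "image": "notepad.exe", "cmdline": "notepad.exe"},   # unrelated to the alert
]


def build_tree(events):
    """Index processes by pid, children by parent pid, and modules by loading pid."""
    procs, children, modules = {}, defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["kind"] == "process":
            procs[ev["pid"]] = ev
            children[ev["ppid"]].append(ev["pid"])
        elif ev["kind"] == "module":
            modules[ev["pid"]].append(ev["module"])
    return procs, children, modules


def root_of(pid, procs):
    """Follow parent links until the parent was not captured: that process is the
    first one that started the sequence of events."""
    while procs[pid]["ppid"] in procs:
        pid = procs[pid]["ppid"]
    return pid


def chain_to(pid, procs):
    """Image names from the root down to the given process."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def render(pid, procs, children, modules, depth=0):
    """Indented text lines, one per process, with the module count beside each."""
    proc = procs[pid]
    line = "  " * depth + f"{proc['image']} (pid {pid})"
    if modules[pid]:
        line += f" [{len(modules[pid])} modules]"
    lines = [line]
    for child in sorted(children[pid], key=lambda p: procs[p]["ts"]):
        lines.extend(render(child, procs, children, modules, depth + 1))
    return lines


def analysis_flow(alerted_pid, events):
    """Everything the Analysis workflow page would show for the alerted process."""
    procs, children, modules = build_tree(events)
    root = root_of(alerted_pid, procs)
    return {"root": root, "chain": chain_to(alerted_pid, procs),
            "modules": modules[alerted_pid],
            "tree": render(root, procs, children, modules)}


if __name__ == "__main__":
    print("\n".join(analysis_flow(12, EVENTS)["tree"]))
```

For the alerted pid 12 the root is the document viewer (pid 4), the chain reads WINWORD.EXE, cmd.exe, rundll32.exe, and notepad.exe never appears in the flow because it does not descend from that root. The parent walk stops at the first parent that has no captured start event, which is exactly the "first file that started the sequence" the page describes.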

Alert analysis – Remediation actions

On File

During alert analysis, if you find suspicious file activity, you can perform the following remediation actions on that file.

Remediation Options

  • Kill: Terminates the running process spawned by the file. The file itself remains on the host computer and can be launched again later. This option is available only if the file has spawned a process that is still active; you can check the start time of that process under the Process Details tab. The option is not available for a process that has already ended.
  • Quarantine: Quarantines the file on the host PC so that it cannot launch a process again. You can restore a quarantined file at any time using the Restore button. The Quarantine action may fail if the sensor is denied access to the file or folder on the host PC. You cannot quarantine valid system files or installed program files, as these are whitelisted by default when installed.

Note: The Kill option is displayed only for executable files, in addition to the Quarantine and Restore options. For other files, only Quarantine and Restore are displayed.

On Registry entries

From the alert, you can navigate to the process that spawned regedit.exe, which is used to create or edit entries in the system registry. Clicking Values Created displays the registry entries in the right pane.

For any registry keys that are created as a result of any suspicious activity, you can select the registry keys and click Delete.

Registry Options

Note: You may not be able to delete a registry entry that has been renamed, or deleted already.

Switching from Timeline View to Type View

This view shows the alert analysis for a host in terms of the types of activity triggered by the process: file, process, network or registry.

  1. You (the IR) are on the Timeline view of the alert analysis for a host.

  2. Click Type view. The Type view is displayed for the same alerted process:

    The details for the alert are grouped by type. Here the file WMIC.exe has triggered 39+ file activities and 1 other process.

  3. Click the + sign beside File to view the related details.

Activating the Date and Time View

You can view the progression of the process that triggered an alert on a date and time scale. The scale also shows whether each activity was a process, file, registry or network activity.

  1. To enable the Date and Time view, click the caret in the lower left corner (highlighted in a yellow square).
    The Date and Time view is displayed with the activity type.

  2. Click the white caret in the lower left corner to close the Date and Time view.

Color Code Legend

Color of dots Activity related to
Yellow Process
Purple File
Blue Network
Green Registry

Additionally, you can do the following:

  • Zoom in and out with the mouse and adjust the time window. If multiple events occurred at the same time, they are drawn as concentric circles; a single event is drawn as a solid circle.
  • Click a solid circle to highlight the corresponding event in the tree and show its details in the right-side panel.
  • Click a set of concentric circles to list all the concurrent events that occurred at that time in the right-side panel; click an event there to see its details.
  • View the time sequence of activities performed by a process, or by its parent or siblings, during the course of the alert.
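The following Python example is added here to illustrate the Type view and the Date and Time view described above; it is not HawkkHunt code and the WMIC.exe activity from the screenshot is not reproduced. From the constructed activity of one process it produces the per-type counts the Type view headers show, builds the time markers of the Date and Time view with events at the same second grouped into one concentric marker, applies the legend colors, restricts the markers to an adjustable time window, and returns what the right-side panel lists when a marker is clicked. The event schema and sample events are assumptions.

```python
# Added example (not HawkkHunt code): the Type view and the Date and Time view of the
# Analysis workflow built from one process's activity. Events at the same second are
# grouped the way the console draws them as concentric circles; a lone event is a
# solid circle. The event schema and sample events are constructed.
from collections import defaultdict
from datetime import datetime

# Legend from the page: color per activity type.
COLOR = {"process": "yellow", "file": "purple", "network": "blue", "registry": "green"}

# Constructed activity of one alerted process.
EVENTS = [
    {"ts": "2024-05-10T09:10:00", "type": "process", "detail": "cmd.exe started"},
    {"ts": "2024-05-10T09:10:02", "type": "file", "detail": r"C:\Users\Public\a.tmp created"},
    {"ts": "2024-05-10T09:10:02", "type": "file", "detail": r"C:\Users\Public\b.tmp created"},
    {"ts": "2024-05-10T09:10:02", "type": "registry",
     "detail": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sync created"},
    {"ts": "2024-05-10T09:10:05", "type": "network", "detail": "203.0.113.7:443 connect"},
    {"ts": "2024-05-10T09:12:30", "type": "file", "detail": r"C:\Users\Public\a.tmp deleted"},
]


def type_view(events):
    """Counts per activity type, as the collapsible Type view headers show."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev["type"]] += 1
    return dict(counts)


def in_window(ev, start, end):
    ts = datetime.fromisoformat(ev["ts"])
    return start <= ts <= end


def timeline(events, start=None, end=None):
    """Ordered time markers inside the chosen window. Concurrent events share one
    marker (drawn as concentric circles); a lone event is a solid circle."""
    groups = defaultdict(list)
    for ev in events:
        if start is not None and end is not None and not in_window(ev, start, end):
            continue
        groups[ev["ts"]].append(ev)
    markers = []
    for ts in sorted(groups):
        evs = groups[ts]
        markers.append({"ts": ts, "shape": "concentric" if len(evs) > 1 else "solid",
                        "colors": sorted({COLOR[e["type"]] for e in evs}), "events": evs})
    return markers


def click(markers, ts):
    """What the right-side panel lists when the marker at `ts` is clicked."""
    for marker in markers:
        if marker["ts"] == ts:
            return marker["events"]
    return []


if __name__ == "__main__":
    print(type_view(EVENTS))
    for marker in timeline(EVENTS):
        print(marker["ts"], marker["shape"], ",".join(marker["colors"]), len(marker["events"]))
```

The grouping key is the timestamp at the sensor's resolution, so two file writes and a registry write in the same second become one concentric marker carrying both the purple and green legend colors; narrowing the window to the first minute drops the later file deletion from the view without changing the Type view counts, which are computed over the whole activity.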

Other actions available on the Alerts > Analysis workflow page

The following functions are available from the buttons in the upper right corner of the user interface:

Functionality                                                  Action
Return to the alert from deep in the analysis workflow         Click the View Alert button.
View the activity logs for an alert                            Click the clock icon.
Enter comments during analysis                                 Click the comments box.
View similar alerts on other hosts                             Click the graph-shaped icon.
Expand to the full-page view                                   Click the white caret; to return, click the inverted caret pushed to the far right.
View the alert details (timestamps, generating rule, status,   Click the Alert Details tab.
  severity and assignee)
View details of the process that triggered the alert           Click the Process tab.
  (process name, binary size and endpoint details)

 

Whitelisting rules for alerts

Alerts are generated by the default rules in the HawkkHunt engine and displayed on the dashboard. Some alerts may be triggered by legitimate activity in your network. A whitelist rule lets you specify a combination of parameters that identifies such alerts; any alert that matches a whitelist rule appears under the Whitelisted Alerts view instead of the Regular Alerts view. When you add the conditions of an alert to the whitelist rules, future alerts and existing alerts for the same file execution or activity under that rule are no longer displayed in the Regular Alerts dashboard view; they are listed under Whitelisted Alerts instead. Keep each whitelist rule as specific as the available parameters allow: a rule that matches on a process name alone also hides alerts for anything else that runs under that name.

Adding an alert rule to Whitelisted rules

    1. On the dashboard, in the right panel, click the alert whose rule you want to whitelist.
    2. The Alert Analysis view opens. The right pane displays the details for the selected process or any other processes.
      WhitelistButton
    3. Click Add to Whitelist.
    4. In the Add to Whitelist dialog, enter a name for the whitelist rule.
      WhitelistDialog
    5. Select the parameters as required from the displayed parameters. The parameters shown depend on the process.
    6. The Rule Query preview pane shows the corresponding rule query that will be whitelisted.
    7. Click Done to save the rule to the Whitelist Rules.
      You can view the rule under the Whitelist Rules tab on the Rules page. Alerts generated under this rule are then available only under Whitelisted Alerts. You can sort the Whitelist Rules by timestamp.

Save Alerts to Whitelist

You can delete the Whitelist Rule with the help of the Delete icon.
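The following Python example is added here to illustrate the whitelisting procedure above; it is not HawkkHunt code. It models a whitelist rule as a combination of parameters, renders the text a Rule Query preview pane might show, splits a list of alerts into the Regular and Whitelisted views (covering old alerts as well as new ones), and adds a breadth check that flags a rule keyed on a process name alone. The parameter names, the query syntax, the sample alerts and the breadth check are assumptions; the check is an editorial recommendation, not a console feature.

```python
# Added example (not HawkkHunt code): a whitelist rule as a combination of parameters,
# the rule-query preview the dialog shows, and the split of existing and new alerts
# into the Regular and Whitelisted views. Parameter names, the query syntax and the
# sample alerts are assumptions; the breadth check is an editorial recommendation.
from datetime import datetime


def query_preview(params):
    """Text for the Rule Query preview pane (assumed syntax: AND of equalities)."""
    return " AND ".join(f'{key} = "{value}"' for key, value in sorted(params.items()))


def matches(rule, alert):
    """An alert is whitelisted only when every parameter of the rule equals its value."""
    return all(alert.get(key) == value for key, value in rule["params"].items())


def too_broad(rule):
    """Flag rules keyed only on a process name: such a rule also hides an attacker who
    names a payload after the trusted binary. Pair the name with a hash or command line."""
    return set(rule["params"]) <= {"process_name"}


def partition(alerts, rules):
    """Regular view vs Whitelisted view; applies to old alerts as well as new ones."""
    regular, whitelisted = [], []
    for alert in alerts:
        hit = next((rule["name"] for rule in rules if matches(rule, alert)), None)
        if hit:
            whitelisted.append({**alert, "whitelisted_by": hit})
        else:
            regular.append(alert)
    return regular, whitelisted


# Constructed alerts generated by the same detection rule on three hosts. The hash
# values are placeholders, not real digests.
ALERTS = [
    {"id": 1, "rule": "rundll32 with unusual DLL", "process_name": "rundll32.exe",
     "sha256": "aaa111", "cmdline": "rundll32.exe printui.dll,PrintUIEntry /in",
     "host": "PRN-01"},
    {"id": 2, "rule": "rundll32 with unusual DLL", "process_name": "rundll32.exe",
     "sha256": "aaa111", "cmdline": "rundll32.exe printui.dll,PrintUIEntry /in",
     "host": "PRN-02"},
    {"id": 3, "rule": "rundll32 with unusual DLL", "process_name": "rundll32.exe",
     "sha256": "bad999", "cmdline": "rundll32.exe C:\\Users\\Public\\x.dll,Start",
     "host": "FIN-LT-01"},
]

# A narrow rule: the printer-installer use of rundll32 from the known-good binary only.
WHITELIST_RULES = [
    {"name": "printer install via rundll32", "created": datetime(2024, 5, 10, 12, 0),
     "params": {"process_name": "rundll32.exe", "sha256": "aaa111",
                "cmdline": "rundll32.exe printui.dll,PrintUIEntry /in"}},
]


if __name__ == "__main__":
    for rule in sorted(WHITELIST_RULES, key=lambda r: r["created"]):
        print(rule["name"], "->", query_preview(rule["params"]), "(broad)" if too_broad(rule) else "")
    regular, whitelisted = partition(ALERTS, WHITELIST_RULES)
    print("regular:", [a["id"] for a in regular], "whitelisted:", [a["id"] for a in whitelisted])
```

With the narrow rule, the two printer-installer alerts move to the Whitelisted view while the alert for the unknown DLL loaded from a user-writable folder stays in the Regular view. Replacing the rule with one that names only rundll32.exe would whitelist all three, which is the failure mode the breadth check is meant to catch before the rule is saved.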