7.6. Using of NDR dashboards
7.6.1. Introduction
Analysing the alerts for each type of engine
Viewing information and alerts specific to the network's equipment
Viewing information and alerts specific to the network's users
Viewing the relationships between the different equipment and users
To |
Apply the procedures |
|---|---|
Retrieving information related to an alert |
|
Processing equipment |
|
Processing an user |
|
Processing equipment |
|
Managing association rules |
|
Relation between equipment and users |
Procedure to analyze the relationship between equipment and users |
7.6.2. Links associated
See the Overview of the WEB UI.
7.6.3. Prerequisites
User : member of Operator group
7.6.4. Preliminary operations
Login to GCenter via a browser (see Connection to the GCenter web interface via a web browser)
7.6.5. Procedure to retrieve information related to an alert
- From the navigation bar, click on the
`Home`button (2).
In the Message Area of the`Home`screen, alerts are displayed classified by risk level (item 1).
- Click on an alert requiring investigation.The
`Alerts`screen of the web UI is displayed.
If the
`Group by name`button is ticked, click again on the alert again in the page that appears.- Once the alerts are not aggregated, click on the alert requiring investigation.A popup appears with the alert details.
This window displays important information:
The details of the alert
The name of the equipment concerned or impacted by this alert
The IP addresses concerned or impacted by this alert
Note
This window is detailed in the Alert details window.
According the engine which has detected the alarm, refer to the specific procedure defined below
The specific processing of alerts detected by... |
is indicated in the ... |
|---|---|
the Malcore engine |
|
the Powershell detect engine |
|
the Shellcode detect engine |
|
the Sigflow engine |
|
the DGA engine |
|
the Retroanalyser engine |
|
the CTI engine |
|
the Retro hunt engine |
|
the Ransomware detect engine |
|
the Beacon detect engine |
|
the Yara engine |
From the equipment IP, search on it in the
`Users`page (example: IP:192.168.0.1).- Click on the user to display the user record.The following are displayed:
Its risk score
IP address
Its equipment on the network
The metadata generated
Alerts generated
Its relationship with other equipment or network users
Continue investigations, as above, if other equipment is present in the alert being processed.
7.6.6. Procedure to process the equipment
From the navigation bar, click on the
`Assets`button (7).
The
`Assets`window is displayed.
Click on the desired equipment.
Analyse the various alerts (1) noted for this equipment.
If necessary, add a tag (9) that will give status to the equipment.
If necessary, add a note (10) to indicate the different analyzes performed.
7.6.7. Procedure to process the users
From the navigation bar, click on the
`Users`button (8).
The
`Users`window is displayed.
The active user management interface provides a list of the different users on the network listed by risk score (1).The user with the highest risk score are those that have raised the most high criticality alerts.It may therefore be necessary to carry out an in-depth analysis of the user in question.
Click on the desired user.
Analyse the various alerts noted for this user.
If necessary, add a tag (7) to give the user a status.
If necessary, add a note (8) to indicate the different analyzes performed.
7.6.8. Procedure to manage association rules
From the navigation bar, click successively on :
The
`Detection strategy`button (1)`Configuration`button on the menu`Assets and users detection`The interface for managing association rules`Assets/Users association rule`allows to set up rules concerning equipment and users present on the network.
In the
`Asset detection network range`section:
- Click on the
`Network variables can be configured for each gcap`link to add internal networks via the GCap profile customization feature.For more information, see `Asset detection network range` section of the `Assets/Users Association rules` screen.
In the
`Ignored IP for users association`section:
- Declare IP addresses that cannot be associated with a user to avoid wrong associations.For more information, see `Ignored IP for users association` section of the `Assets/Users Association rules` screen.
In the
`Ignored MAC for assets association`section:
- Declare MAC addresses that cannot be associated with equipment to avoid wrong associationsFor more information, see `Ignored MAC for assets association` section of the `Assets/Users Association rules` screen.
In the
`Forbidden users`section:
- Declare users not to appear in NDR dashboards (example: CEO, administrator)For more information, see `Forbidden users` section on the `Assets/Users Association rules` screen.
In the
`Forbidden assets`section:
- Declare the equipment not to appear in the NDR dashboards (example: sensitive equipment, irrelevant equipment)For more information, see `Forbidden assets` section on the `Assets/Users Association rules` screen.
7.6.9. Procedure to analyze the relationship between equipment and users
From the navigation bar, click on the
`Relations`button (4).
The
`Relations`window is displayed.
Choose the desired period using the timeline at the bottom of the page.
Locate a user or equipment flashing red (risk score > 75%).
Click on it, its interactions with other users and equipment are activated and a popup is displayed.
Move the mouse over the activated links (interactions) to see what they mean.
In the popup, the elements enabling further investigation are shown:
The main information about the item
Alerts raised by the item