SOC Workbench - Threat Investigation
Security leaders know that speed matters when responding to threats. This video demo showcases how the eSentire SOC Workbench enables analysts to move from alert to actionable response with unmatched speed and precision. Watch the demo to understand how this SOC could strengthen your defenses, and contact HG Consulting to explore a personalized deployment.
What is the Investigation Workbench?
The Investigation Workbench is a feature within the Insight portal that helps analysts conduct threat investigations. It provides an enrichment tool called the investigation co-pilot, which pulls additional context and information from vendors regarding log activity. This assists analysts in making informed conclusions about potential threats.
How does the system identify compromised users?
The system identifies compromised users by analyzing sign-in patterns and activities. For example, if a user typically signs in from Ireland but suddenly has multiple sign-ins from locations like the United States, Nigeria, and Tanzania within a short time frame, it raises a flag. Additionally, suspicious activities such as the creation of unusual inbox rules and the use of untrusted devices are also indicators of compromise.
What role does telemetry play in investigations?
Telemetry plays a crucial role in the investigation process by providing detailed information about processes running on an endpoint. It helps analysts build a process tree, allowing them to trace back activities to their origins. For instance, if a WScript process is spawned by an application like OneNote, telemetry can reveal the chain of events leading to that execution, which is essential for understanding potential exploitation paths.
SOC Workbench - Threat Investigation
published by HG Consulting
Sign in with LinkedIn