I would like to know more on how to properly investigate an alert.
Specifically, about contextual data, how do I use endpoint query? inspect actor activity and log search? It seems that the documentations are about old versions, and I couldn’t find any information about it.
Overall if you have any tips or methodology you follow to investigate alerts, please share with me
You are certainly right that our current documentation seems to be out of date and I would argue not entirely verbose enough for what you’re probably asking.
I am reaching out to our documentation team to see if we can get some of the verbiage updated and some extra context in there to explain.
However, for the time being I can explain what these three categories do:
Query Endpoints - This uses the agent to run forensic jobs on a specified asset. The jobs range from pulling in the current Arp Cache, to User Sessions, or checking for a specific registry key setting. These jobs will be most accurate and helpful when ran as close to the creation of the investigation. The data can provide extra context to the asset in question for whatever the investigation was about
Inspect Actor Activity - This gives you the ability to add users or assets to the case which will bring in any alerts or notable events for that actor. These will be placed into the appropriate spots within the timeline to give you more context on what happened and when. Some of these alerts or notable events may pertain directly to the case or may involve other activities that led up to the event.
Log Search - This simply opens a session of the log search but within the investigation. All other log search functions operate exactly the same but this gives you the ability to filter and search for corresponding logs and select those logs and add them to the case. These logs will also be placed into the timeline for when they occurred.
Query Endpoints to gather forensic info from any asset listed as an actor for that investigation
Inspect Actor Activity - Use IDR to automatically gather relevant information from a predefined set of log sets for either a user/asset already listed as an actor, or another user and asset of your choice if they become relevant in the investigation
Log Search - great for when you need to add the actual log(s) in their entirety to the investigation when that investigation provides just key components (like actions or locations only).
Whats great about the log search add is that it will automatically place that log in the appropriate area of the investigation’s timeline based off it’s timestamp, so it can really be useful.