Identify and manage threats through the Detections page

Investigator helps you monitor and manage alerts by grouping them as detections and providing simplified workflows and instructions to process and resolve them.

What are detections?

A detection is an aggregation of alerts from the same alert category and entity combination. Investigator creates detections when an entity generates an alert for an alert category. Future alerts from the same alert category and entity pair are appended to the same detection.

Detections are accessible to Admin, Analyst, and Viewer users (although Viewers cannot see the action buttons associated with detections).

For more information, see Overview of alerts and detections.

How to investigate a detection

Here are the basic steps to investigate a detection:

  1. From the Detections page, review the list of discovered detections.

    The list summarizes basic information about each detection. You can drill down to learn more about detections and their associated entities and alerts.

  2. Sort and filter detections.

    You can sort detections by severity score and time of detection.

    You can filter detections by severity score range, status, alert category, entity, or assignee.

  3. View essential information about a detection in the Quick View panel.

  4. View complete information in the Detailed View.

    The Detailed View includes information provided by the Corelight content team and can include description, significance, validation, next steps, and associated MITRE ATT&CK techniques.

    Some detections provide AI generated descriptions and let you Ask GPT for more information through pre-formed prompts.

    The Detailed View also shows alerts for the detection, related detections, and related entities.

  5. Assign a detection to an admin or analyst user for further analysis.

  6. Exclude an entity from a detection.

  7. Send to ServiceNow as a security incident.

  8. Close a detection.

Detections page and summary view

The Detections page shows a summary of each detection. Each detection includes these details:

  • Severity – a number ranging from 1 to 10; more severe threats have a higher score

  • Alert Category – the name of the security alert

  • Entity – IP address or domain name

    With a configured CrowdStrike integration, the detections show additional host information from CrowdStrike data and can let you isolate entities from all network activities in response to security breaches.

  • Number of Alerts in the detection

  • First Alert Time – time of the first alert in the detection

  • Last Alert Time – time of the most recent alert appended to the detection. This value stops changing once the detection is closed, because later alerts for the same alert category and entity start a new detection.

  • Status – open or closed

  • Assignee – indicates a user has been assigned to the detection or the detection is unassigned.


By default, detections appear in the list view. If you prefer a more structured and concise representation of the detections, you can switch to the table view. The table view lets you quickly scan rows and columns to find relevant data. You can switch between views using the List and Table buttons under the filter options.

Detections in the list view

Detections in the table view

The sort and filter options along the top of the results help you focus the list of detections and the Quick View panel provides more information about the detection.


Note

The Detections page does not automatically refresh. If new detections are available for your time window, the Refresh icon in the time window is blue. Click the Refresh icon to show the new detections in the results. If new detections are not available, the Refresh icon is gray. The time window shows the length of time since the last update.

Quick view of detection information

Each detection displays a Quick View panel to the right. This panel provides essential information and actions for the detection, including

  • Description of the detection. Machine learning alerts and notices from Corelight collections include a description. Suricata alerts include an AI generated description. Custom generated alerts will not have a description.

    Note

    AI-generated content is identified by an icon that appears next to the description. Although our goal is a detailed and accurate description, use your judgment for any AI generated description.

  • Significance – the potential impact of this detection for machine learning (ML) detections and some notices.

  • Detection Summary

    • Status – if the detection is open or closed.

    • Assignee – indicates if the detection is assigned to a user or if it is unassigned.

    • Number of alerts

    • First alert time and last alert time

  • Entity for the detection, including IP address or domain.

    With a CrowdStrike integration configured and enabled, the detections show additional host information from CrowdStrike data to provide even more context and let you isolate entities from network activity in response to security events.

  • Alert Category

    • Alert Category – click the name to see the full entry in the Alert Catalog and customize the severity score

    • Severity

    • Type – Notice, Suricata, Search Based, or Machine Learning

  • MITRE ATT&CK techniques (if available) – Notice and ML detections that Investigator can map to the MITRE ATT&CK framework include links to the relevant MITRE ATT&CK techniques.

Buttons at the top of the Quick View let you perform the actions described later on this page for a detection: View Detection (open the Detailed View), Assign To, Suppress Entity, Send to ServiceNow, and Close Detection.

Tip

In table view, the action icons appear when you hover over a table row and also in the Quick View panel.

Detailed view of the detection information

By default, the Detections page displays a Quick View panel with more information for the selected detection. Click the View Detection button in the Quick View panel to display a more complete view of the detection in a full page view.

The full page view of detection information

The Detailed View includes all the information and actions available in the Quick View, plus this additional information (as applicable for each alert type):

  • Description – explains the detection

  • Significance – the potential impact of this detection for machine learning (ML) detections and some notices.

  • Validation – how to assess the correctness of the detection

  • Next Steps – recommendations on how to address the detection (for ML detections and some notices)

  • Suricata detection details include a Suricata Rule section that shows the definition of the rule.

  • Ask GPT – Corelight-provided alerts and detections include an Ask GPT section that lets you query GPT from OpenAI about the alert or detection through pre-formed chat prompts.

    Click a prompt to ask GPT for additional details about an alert generated by a detection. Prompts might let you ask “what does this alert mean” or “what next steps should I take.” As you get an answer, related queries appear as appropriate and available.

    If preferred, you can turn off GPT integration in General Settings.

    You can use the Request More button to send feedback to the Investigator team and suggest prompts related to the detection. (Note that this feedback is not interactive.)

Buttons along the top let you perform the actions described later on this page: Assign To, Suppress Entity, Send to ServiceNow, and Close Detection.

You can click the Copy Detection URL icon in the upper-right corner to copy the Detailed View page location and share it as a unique URL for the detection.

Tabs under the action buttons provide access to:

  • Alerts – shows the alerts that contributed to this detection and details about the alerts. Machine learning detections show details about the model score, including analytics that contributed to the calculation of that score.

    You can pivot to the logs and view in LogScale by clicking the Investigate Logs icon.

  • Related Detections – provides additional context and lets analysts review detections related to the entity and the alert category to see a more complete view. The tab shows detections (both open and closed) from other related alert categories and other entities. By default, Investigator shows the newest detections first, but you can also sort by severity and change sort options. Click a detection to display additional information.

    You can use the filters to limit the results to a specific alert category or entity.

    To filter by alert category, type an alert category in the Category search field. Investigator suggests matches as you type. You can also click the checkbox to show detections only for the current category. You can add multiple alert categories to the filters.

    To filter by an entity, type an IP address or domain in the Entity search field. Investigator suggests matches as you type. You can also click the checkbox to show detections only for the current entity. You can add multiple entities to the filters.

    You can switch the results list format and view in either table view or list view, and you can sort by severity score.

A number before the tab name indicates the quantity of current related alerts/detections.

Sort and filter detections

By default, detections appear in a list that shows the most recent activity first and the detections appear for the last 7 days. You can change the time period to range from one hour to three months. You can also specify a custom date range.

Note

When you change the time window for detections, the time setting applies to all parts of Investigator that use a time window.

You can sort detections based on:

  • Newest Detection – show the most recent detections first

  • Oldest Detection – show the oldest detections first for the specified time window

  • Highest Severity – show the most severe detections first

  • Lowest Severity – show the least severe detections first

You can filter detections based on:

  • Severity Score – use the slider to specify a minimum and maximum score for the results. By default, all scores are included.

  • Status – open or closed.

    • Open – the alerts/detection have been generated and are awaiting investigation and resolution.

    • Closed – the alerts/detections have been fully investigated and resolved and no further action is required, the detection was sent to ServiceNow, or the detection reached the automatic close period (7 days after creation by default).

  • Category – Limit the results based on a single alert category. This search box suggests matches based on values found in the filtered results; start typing keywords to see available filtering options. You can only filter by one alert category at a time.

  • Entity – Find detections by IP or domain. This search box suggests matches based on values found in the filtered results; start typing search terms to see available filtering options. You can only filter by one entity at a time.

  • Assignee – A search box lets you find and select an assignee from the full list of users associated with the account and show only detections assigned to that user. You can also show only unassigned detections or detections assigned to you.

You can combine multiple filters to focus results. Active filters are shown at the top of the Filters pane.

You can reset custom filters. Click Reset to clear all filters, or click the X next to a specific filter label to remove it.

You can show or hide filters with the icon in the upper-right corner of the filter pane.

Exclude an entity

Analysts and admins can exclude entities from a detection. The button that does this is labelled Suppress Entity, and the page uses "exclude" and "suppress" for the same action. A suppressed entity no longer generates alerts for that one alert category; alerts for the same entity in other alert categories are unaffected. Typically, you exclude trusted entities so you can focus on other entities. Keep in mind that suppression stays in effect until you unsuppress the entity, so a suppressed host that is later compromised produces no alerts in that category.

To exclude an entity from an alert category

  1. From the Quick View panel or the Detailed View, click the Suppress Entity button.

    A dialog box prompts for confirmation.

  2. Click Suppress Entity.

If excluded, you can click the Unsuppress button to restart alerts for the entity.

You can see a list of suppressed entities for an alert category in the Alert Catalog.

Assign a user to a detection

You can assign a detection to any admin or analyst user, including yourself.

To assign a detection

  1. From the Quick View panel or the Detailed View, click the Assign To button.

  2. Search for an assignee and select their alias.

    Each assignee is listed by their account alias.

  3. Click Apply.

Once assigned, you can change the assignee or revert to Unassigned. Users are not notified when they are assigned a detection, but they can filter the Detections page to show only the detections assigned to them.

Send a detection to ServiceNow

If an analyst or admin identifies a detection as a potential incident, they can send the detection to their ServiceNow instance. A detection sent to ServiceNow creates a security incident for further investigation and can initiate response workflows.

Important

Users send detections manually on a case-by-case basis.

To enable this functionality, an admin for your account needs to provide access settings for your ServiceNow instance in the integration settings.

To send a detection to ServiceNow

  1. From the Quick View panel or the Detailed View, click the Send to button.

  2. You are prompted to confirm the action.

    When sent, the status for the detection changes to closed, the username of the person who sent the detection is added to the details, and an icon indicates the detection has been sent to ServiceNow.

    Important

    Once you send a Detection to ServiceNow, it cannot be reverted or reopened.

When you send a detection to ServiceNow, Investigator includes these fields:

  • Description of the detection

  • Alert category name

  • Severity score

  • Detection status (will always be closed since Investigator closes detections once sent to ServiceNow)

  • Entity

  • Entity type

  • Assignee

  • Number of alerts

  • Unique URL for the detection

  • Detection created time

  • Last updated time

Close a detection

Without any user activity, Investigator automatically closes a detection 7 days after creation by default. (Admins can configure the autoclose time period.) Additionally, analysts and admins can close detections when they determine a detection is not a security issue or when they have addressed the issue.

If your active filters only show Open detections (the default), the closed detection no longer appears in the list. Once you close a detection, you cannot re-open it.


To close a detection

  1. From the Quick View panel or the Detailed View, click the Close Detection button.

  2. When prompted to confirm the action, click the Close Detection button.

    A message appears when the action completes successfully.

Note

If a detection is closed and new alerts arrive for the same alert category and entity pair, Investigator does not reopen the closed detection; it creates a new detection for that pair.

You can still perform actions on closed detections, such as assign a user or suppress an entity.