Security overview

The Security Overview page appears when you log in. This page provides a high-level summary of what’s going on in your network based on the data coming into Investigator from your sensors.

The Security Overview displays summary data about detections on your network, including the number of detections over time and the distribution of detections across MITRE ATT&CK categories as well as information about individual detections.

[Figure: the Investigator Security Overview page]

The Security Overview organizes information in these cards:

  • Highest Risk Detections - highlights important alerts and alert categories. You can switch between these tabs:

    • Entities - Displays the entities with the highest severity scores for open detections. The score ranges from 1 to 10, with higher scores indicating more severe threats.

      Mouse over an entity to see more information about its associated alert categories, and click View Detections to see the detections for the entity on the Detection summary page.

      Entities with high threat scores are a good place to start your analysis.

    • Alert Categories - Displays the alert categories with open detections and their severity score.

  • Entities with Detections - Displays the number of entities (IP addresses and domain names) that have been flagged with a security alert. The card also shows the percentage change from the previous time window. The number of entities includes both open and closed detections.

  • Alert Categories with Detections - Displays the number of distinct detection types (both open and closed) that have been identified in the specified time interval. This section also shows the percentage change from the previous time window.

  • MITRE ATT&CK Map - Provides a heat map that aligns security alerts with MITRE ATT&CK tactics, techniques, and procedures. The MITRE ATT&CK framework shows how attacks evolve through an enterprise.

    This card shows the observed tactics (such as reconnaissance, initial access, and execution) and techniques in color-coded blocks.

    For active scanning alert categories, a number in the bottom-right corner of each block shows how many unique entities were found for the category. Mouse over the color-coded technique blocks for details about the associated detections.

    Tip

    For more information about the MITRE ATT&CK framework, see https://attack.mitre.org.

  • Blogs - Populated with the latest security blogs from Corelight on corelight.com.

You can focus the contents of the Security Overview page by specifying a time interval from the menu in the upper-right corner. The default time interval is 7 days. You can change the time period to range from one hour to three months, or you can specify a custom date range. The time range applies to all parts of Investigator and changing the time interval in one place changes it for all features with a time interval. For example, the Detections page uses the same time interval as the Security Overview page.

The Investigator pages do not automatically refresh. If new detections are available for your time window, the Refresh icon to the left of your time interval selection is blue. Click the Refresh icon to show the new detections in the results. If new detections are not available, the Refresh icon is gray. The time window shows the length of time since the last update.

To learn more about these entities and alerts, go to the Detections dashboard.