Analysis using the Correlation Graph

Procedure

• From the main screen, perform initial analysis:

  Element in Correlation Graph
  Click the playback bar to view the time line for the correlated events. Deep Discovery Director - Network Analytics draws the oldest correlation event first and continues through to the latest correlation. Use the time line sliders to view correlated events over a selected time frame. The graph displays only the correlations within the selected time frame. Adjust the time frame by clicking on the left and right grab bars on the time line and dragging them to the desired location. The correlations displayed in the graph (and resultant transaction details) change according to event data found within the selected time frame.
  Click next to the Playback Bar to display or hide the advanced search filter. Use the advanced search filter to create and apply customized searches. For details, see Correlation Graph advanced search filter.
  Correlation Line Each correlation graph contains one or more correlation lines that correlate malicious or suspicious activity between a source and destination. Each correlation line represents one or more transactions between two hosts. The thickness of the line is proportional to the number of transactions occurring between the hosts. Correlation lines can be between an internal host and external server or between two internal hosts (lateral movement). Each correlation line has a label with the protocols used in transactions between the hosts. An arrow within the correlation line indicates the direction of the transactions, from source to destination. Correlation lines involving email senders have the label Suspicious Email Activity.
  Internal hosts The graph identifies internal hosts by internet protocol (IP address) as well as host name and user are, if known. Icons representing relevant information might appear next to an internal host. For example, if the internal host is on the priority watch list or on a registered service list, the graph displays the appropriate icon. Note The priority watch list consists of servers from your environment that you consider high-priority for event tracking and incident reporting. The registered service list consists of dedicated servers for specific services that your organization uses internally or considers trustworthy. Hover over the downward triangle () next to each internal host and external server to view a list of additional actions you can perform for that host. Copy to clipboard: Copy the value to your clipboard.
  External servers External servers are identified by IP address; the domain name is also supplied if known. Email senders are identified by email address and are always displayed at the top of the External Servers side. Other relevant information might be displayed for external hosts. Hover over the downward triangle () next to each external server to view a list of additional actions you can perform for that host. Copy to clipboard: Copy the value to your clipboard. Threat Connect: Open Trend Micro Threat Connect in a new browser tab with a query for this object. DomainTools (WHOIS): Open DomainTools in a new browser tab with a query for this IP address or domain. VirusTotal: Open VirusTotal in a new browser tab with a query for this object.
  Activity Legend Identifies key activities for the internal host and external server participants in the graph. Activities vary for each specific correlation graph. Can include activities similar to the following: Brute Force Authentication, C&C Callback, Data Exfiltration, Lateral Movement, Malicious Transfer, Other Malicious Activities, and Vulnerability Exploit. Some activities correspond to Reason in Deep Discovery Director logs.
  Participant Icons You can determine the activities in which each internal host or external server participated by checking the presence of an icon in the corresponding activity column. Hover over an internal host or external server to see the activities in which they are participants highlighted in blue.