CONTACT US
forrester wave report 2023

Close your ransomware case with Open NDR

SEE HOW

Download our free guide to find hidden attackers.

Find hidden attackers with Open NDR

SEE HOW

cloud-network

Corelight announces cloud enrichment for AWS, GCP, and Azure

READ MORE

corelight partner programe guide

Corelight's partner program

VIEW PROGRAM

glossary-icon

10 Considerations for Implementing an XDR Strategy

READ NOW

ad-images-nav_0006_Blog

Don't trust. Verify with evidence

READ BLOG

video

The Power of Open-Source Tools for Network Detection and Response

WATCH THE WEBCAST

ad-nav-ESG

The Evolving Role of NDR

DOWNLOAD THE REPORT

ad-images-nav_0006_Blog

Detecting 5 Current APTs without heavy lifting

READ BLOG

g2-medal-best-support-spring-2024

Network Detection and Response

SUPPORT OVERVIEW

 

Reduce time to triage by up to 50% with Corelight's new Guided Triage capability

Security Operations Centers (SOCs) are under immense pressure to ensure no attack goes unnoticed. At Corelight, we’re being approached daily to help bring in network visibility. For many though, visibility isn’t enough. SOCs are already overloaded and Tier 1 Analysts often lack network expertise. Modern network visibility has to be easy to use and designed for maximizing SOC efficiency. For that, we built Guided Triage.

Guided Triage brings context, visuals, and AI to every alert. With rich context pre-queried and pulled into the Detection, analysts can react to the data instead of searching for it. The key design principle is providing details while on the same page, avoiding issues like tab fatigue or getting lost traversing page after page during a workflow. Built on the best network data, Guided Triage simplifies network complexity for analysts by automating workflows, delivering prioritized alerts, and explaining the expert level data needed for triage, all while reducing SIEM ingest.

How AI and great design are interwoven

Last year, we introduced AI to help explain alerts. We also introduced AI to help guide on next steps and to ask questions about an alert. Guided Triage takes ease of use to the next level using a combination of AI and powerful page design to pull in data, simplify it, and visualize it.

guided triage GPT

We understand that having all the logs and payloads isn’t enough when the analyst isn’t a network expert, so we used LLMs to turn traffic logs and payloads into plain English. When we started building these LLM features, we started with privacy by adding an optional opt-in, and then used multiple tactics to ensure private data stays secure. One of the advantages of having been early to adding LLM to our products is rapid learning and iteration. For example, with our newest LLMs features we’ve put in the extra effort to avoid lengthy paragraphs and take on the harder task of turning LLM summaries into key fields and highlights that can be quickly scanned.

guided triage alert connection insights

Other things are better painted in a picture. Features like our new timeline visual make it effortless to inspect the detected machines for other malicious behavior. Upon looking at a detection, one of the first questions an analyst has is, “what are the machines that are communicating and what are they communicating about?” The timeline visual tells that story, making it easy to see attacks unfolding.

guided triage detection activity

Building for ease of use, for everyone

To truly improve SOC metrics like TTD and TTR, you have to make both the L1 and the L2-3 analysts faster. That’s a challenge for any designer because what those users want to see can differ. This is where information architectures come into play.

Guided Triage pulls out the most important network context from the raw data, making it quick and easy to scan the page for ports, protocols, user agents, data transfer rates, and other key details. Built on the power of Zeek, Guided Triage can highlight key details other tools can’t.

guided triage connection details guided triage SSL detailsguided triage file details

Importantly, for the L2-3 Analyst, the raw data is always just a click away. Analysts can get tab fatigue and when it’s not too many tabs, it’s getting lost down an investigation rabbit hole and having to click back five times. Guided Triage places emphasis on the single-screen workflow. Delivering on such a powerful page required designing new components and lots of customer research. The result is the ability to view everything, from a related Detection to a raw log, without leaving the page. In early testing, this has drawn “wows” from expert users who can do in seconds what they previously did in minutes.

guided triage ETPRO malware

guided triage ETPRO malware 2

Leveraging history

Every alert follows one of two paths: Either the alert is a real threat and follows an IR workflow, or it’s a false positive, in which case the analyst moves into making a decision to tune or keep getting similar alerts. To optimize for SOC efficiency, a Detection actually has to be designed equally for both true positive and false positive workflows.

For example, an analyst may investigate a remote desktop alert and find it was a user from IT. They may choose to mark it as such, leave a comment, and keep the rule enabled to catch future suspicious remote desktop sessions. With triage history shown as part of every Detection, the next time this alert fires on the same host, all prior investigation verdicts, notes, and other details will come up, making it easier to discover context and compare if the new activity matches the old. If the alert keeps happening, it will be easier to see the history and eventually tune the rule to avoid the false positives.

When SOC efficiency is the goal, it’s important to recognize that false positives are a part of SOC life and SOC efficiency means equal speed in working both the TP and the FP scenario.

guided triage history

Entity cards: hover for context

When you study analyst workflows, you find that seconds add up. Leaving a page has a focus cost. Loading a new page has a waiting cost. Knowing those costs affects analyst decisions about how often they click to learn more, knowing it will cost them time. In a world where no one likes waiting for a spinner, quick information can change the game.

That’s why Guided Triage includes hover cards. Hover on any IP, anywhere on the screen, and a hover card shows what Detections are active on it, if it’s internal or external, first and last seen dates, and gives quick buttons to pivot into a deeper investigation on that IP. Like all Guided Triage features, these investigation pivots pop up right in the Detection to keep learning curves short and SOCs fast.

guided triage investigator

Conclusion

With the launch of Guided Triage, Corelight Investigator is not just keeping pace with industry standards but setting new ones. By focusing on ease of use and efficiency, we're empowering SOC analysts to operate with greater speed and accuracy, ultimately strengthening an organization's security posture.

Recent Posts