They say a picture is worth a thousand words. If that is true, then what is an interactive visualization of a year’s worth of endpoint telemetry across your entire fleet worth? LimaCharlie is proud to be launching a new data visualization console today and we are very excited about what it means for threat hunting on our platform.
With this interface users can explore prevalence and timing data for domains, IP addresses, files, file paths, hashes and users across their entire fleet, over up to a year of telemetry. The console also lets users search for a given sensor ID and drill into all of the aforementioned data points for a single endpoint over the chosen time period.
For example, if a client inside an organization reports an attempted phishing email, an analyst can take the domain from that email and search across the entire fleet to see whether the indicator of compromise (IOC) has been observed anywhere else.
When searched, instances of the IOC show up in the graph along with when it was observed, how often, and across how many endpoints. Users can then click on any graph node to get more information and start to drill down.
In the example above we can see that the given domain was observed multiple times across a variety of different endpoints. If we click on one of the nodes we can see details for it in the lower data panel. Under the metadata tab we can find the IP address behind the domain and search the fleet to see if it has shown up anywhere else.
As the investigation progresses and an endpoint of interest is identified, we can search for its sensor ID and take a closer look at what happened there. The graphs for a given endpoint can be quite noisy, and the various filtering options let us strip that noise back. We can reduce the data included in any graph by adjusting parameters around how prevalent the various events are across the fleet. In our experience, the rare events are the ones of most interest.
Once the search has been narrowed down to a particular point in time, we can launch a link to that moment in the historical telemetry explorer and examine any process attached to the event under investigation. If we do find something of concern, we can immediately isolate that host from the network and start searching the rest of the fleet for any new IOCs we come across.
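To make the hunting workflow described above concrete (fleet-wide IOC prevalence, pivoting from a domain to the IP behind it, and filtering a single endpoint's events down to the rare ones), here is an added Python example. It is not LimaCharlie code and does not use the LimaCharlie API; the telemetry records, sensor IDs, domain names, IP addresses and the hash placeholder are all constructed for illustration.

```python
"""Prevalence-style IOC hunting over a small, constructed set of endpoint telemetry."""
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real data). Each record is
# (timestamp, sensor_id, indicator_type, indicator_value).
TELEMETRY = [
    ("2024-03-01T09:12:00", "sensor-a", "domain", "login-update.example"),
    ("2024-03-01T09:12:01", "sensor-a", "ip", "203.0.113.10"),
    ("2024-03-01T09:15:00", "sensor-a", "domain", "cdn.vendor.example"),
    ("2024-03-02T14:03:00", "sensor-b", "domain", "login-update.example"),
    ("2024-03-02T14:03:02", "sensor-b", "ip", "203.0.113.10"),
    ("2024-03-02T14:10:00", "sensor-b", "domain", "cdn.vendor.example"),
    ("2024-03-03T08:00:00", "sensor-c", "domain", "cdn.vendor.example"),
    ("2024-03-03T08:30:00", "sensor-c", "hash", "PLACEHOLDER-SHA256-1"),
    ("2024-03-05T11:45:00", "sensor-a", "domain", "login-update.example"),
    ("2024-03-06T16:20:00", "sensor-d", "domain", "cdn.vendor.example"),
]


def prevalence(records, indicator_type, value):
    """Fleet-wide view of one IOC: how often, on how many endpoints, and when."""
    hits = [r for r in records if r[2] == indicator_type and r[3] == value]
    if not hits:
        return None
    times = sorted(datetime.fromisoformat(r[0]) for r in hits)
    return {
        "observations": len(hits),
        "endpoints": sorted({r[1] for r in hits}),
        "first_seen": times[0].isoformat(),
        "last_seen": times[-1].isoformat(),
    }


def endpoint_count_index(records):
    """Map (indicator_type, value) -> number of distinct endpoints that observed it."""
    seen = defaultdict(set)
    for _ts, sensor, itype, value in records:
        seen[(itype, value)].add(sensor)
    return {key: len(sensors) for key, sensors in seen.items()}


def rare_events_on_endpoint(records, sensor_id, max_endpoints=1):
    """Events on one endpoint whose indicator was seen on at most max_endpoints
    endpoints fleet-wide. This is the 'prevalence' filter: common indicators
    (shared by many machines) drop out, leaving the rare ones to look at."""
    index = endpoint_count_index(records)
    return [r for r in records
            if r[1] == sensor_id and index[(r[2], r[3])] <= max_endpoints]


def pivot(records, from_type, from_value, to_type, window_seconds=5):
    """Simplified pivot: indicators of to_type observed on the same endpoint
    within window_seconds of a from_value observation (e.g. domain -> IP).
    A real console would use the resolved address from event metadata."""
    anchors = [(datetime.fromisoformat(r[0]), r[1]) for r in records
               if r[2] == from_type and r[3] == from_value]
    related = set()
    for ts, sensor, itype, value in records:
        if itype != to_type:
            continue
        t = datetime.fromisoformat(ts)
        for anchor_time, anchor_sensor in anchors:
            if anchor_sensor == sensor and abs((t - anchor_time).total_seconds()) <= window_seconds:
                related.add(value)
                break
    return sorted(related)


if __name__ == "__main__":
    # Step 1: reported phishing domain -> where else has the fleet seen it?
    print(prevalence(TELEMETRY, "domain", "login-update.example"))
    # Step 2: pivot to the IP contacted alongside it and check its prevalence too.
    for ip in pivot(TELEMETRY, "domain", "login-update.example", "ip"):
        print(ip, prevalence(TELEMETRY, "ip", ip))
    # Step 3: on an endpoint of interest, keep only fleet-rare events.
    print(rare_events_on_endpoint(TELEMETRY, "sensor-c", max_endpoints=1))
```

Raising `max_endpoints` widens the filter: at 1 only indicators unique to a single machine survive, at 2 the phishing domain and its IP (seen on two endpoints) come back into view for `sensor-a`, while the CDN domain present on all four endpoints stays filtered out at either setting.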
This article has only scratched the surface of what is possible with this new interface into LimaCharlie endpoint telemetry. As we continue to build out our Security Infrastructure as a Service (SIaaS) you can expect a lot more. If you have any questions, suggestions for features, or just want to say hello, please do not hesitate to contact us.