Network Connection Drilldown
This page provides an overview of all indicators for the searched machine within the specified timeframe. Default this is set to the last 24 hours, but can be changed to whatever is preferred.
- On the top left there is a force directed graph depicting all network connections. This will show all hosts communicated to.
- Next to that there is a Sankey diagram which also displays the hosts communicated to. The bigger the flow, the more connections were recorded.
- Below that there is a Punchcard graph depicting all ATT&CK technique indicators per hour. The larger the dot, the more indicators were detected that moment. This makes it easy to detect time based patterns and can help in determining whether a process is malicious or benign.
- Below is a table with all network connection triggers related to the searched IP address(es) that are stored in the threathunting summary index within the search timeframe.
- On the bottom there is a panel with all related raw events. Once unfolded there are several workflow actions for the fields.
Like the ATT&CK overview, all fields per line are clickable and have specific drilldown actions most are equal for all event types but there are a few specific ones.
| field name | action | description |
|---|---|---|
| _time | whitelist | This will open the event type specific whitelist editor and fill it with the relevant fields |
| ID | MITRE technique | This will navigate to this specific ATT&CK technique description in the framework |
| Technique | MITRE technique | This will navigate to this specific ATT&CK technique description in the framework |
| Category | category | This will navigate to this specific Category overview in the framework |
| host_fqdn | computer drilldown | This will open the Computer Drilldown dashboard, which will show all indicators for that host |
| user_name | user drilldown | This will open the User Drilldown dashboard, which will show all user interactions |
| process_parent_guid | ParentProcess Drildown | This will open the ParentProcess GUID drilldown and search for the clicked guid |
| process_guid | Process Drildown | This will open the Process GUID drilldown and search for the clicked guid |
| hash_256 | Virustotal | This will search for the clicked hash on VirusTotal |
| src_ip | network drilldown | This will open the Network Drilldown dashboard and search for the clicked IP address |
| dst_ip | network drilldown | This will open the Network Drilldown dashboard and search for the clicked IP address |
| all other fields | table default action | This will open the ParentProcess or Process GUID drilldown depending on the event type |