| Figure 1. Playback Bar / Time Slider
  Click on the playback bar to view the time line for the correlated events. Deep Discovery Director - Network Analytics draws the oldest correlation event first and continues through to the latest correlation. Use the time line sliders to view correlated events over a selected time frame. The graph displays only the correlations within the selected time frame.
  - Adjust the time frame by clicking on the left and right grab bars on the time line and dragging them to the desired location.
  - To move the entire time frame, click inside the current time frame and drag the frame toward the left or the right.
  - The correlations displayed in the graph (and resultant transaction details) change according to event data found within the selected time frame. |
| Click on the filter icon located next to the Playback Bar to display or hide the advanced search filter. Use the advanced search filter to create and apply customized searches. For details, see Correlation Graph Advanced Search Filter. |
| Correlation Line
  Each correlation graph contains one or more correlation lines that correlate malicious or suspicious activity between a source and destination.
  - Each correlation line represents one or more transactions between two hosts.
  - The thickness of the line is proportional to the number of transactions occurring between the hosts.
  - Correlation lines can be between an internal host and external server or between two internal hosts (lateral movement).
  - Each correlation line is labeled with the protocols used in transactions between the hosts. An arrow within the correlation line indicates the direction of the transactions, from source to destination. Correlation lines involving email senders are labeled as Suspicious Email Activity. |
| Internal hosts
  - Internal hosts are identified by IP address; the host name and logged on user are also supplied if known. Icons representing relevant information might be displayed next to an internal host. For example, if the internal host is on the priority watch list or on a registered service list, the graph displays the appropriate icon.
  - Hover over the downward triangle icon located next to each internal host and external server to view a list of additional actions you can perform for that host.
  - Deep Discovery Director attempts to retrieve an endpoint analysis report for hosts on the priority watch list and for the host that is the Interested IP in the trigger event. If there is a report, the icon is located beneath the internal host. Click on the Endpoint Analysis Report icon to open the report provided by Apex Central.
    Note: Deep Discovery Director must be integrated with Apex Central before the Endpoint Analysis Report icon becomes available in the correlation graph. For details, see Configuring Apex Central Settings. |
| External servers
  - External servers are identified by IP address; the domain name is also supplied if known. Email senders are identified by email address and are always displayed at the top of the External Servers side. Other relevant information might be displayed for external hosts.
  - Hover over the downward triangle icon located next to each external server to view a list of additional actions you can perform for that host.
    - Copy to clipboard: Copy the value to your clipboard.
    - View network detection events: Open the Network Detections screen in a new browser tab with filters matching this object applied.
    - Threat Connect: Open Trend Micro Threat Connect in a new browser tab with a query for this object.
    - DomainTools (WHOIS): Open DomainTools in a new browser tab with a query for this IP address or domain.
    - VirusTotal: Open VirusTotal in a new browser tab with a query for this object. |
| Special Icons
  Additional icons provide information about elements in the correlation graph.
  - Priority Watch List icon:
  - Endpoint Analysis Report icon: Deep Discovery Director attempts to retrieve an endpoint analysis report for hosts on the priority watch list and for the host that is the Interested IP in the trigger event. If there is a report, the icon is located beneath the internal host. Deep Discovery Director (Consolidated Mode) retrieves the report from Apex Central, which is integrated with Apex One. Apex One provides the endpoint sensor feature. There are several statuses for retrieving the report: |
| Legend
  Provides a list of icons used in the correlation graph, including the following:
  - The color of the correlation line for the interested host
  - Whether the graph contains hosts on the priority watch list
  - Registered services icons indicating that the hosts in the graphs are members of that list
  Figure 2. Legend |
| Interested Host
  Represents the focal point of this correlated event. The interaction is generally between an internal host and external server and is identified by the yellow line connecting the source and destination.
  Note: Suspicious Object detections selected from Deep Discovery Director generally do not generate an Interested Host correlation. |
| Activity Legend
  Identifies key activities for the internal host and external server participants in the graph.
  - Activities vary for each specific correlation graph.
  - Can include activities similar to the following: Brute Force Authentication, C&C Callback, Data Exfiltration, Lateral Movement, Malicious Transfer, Other Malicious Activities, and Vulnerability Exploit.
  - Some activities correspond to "Reason" in Deep Discovery Inspector logs. |
| Participant Icons
  You can determine the activities in which each internal host or external server participated by checking the presence of an icon in the corresponding activity column.
  - Hover over an internal host or external server to see the activities in which they are participants highlighted in blue. |