Analysis Using the Correlation Data Graph

Open the Correlation Data screen from Deep Discovery Director to see the Correlation Data Graph for the selected event.

The Correlation Data Graph is a visual representation of correlations made between the correlated event or suspicious object selected in the Deep Discovery Director and other related events as they occurred over time.

From the main screen, perform initial analysis:

Elements in the Correlation Data Graph

Figure 1. Playback Bar

Click on the playback bar to view the time line for the correlated events. Deep Discovery Director - Network Analytics draws the oldest correlation event first and continues through to the latest correlation.

Correlation Line

  • Each correlation graph contains one or more correlation lines that correlate malicious or suspicious activity between a source and destination.

  • Each correlation can be between an internal host and external server or between two internal hosts (lateral correlations).

  • For each internal host and external server, the host name is supplied if known.

    For internal hosts, the user name for that host is supplied if known.

  • The circular icon embedded in each line displays the number of transactions associated with each correlation.

  • The color of each circular icon represents the protocol used in the correlation.

Legend

Provides information about protocols used in correlation data transactions and other information such as the Detected Threat correlation line color and certain icons used in the graph such as the "Priority Watch List" icon.

Figure 2. Example: Legend

Detected Threat

Represents the correlated event selected in Deep Discovery Director.

The interaction is generally between an internal host and external server and is identified by the orange line connecting the source and destination.

Note:

Suspicious Object detections selected from Deep Discovery Director generally do not generate a Detected Threat correlation.

Activity Legend

Identifies key activities for the internal host and external server participants in the graph.

  • Activities vary for each specific correlation data graph.

  • Can include activities similar to the following: Lateral Activity, Detected Event, C&C Activity, and Malicious Download.

  • Activities correspond to "Reason" in Deep Discovery Inspector logs.

Participant Icons

You can determine the activities in which each internal host or external server participated.

  • Participant icons indicate if an internal host or external server is a participant in a specific activity.

  • Hover over an internal host or external server to see the activities in which it is a participant.

  • Participant icons also show which internal hosts or external servers were the source or endpoint for an activity.

  • Participant:

  • Non-participant:

Correlation - Details Window

  • Hover over a correlation line to see more details about that correlation.

  • Details include:

    • Source IP, user name, and host name

    • Destination IP

    • Severity

    • Detected URLs and SHA1s (if any)

    • Protocols and number of transactions

    • Reason

      The listed reason corresponds to an activity in the Activity Legend.

    • Earliest date and latest date

Correlation - Transactions Details Window

You can view transaction details for a correlation.

  • For each interaction, the number of transactions between the source and endpoint is specified within the transaction number icon (color-coded for the protocol used for those transactions).

    Examples of transaction number icons:

  • Click on a transaction number icon to view details about all transactions for that correlation.

  • Oldest transactions are at the top of the page. If necessary, scroll down to see newer transactions.

  • Each transaction number in the list represents where the transaction falls in the time line for all transactions in the correlation data graph (including transactions from other correlation lines).

The transaction detail window provides the following information:

  • Source and destination for the correlation

  • Number of transactions and protocol for the correlation

  • Details for each transaction:

    • Transaction number

    • Risk assigned to each transaction

    • Details specific to each protocol

    • Date of each transaction
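The Correlation Line, Correlation - Details Window, and Correlation - Transactions Details Window sections above describe the same underlying data model: transactions grouped into one correlation line per source and destination pair, counted and color-coded by protocol, flagged as lateral when both ends are internal, and numbered oldest-first across the whole graph rather than per line. The following Python script is an added example, not Trend Micro's code and not taken from Deep Discovery Director - Network Analytics; it rebuilds those summaries from a few constructed transaction records. The record field names, the internal network range, the protocol color palette, the severity ranking, and the placeholder SHA1 are all assumptions made for the example.

```python
"""Added example (not Trend Micro's code): derive the summaries shown in the
Correlation - Details and Transactions Details windows from constructed
transaction records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: which addresses count as "internal" for lateral correlations.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8")]
# Assumed palette for the color-coded transaction number icons.
PROTOCOL_COLORS = {"HTTP": "blue", "TCP": "green", "SMB": "purple"}
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample transactions (not real detection data). They are
# deliberately out of time order so the global numbering has work to do.
SAMPLE_TRANSACTIONS = [
    {"time": "2023-05-01T09:02:00", "src_ip": "10.0.0.5", "user": "alice",
     "host": "WS-05", "dst_ip": "198.51.100.7", "protocol": "TCP",
     "reason": "C&C Activity", "severity": "High", "url": None, "sha1": None},
    {"time": "2023-05-01T09:00:00", "src_ip": "10.0.0.5", "user": "alice",
     "host": "WS-05", "dst_ip": "203.0.113.10", "protocol": "HTTP",
     "reason": "Malicious Download", "severity": "High",
     "url": "http://203.0.113.10/update.bin",
     "sha1": "0000000000000000000000000000000000000000"},  # placeholder hash
    {"time": "2023-05-01T09:01:00", "src_ip": "10.0.0.5", "user": "alice",
     "host": "WS-05", "dst_ip": "203.0.113.10", "protocol": "HTTP",
     "reason": "Malicious Download", "severity": "Medium",
     "url": "http://203.0.113.10/index.html", "sha1": None},
    {"time": "2023-05-01T09:05:00", "src_ip": "10.0.0.5", "user": "alice",
     "host": "WS-05", "dst_ip": "10.0.0.9", "protocol": "SMB",
     "reason": "Lateral Activity", "severity": "Medium", "url": None,
     "sha1": None},
]


def is_internal(ip):
    """True when the address falls inside an assumed internal network."""
    return any(ip_address(ip) in net for net in INTERNAL_NETWORKS)


def number_transactions(transactions):
    """Sort oldest-first and assign a global transaction number that spans
    the whole graph, not just one correlation line."""
    ordered = sorted(transactions, key=lambda t: t["time"])
    return [dict(t, number=i + 1) for i, t in enumerate(ordered)]


def build_correlation_lines(transactions, detected_threat=None):
    """Group numbered transactions into one correlation line per
    (source, destination) pair and summarise each line with the fields the
    Correlation - Details window lists. `detected_threat` is the
    (src_ip, dst_ip) pair of the event selected in Deep Discovery Director;
    that line is the one drawn in orange."""
    groups = defaultdict(list)
    for t in number_transactions(transactions):
        groups[(t["src_ip"], t["dst_ip"])].append(t)
    lines = []
    for (src, dst), txs in groups.items():  # txs are already oldest-first
        protocols = sorted({t["protocol"] for t in txs})
        lines.append({
            "source_ip": src, "user": txs[0]["user"], "host": txs[0]["host"],
            "destination_ip": dst,
            "lateral": is_internal(src) and is_internal(dst),
            "detected_threat": (src, dst) == detected_threat,
            "severity": max((t["severity"] for t in txs), key=SEVERITY_RANK.get),
            "protocols": protocols,
            "transaction_count": len(txs),
            "icon_color": PROTOCOL_COLORS.get(protocols[0], "grey"),
            "reasons": sorted({t["reason"] for t in txs}),
            "urls": [t["url"] for t in txs if t["url"]],
            "sha1s": [t["sha1"] for t in txs if t["sha1"]],
            "earliest": txs[0]["time"], "latest": txs[-1]["time"],
            # Transactions Details window: number, risk, date, oldest first.
            "transactions": [(t["number"], t["severity"], t["time"]) for t in txs],
        })
    return lines


if __name__ == "__main__":
    selected = ("10.0.0.5", "203.0.113.10")  # the event "selected" in DDD
    for line in build_correlation_lines(SAMPLE_TRANSACTIONS, selected):
        kind = "lateral" if line["lateral"] else "external"
        flag = " [Detected Threat]" if line["detected_threat"] else ""
        print(f"{line['source_ip']} -> {line['destination_ip']} ({kind}){flag}: "
              f"{line['transaction_count']} {'/'.join(line['protocols'])} "
              f"transactions, severity {line['severity']}, "
              f"{line['earliest']} .. {line['latest']}")
        for number, risk, when in line["transactions"]:
            print(f"    #{number}  {risk:<6} {when}")
```

Running the script prints one summary per correlation line followed by its transactions; note that the lateral SMB line carries transaction #4 even though it is the only transaction on that line, because numbering follows the graph-wide time line exactly as the Transactions Details section states.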

Additional Actions

You can click the plus-sign icon located on the left-hand side of each internal host and external server to view a list of additional actions you can perform for that host.

Actions for Internal Hosts: View other correlations for this host

Actions for External Servers: Retrieve information for this external server from Threat Connect, VirusTotal, or Domain Tools

Special Icons

Additional icons provide information about elements in the correlation graph.

  • Member of Priority Server List:

  • Correlation event originated from an email:

    From the indicated host, a user clicked on a URL, downloaded a file, or performed a related action that triggered a correlated event in the correlation time line. A correlation line for the SMTP transaction containing malicious content is not present in the correlation data; however, the email icon indicates that a malicious email was the origin of the subsequent correlated event. For example, if a user receives an email with a link to a malicious URL but does not click on the link, a correlation is not triggered. If the user clicks on the malicious URL, an HTTP correlation is triggered.