Reviewing the Correlation Data Summary

The Correlation Data Summary section provides a high-level overview of the malicious activity, the assigned risk level, and the risk analysis of the correlation data for the correlation event or suspicious object selected in Deep Discovery Director.

  1. Review the risk and activity summary.

    The summary provides the following information:

    Risk summary

    • The attack pattern for the correlated event or suspicious object selected in Deep Discovery Director.

    • Risk assigned by Deep Discovery Director - Network Analytics to the event and related correlations.

      Deep Discovery Director - Network Analytics uses a number of factors to assign risk, including proprietary risk analysis.

    Activity summary

    • Identifies which hosts are involved in the suspicious or malicious activity.

      Activity might be between internal hosts and external servers or might include lateral activity between internal hosts.

      Internal hosts are defined by the Trusted Internal Networks list that you configured during setup. Because Deep Discovery Director - Network Analytics relies on this list to decide which hosts are internal, a network or host that is missing from the list is not treated as internal, so activity involving it cannot be recognized as lateral activity. For an accurate analysis of correlation data, make sure that all of your internal networks and hosts are entered in the Trusted Internal Networks list.

    • Identifies the malicious activities found in the correlation data.

    • Identifies protocols involved in the transactions that are part of the correlation data.

    • Can include information about additional hosts that participated in the suspicious activity.

    • Can include information about suspicious objects when viewing correlation data for suspicious objects.

    • Each summary is unique and is generated from the dynamically created data shown in the Correlation Data screen.

  2. Review more detailed summary data by clicking Show detection history.

    The detection history provides the following information:

    Start IP address

    • Displays the IP address found in the Interested IP field of the correlated event selected in Deep Discovery Director.

    • The detection history for suspicious objects does not contain a start IP address entry.

    Summary details

    • The summary details shown are log event entries sent by Deep Discovery Inspector for the correlated events.

    • The log event entries are grouped into attack-phase sections such as the following:

      • Intelligence Gathering

      • Point of Entry

      • Command and Control Communications

      • Asset and Data Discovery

      • Lateral Movement

      • Data Exfiltration

  3. Click Hide detection history to hide the detailed summary information.
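The activity summary described in step 1 depends on the Trusted Internal Networks list to tell lateral activity between internal hosts apart from activity between internal hosts and external servers. The following Python script is an added illustration of that dependency, not code from Deep Discovery Director - Network Analytics (whose risk analysis is proprietary and not reproduced here). It assumes a hypothetical Trusted Internal Networks list, a constructed set of sample events labelled with the attack-phase names used on this page, and a simple classification of each flow by which side is internal. Running it with an incomplete list shows a lateral-movement event being reported as inbound from an "external" host; adding the missing range corrects it.

```python
import ipaddress
from collections import Counter

# Constructed sample events, each (source IP, destination IP, protocol, phase).
# The phase names reuse the detection-history categories on this page; the
# addresses and events are illustrative, not real product log entries.
SAMPLE_EVENTS = [
    ("10.1.2.3",    "203.0.113.10",  "HTTP",  "Command and Control Communications"),
    ("10.1.2.3",    "10.1.5.7",      "SMB",   "Lateral Movement"),
    ("192.168.4.9", "198.51.100.25", "HTTPS", "Data Exfiltration"),
    ("172.16.8.1",  "10.1.2.3",      "RDP",   "Lateral Movement"),
]

# Two versions of a hypothetical Trusted Internal Networks list: one that
# omits the 172.16.0.0/12 range, and the corrected one that includes it.
INCOMPLETE_TRUSTED_NETWORKS = ["10.0.0.0/8", "192.168.0.0/16"]
CORRECTED_TRUSTED_NETWORKS = ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]


def build_networks(cidrs):
    """Parse CIDR strings into ip_network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_internal(ip, networks):
    """True if the address falls inside any trusted internal network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify_direction(src, dst, networks):
    """Label a flow by which side(s) are internal."""
    src_in, dst_in = is_internal(src, networks), is_internal(dst, networks)
    if src_in and dst_in:
        return "lateral"
    if src_in:
        return "outbound"
    if dst_in:
        return "inbound"
    return "external"


def summarize(events, cidrs):
    """Build an activity summary: hosts, flow directions, protocols and per-phase flows."""
    networks = build_networks(cidrs)
    internal_hosts, external_hosts = set(), set()
    directions = Counter()
    protocols = set()
    phases = {}
    for src, dst, proto, phase in events:
        direction = classify_direction(src, dst, networks)
        directions[direction] += 1
        protocols.add(proto)
        for host in (src, dst):
            (internal_hosts if is_internal(host, networks) else external_hosts).add(host)
        phases.setdefault(phase, []).append((src, dst, direction))
    return {
        "internal_hosts": sorted(internal_hosts),
        "external_hosts": sorted(external_hosts),
        "directions": dict(directions),
        "protocols": sorted(protocols),
        "phases": phases,
    }


def misclassified_lateral(events, cidrs):
    """Lateral Movement events that the trusted-network list fails to classify as lateral."""
    networks = build_networks(cidrs)
    return [
        (src, dst)
        for src, dst, _proto, phase in events
        if phase == "Lateral Movement"
        and classify_direction(src, dst, networks) != "lateral"
    ]


if __name__ == "__main__":
    for label, cidrs in (("incomplete", INCOMPLETE_TRUSTED_NETWORKS),
                         ("corrected", CORRECTED_TRUSTED_NETWORKS)):
        s = summarize(SAMPLE_EVENTS, cidrs)
        print(f"[{label}] directions={s['directions']} external={s['external_hosts']}")
        print(f"[{label}] lateral events misread as inbound/outbound: "
              f"{misclassified_lateral(SAMPLE_EVENTS, cidrs)}")
```

With the incomplete list, the RDP flow from 172.16.8.1 to 10.1.2.3 is reported as inbound from an external host and 172.16.8.1 lands among the external hosts; with the corrected list the same flow is counted as lateral. A quick way to audit your own list is to run the hosts from a known internal-only event through this kind of check before relying on the activity summary.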