Analyzing context

Overview

Use context analyzer to help determine what normal looks like in your environment. It provides a baseline that you can use to detect anomalies against. Use context analyzer to reduce false positives and benign investigative leads by determining the significance of a particular artifact. If a file or process is a common occurrence, it is likely benign. However, if it represents a rare occurrence, it might be indicative of an issue that requires further investigation. Context analyzer is the first step in helping you gather actionable data quickly and accurately about the normal state of an environment. By understanding the typical patterns in a digital environment, you can better focus on anomalies that might pose a true threat.

Context analyzer provides visibility into the most recent activity for processes, files, IP addresses, and process hashes across all online endpoints. Using both file at rest (Index) and historical (Recorder Database) data, context analyzer displays a visual summary of the data followed by a searchable details grid. A sampling of the most recent data from each endpoint is provided, which attempts to prioritize outliers on each endpoint.

Context analyzer queries all files at rest and historical data across every online endpoint, visualizes that data, and provides “context” for how an artifact appears in an environment. Such context helps answer questions such as: “Is this artifact normal in my environment?”, “Does it exist across just a few or thousands of endpoints?”, “Which users are typically associated with this artifact?”, “Does this artifact have the same hash everywhere, or are there many different hashes?”, and “Are there any obvious outliers associated with this artifact?”.

When you query an artifact, the endpoints that you target return the most recent data available for each artifact. Each endpoint provides responses grouped according to hash, path, operating system, endpoint, and user. Context Analyzer automates the searching for you and returns the results received when the query reaches 95% completion or when the four-minute maximum is reached.

Because context analyzer focuses on the most recent activity for an artifact, it is important to understand that it works best at identifying the “normality” of an artifact in an environment and at finding unique outliers across an enterprise. Context analyzer is not suited for searches such as finding the single outlier in 1000 similar events on a single endpoint. Live Connect and sensors are still often best for that type of analysis or investigation. Context analyzer does not take the place of deployed Intel documents when you need the assurance of artifact existence or non-existence across an entire environment.

Full file path searches are not currently supported.

Example use cases

Example (A): UserA was executing process svcapp-init.exe on this endpoint. Context analyzer can tell you if this process is common across the environment and which users are typically running it.

Example (B): A PowerShell executable is found in what looks like a non-standard directory. Context analyzer can show you whether this path is commonly used anywhere else for this binary, whether this binary shares a hash with other PowerShell binaries or the hash is unique, whether it is associated with any particular operating system, whether it is being run frequently across the enterprise, and which users are running it.

Example (C): You are creating a new Intel document to help you detect a potential threat. Using context analyzer, you can quickly determine how common a file, hash, process name, or IP address is in the environment and if it would cause an excessive amount of false positive alerts.
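The prevalence grouping that Examples (B) and (C) rely on, shown as an added illustration written for this page rather than Tanium's own code: each record stands for one endpoint's most recent sighting of the queried process, grouped by the dimensions the page names (hash, path, operating system, endpoint, user), and values seen on only one endpoint are surfaced as candidate outliers. The hostnames, user names and hash strings are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    """One endpoint's most recent sighting of the queried process (constructed)."""
    endpoint: str
    user: str
    os: str
    path: str
    sha256: str


# Constructed sample modelling Example (B): powershell.exe from the standard
# location on five endpoints, plus one copy in a user-writable directory.
# "hash-A/B/C" are placeholders, not real file hashes.
STD = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLES = [
    Sighting("ws-01", r"CORP\alice", "Windows 10", STD, "hash-A"),
    Sighting("ws-02", r"CORP\bob", "Windows 10", STD, "hash-A"),
    Sighting("ws-03", r"CORP\carol", "Windows 10", STD, "hash-A"),
    Sighting("srv-01", r"CORP\svc_backup", "Windows Server 2019", STD, "hash-B"),
    Sighting("srv-02", r"CORP\svc_backup", "Windows Server 2019", STD, "hash-B"),
    Sighting("ws-17", r"CORP\dave", "Windows 10", r"C:\Users\dave\Downloads\powershell.exe", "hash-C"),
]


def endpoints_per_value(samples, field):
    """Map each distinct value of `field` to the number of endpoints reporting it."""
    seen = defaultdict(set)
    for s in samples:
        seen[getattr(s, field)].add(s.endpoint)
    return {value: len(eps) for value, eps in seen.items()}


def outliers(samples, field, max_endpoints=1):
    """Values of `field` reported by at most `max_endpoints` endpoints."""
    return sorted(v for v, n in endpoints_per_value(samples, field).items() if n <= max_endpoints)


def context_report(samples):
    """Prevalence per grouping dimension plus single-endpoint outliers.

    Single-endpoint users are expected for interactive workstation users, so
    judge the user dimension together with path and hash rather than alone.
    """
    report = {"endpoints": len({s.endpoint for s in samples})}
    for field in ("sha256", "path", "os", "user"):
        report[field] = {"prevalence": endpoints_per_value(samples, field),
                         "outliers": outliers(samples, field)}
    return report
```

A hash or path that appears on one endpoint out of six is the kind of rare occurrence the page says warrants a closer look; a value present on most endpoints is the kind that would make a new Intel rule noisy.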

Time filters can be very useful in the combined view; however, you might need a very short window due to the quantity of events.

Analyze the context of artifacts

  1. Select artifacts to examine from the Gather Samples bar on the Threat Response Context Analyzer page. Select one of the following values, provide an artifact of interest, select the computer groups to examine and click Search.
    • File Name - File Name analysis supports any text. Full file path searches are not currently supported.
    • Hash - Hash analysis does not support special characters.
    • IP Address - IP Address analysis supports valid IPv4 or IPv6 address forms.
    • Process Name - Process Name analysis supports any text.
    • The search terms that you use are literal terms. Regular expressions and wildcards are not supported.

  2. The Details section provides a list view of the endpoints on which a match has occurred. You can open a direct connection to the endpoint on which the match occurs. After opening a direct connection to an endpoint from a context analyzer result, the workbench displays all events that happened within one minute of the timestamp of the initially selected event.

Users who are assigned the Threat Response Read Only User role must have the Interact Ask Dynamic Question permission to use Context Analyzer.