Bricata Product Tour
Investigation Scenario: Malware Alerts
Responding to Malware Alerts
See how Bricata’s platform makes it simple to get direct answers for alerts and protect network environments in real time.
The search identifies two clusters of alerting that contain malware.
Selecting the lower alert group that shows an external source (Germany) gives a more detailed view.
Drilling into this view shows a Summary Timeline of all alerts in the cluster.
We can look at those individual alerts by clicking See Group Alerts.
These alerts tell a clear story: a potentially malicious file was downloaded from an external website.
- Signatures identifying the suspicious download have fired 3 times
- …and Bricata has extracted the file and determined it is ‘Suspected Malware’
We can look at the individual alert by clicking Suspected Malware.
Every Bricata alert contains rich context – this view provides the details about hosts, methods, file hashes and other salient features.
Clicking on the Malware Tab lets us investigate the file content itself.
The Malware Tab provides details on the machine learning score used to determine whether this file contains malicious characteristics and the potential types of threats within the file.
We can view the network activity tied to this event by clicking the Metadata Tab.
After a quick review of the Metadata, this alert suggests we need to look into this host’s interactions with toptrends.org.
Clicking the Hunt button lets us directly hunt for other events tied to this source.
The ‘Hunt’ Metadata View allows us to instantly see everything the impacted host has been doing.
- This host is generating a large number of alerts. What other systems is it communicating with?
- Should we be worried about lateral movement or malware propagation from this host?
Applying Groups to the view summarizes the large volume of metadata by field, here by Response Host and Service.
The Response Hosts and Services used in communications with the suspect system give us no reason to think this host is propagating malware laterally…phew!
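The hunt-and-group step above, as an added example that is not Bricata code: take a suspect host's connection metadata, show everything the host has been doing, group its outbound flows by responder host and service the way the tour does, and then apply the lateral-movement check explicitly, i.e. outbound flows to internal (RFC 1918) responders over services such as SMB or RDP. The records, field names, IP addresses and the LATERAL_SERVICES set are constructed for illustration and are not a Bricata schema.

```python
"""Added example, not Bricata's code: hunt on a suspect host's connection metadata,
group responders, and flag outbound internal flows that could be lateral movement."""
from collections import Counter
from ipaddress import ip_address, ip_network

SUSPECT_HOST = "10.0.5.23"

# Assumption: services a compromised host would use to spread or pivot internally.
LATERAL_SERVICES = {"smb", "rdp", "ssh", "winrm", "wmi", "dce_rpc"}

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed flow records (generic flow-log style fields, not a Bricata schema).
# External addresses use documentation ranges; toptrends.org's address is made up.
CONN_RECORDS = [
    {"orig_h": "10.0.5.23", "resp_h": "203.0.113.10", "resp_p": 80,  "service": "http", "resp_host": "toptrends.org"},
    {"orig_h": "10.0.5.23", "resp_h": "203.0.113.10", "resp_p": 80,  "service": "http", "resp_host": "toptrends.org"},
    {"orig_h": "10.0.5.23", "resp_h": "203.0.113.10", "resp_p": 443, "service": "ssl",  "resp_host": "toptrends.org"},
    {"orig_h": "10.0.5.23", "resp_h": "10.0.0.53",    "resp_p": 53,  "service": "dns",  "resp_host": "dns.corp.example"},
    {"orig_h": "10.0.5.23", "resp_h": "10.0.0.53",    "resp_p": 53,  "service": "dns",  "resp_host": "dns.corp.example"},
    {"orig_h": "10.0.5.23", "resp_h": "198.51.100.7", "resp_p": 443, "service": "ssl",  "resp_host": "cdn.example.net"},
    # Inbound SMB to the suspect host: something reaching it, not it propagating.
    {"orig_h": "10.0.8.41", "resp_h": "10.0.5.23",    "resp_p": 445, "service": "smb",  "resp_host": "ws-suspect"},
    # Unrelated flow from another host; the hunt must exclude it.
    {"orig_h": "10.0.9.2",  "resp_h": "198.51.100.7", "resp_p": 443, "service": "ssl",  "resp_host": "cdn.example.net"},
]


def is_internal(ip):
    """True for RFC 1918 addresses only (deliberately not ipaddress.is_private,
    which also treats the documentation ranges used here as private)."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def hunt(records, host):
    """Everything the host has been doing: flows where it is originator or responder."""
    return [r for r in records if host in (r["orig_h"], r["resp_h"])]


def group_responders(records, host):
    """The tour's 'Response Hosts and Services' grouping for the host's outbound
    flows: count flows keyed by (responder name, responder IP, service, port)."""
    counts = Counter()
    for r in records:
        if r["orig_h"] == host:
            counts[(r["resp_host"], r["resp_h"], r["service"], r["resp_p"])] += 1
    return dict(counts)


def internal_responders(records, host):
    """Outbound flows from the host to RFC 1918 responders, keyed by (IP, service, port)."""
    counts = Counter()
    for r in records:
        if r["orig_h"] == host and is_internal(r["resp_h"]):
            counts[(r["resp_h"], r["service"], r["resp_p"])] += 1
    return dict(counts)


def lateral_movement_candidates(records, host):
    """Internal responders reached over lateral-movement services. Inbound flows
    to the host never count, because direction is what distinguishes the host
    being targeted from the host spreading. Returns sorted (ip, service, port, n)."""
    hits = internal_responders(records, host)
    return sorted((ip, svc, port, n) for (ip, svc, port), n in hits.items()
                  if svc in LATERAL_SERVICES)


if __name__ == "__main__":
    for key, n in group_responders(CONN_RECORDS, SUSPECT_HOST).items():
        print(n, *key)
    print("lateral-movement candidates:", lateral_movement_candidates(CONN_RECORDS, SUSPECT_HOST))
```

With the constructed data the only internal responder is the corporate DNS server, so the candidate list is empty and the analyst reaches the tour's conclusion; adding one outbound SMB flow to an internal host is enough to change that answer, which is the check worth automating before deciding there is no propagation.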
We’ll flag this alert for escalation to IR, then click back into the Alert View to find another investigation to start.
We have two ways to flag it:
- Leave detailed notes within the alert itself, or
- Use a custom Bricata tag to indicate these alerts need attention from the IR Team
Clicking the IR-Target tag links this alert to that team.