Analysts in a SOC use many different tools on a daily basis. When hunting for security incidents, the analyst needs to be able to quickly access all of the data that is available to them from their various tools in a way that does not take them out of the hunt. This becomes the analyst's workflow. And like any high-performing employee, SOC analysts are always looking for ways to improve their workflow and become more efficient. This is where Clear NDR™ steps in, with the addition of Contextual Deep Linking.
What is Contextual Deep Linking?
Using Contextual Deep Linking, a call can be made from Clear NDR to query other third-party tools based on Clear NDR metadata. IP addresses, hostnames, ports, usernames, MITRE tactics, and more can be used for this linking. This allows an analyst to quickly get more context around an event by right-clicking with their mouse and making a request to an outside data source. Because a deep link can be tied to any or all of the Clear NDR metadata categories, the analyst only sees the deep link options that are relevant to the metadata they right-clicked on. It should also be noted that third-party tools can deep link into Clear NDR. This allows the workflow to be customized to match the analyst's preferences.
Examples of Contextual Deep Linking
Let's imagine an analyst starts an investigation into an incident within Clear NDR. This could be the investigation of a Declaration of Compromise (DoC) or a hunting exercise. Within the Clear NDR interface there is a lot of correlation and contextual data provided to the analyst. However, in the investigation workflow, there might be a need to dig deeper into context that is not primarily network information. An example of this might be going deeper into a domain than simply knowing that it is newly registered or has been seen for the first time in the environment. The analyst workflow could have a step to check that domain in a DNS, DHCP, and IPAM (DDI) tool such as Infoblox. If an interesting domain is seen, a quick right-click can take you into another data source, such as Infoblox, to get a quick view of their multi-sourced intelligence. The following screenshot shows the data filtered down to two sessions with an interesting DNS name: eu.minerpool.pw.
The options from the configurable deep link menu can be seen with Infoblox BloxOne Dossier being one of the options.
Once clicked, the screen showing the information in Infoblox is opened in a new tab with the information about eu.minerpool.pw.
This has given the analyst more information about the domain in question in a workflow that does not require manually opening up different tools to find the desired data.
How to Configure Contextual Deep Linking
From the main Clear NDR screen there is a link under ADMINISTRATION that is labeled “External links”. This leads to the configuration page for the deep linking functionality.
This will bring up the configuration menu where you can name the deep link action, provide the URL for the deep link, and specify which metadata categories it should appear under. By default the new deep link will be shown for all metadata.
When you select “Only show template for selected entities” you can choose one or more metadata categories that will show the deep link when right-clicked.
The deep links and the metadata that they are related to will be shown in the “External links” administration menu after they have been created.
This intuitive interface allows for easy tracking and updating of deep links that are in use.
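To make the configuration model concrete, here is an added example (not Clear NDR's own code) of the three settings described above: a link name, a URL, and an optional set of metadata categories that restrict where the link appears. The `{value}` placeholder, the category labels, and the `example.invalid` hosts are assumptions for illustration; the point a practitioner should take from it is that metadata values such as hostnames come from observed traffic and must be percent-encoded before being placed into an outbound URL.

```python
from urllib.parse import quote, urlsplit

# Constructed sample link definitions. "entities": None mirrors the default
# of showing a link with all metadata; a set mirrors "Only show template for
# selected entities". Category labels here are illustrative, not Clear NDR's.
EXTERNAL_LINKS = [
    {"name": "Infoblox BloxOne Dossier",          # placeholder URL, not the real product endpoint
     "url": "https://dossier.example.invalid/lookup?indicator={value}",
     "entities": {"hostname", "ip_address"}},
    {"name": "Internal asset inventory",
     "url": "https://cmdb.example.invalid/search?q={value}",
     "entities": None},
]


def template_is_safe(template: str) -> bool:
    """Accept only absolute http(s) templates whose host is fixed by the admin,
    so an untrusted value can never select the destination server."""
    parts = urlsplit(template)
    return (parts.scheme in ("http", "https")
            and bool(parts.netloc)
            and "{value}" not in parts.netloc)


def render_links(entity: str, value: str, links=EXTERNAL_LINKS):
    """Return (name, url) pairs to offer when `value` of category `entity`
    is right-clicked: only links enabled for that category, with the
    metadata value percent-encoded so characters like '&', '=', '/' or '#'
    in a crafted hostname cannot add parameters or paths to the request."""
    offered = []
    for link in links:
        if link["entities"] is not None and entity not in link["entities"]:
            continue
        if not template_is_safe(link["url"]):
            continue
        encoded = quote(value, safe="")
        offered.append((link["name"], link["url"].replace("{value}", encoded)))
    return offered


if __name__ == "__main__":
    # The domain from the walkthrough above, right-clicked as a hostname.
    for name, url in render_links("hostname", "eu.minerpool.pw"):
        print(f"{name}: {url}")
```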
Conclusion
Deep Linking allows for an analyst to incorporate many data sources into a coherent workflow. This reduces the amount of time that it takes to investigate an issue because all the tools needed in the workflow are readily available. Bringing security tools together allows SOC workflows to focus on the data needed to understand an incident seamlessly while still being able to use the rich feature set of individual tools. Giving analysts easy access to the data needed during an investigation allows them to get the most out of SOC investments. Clear NDR™ Contextual Deep Linking helps facilitate this seamless workflow.
To stay updated with new blog posts from Stamus Networks, make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.