
ArcSight Investigate 2.20 – What’s New – DNS Analytics and SOAR Integration

tammy.torbert@h1 Honored Contributor.

ArcSight Investigate 2.20 release is all about empowering SOC analysts of all expertise levels to elevate their efficiency, expose overlooked indicators of compromise, and respond easier and faster to threats. The two primary features added in this release are DNS Analytics and Security Orchestration and Incident Response (SOAR) integrations.

DNS data too often goes uninspected, simply because it is hard to extract value from the massive volumes involved. To address this challenge, DNS Analytics in Investigate 2.20 gives you pre-built dashboards and visualizations designed specifically to drive your hunt and analysis efforts on DNS data. It applies Forbidden Trigram Analysis to the data stream at time of collection to quickly detect hosts that have been communicating with domains that were likely algorithm generated. Because such communications indicate that a host has likely been compromised, this capability makes it easier and faster to find compromised hosts and bad actors that often go undetected within DNS data sets, and its drilldown visuals give you quick insight into that activity.
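The following is an added example illustrating the general idea behind trigram-based detection of algorithmically generated domains; it is not ArcSight Investigate's implementation, and the benign domain corpus, the DNS log format, the public-suffix set and the score threshold are all constructed here for the demonstration. Trigrams that never appear in the registrable labels of a benign corpus are treated as "forbidden", and a query is flagged when most of its label's trigrams are forbidden. With a corpus this small, a legitimate but previously unseen domain would also score high, so a real deployment needs a large corpus plus an allow-list; the example keeps a minimum label length so a handful of trigrams is not treated as evidence on its own.

```python
import re
from collections import defaultdict

# Constructed benign corpus: a stand-in for the large set of legitimate
# domain names a production system would learn trigrams from (assumption).
BENIGN_DOMAINS = [
    "google.com", "microsoft.com", "example.org", "wikipedia.org",
    "github.com", "amazon.com", "facebook.com", "netflix.com",
    "cloudflare.com", "mozilla.org", "apple.com", "twitter.com",
    "linkedin.com", "stackoverflow.com", "youtube.com", "reddit.com",
    "salesforce.com", "dropbox.com", "adobe.com", "oracle.com",
]

# Constructed, tiny public-suffix set; a real system would use the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def registrable_label(fqdn):
    """Label directly below the public suffix: 'mail.google.com' -> 'google',
    'www.bbc.co.uk' -> 'bbc' (assumes the constructed suffix set above)."""
    parts = fqdn.lower().rstrip(".").split(".")
    for n in (2, 1):  # try the longer suffix first so 'co.uk' wins over 'uk'
        if len(parts) > n and ".".join(parts[-n:]) in PUBLIC_SUFFIXES:
            return parts[-n - 1]
    return parts[-2] if len(parts) >= 2 else parts[0]


def trigrams(label):
    """Set of 3-character substrings of the label."""
    return {label[i:i + 3] for i in range(len(label) - 2)}


def build_allowed_trigrams(domains):
    """Union of all trigrams seen in the benign corpus's registrable labels."""
    allowed = set()
    for d in domains:
        allowed |= trigrams(registrable_label(d))
    return allowed


def forbidden_score(label, allowed):
    """Fraction of the label's trigrams never seen in the benign corpus:
    0.0 means every trigram is familiar, 1.0 means none of them is."""
    grams = trigrams(label)
    if not grams:
        return 0.0
    return sum(1 for g in grams if g not in allowed) / len(grams)


# Constructed log format: "<timestamp> <client-ip> query <qtype> <qname>"
LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")


def flag_hosts(log_lines, allowed, threshold=0.6, min_len=8):
    """Return {client_ip: [suspicious query names]} for queries whose
    registrable label scores at or above the threshold. min_len skips short
    labels, where a few trigrams are too little evidence (assumption)."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the constructed format; ignore
        _ts, client, _qtype, qname = m.groups()
        label = registrable_label(qname)
        if len(label) >= min_len and forbidden_score(label, allowed) >= threshold:
            hits[client].append(qname.rstrip("."))
    return dict(hits)


ALLOWED = build_allowed_trigrams(BENIGN_DOMAINS)

# Constructed DNS query log lines for the demonstration.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z 10.0.0.5 query A mail.google.com",
    "2024-03-01T10:00:02Z 10.0.0.5 query A xq7vkz2pmf.com",
    "2024-03-01T10:00:03Z 10.0.0.6 query A googlemail.com",
    "2024-03-01T10:00:04Z 10.0.0.6 query A www.bbc.co.uk",
    "2024-03-01T10:00:05Z 10.0.0.7 query A updates.microsoft.com",
    "2024-03-01T10:00:06Z 10.0.0.7 query AAAA k3jd9qz1lr7b.net",
]

if __name__ == "__main__":
    for host, domains in flag_hosts(SAMPLE_LOG, ALLOWED).items():
        print(host, "->", ", ".join(domains))
```

Note how `googlemail.com` scores 0.5 (half its trigrams come from `google`) and stays below the threshold, while `bbc` scores 1.0 but is skipped for being too short; both are the kind of boundary case worth checking before tuning the threshold on real traffic.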

Another new feature in Investigate 2.20, designed to make response easier, more efficient, and faster for SOC analysts, is the integration with leading SOAR platforms, including Siemplify, Demisto, and Micro Focus Operations Orchestration. SOAR solutions already automate and expedite your response to discovered threats with prebuilt playbooks and scripts; this integration lets you trigger that response right from within Investigate.

For example, when you discover a threat in Investigate, a simple right-click brings up a list of potential responses that the SOAR platform can execute for remediation. That might be shutting down a machine, changing a firewall configuration to block traffic, gathering additional intelligence, or executing a predefined script. Whatever the response, your analyst can execute it without leaving the Investigate interface, without administrator privileges on the compromised systems, and without script development expertise. SOAR integration in Investigate shields both novice and sophisticated analysts from the complexities of remediation, enabling them to respond with greater ease, efficiency, and speed.

To experience how Investigate can enhance your hunt analysis and response, contact your Micro Focus sales rep or visit our ArcSight Investigate website for a demo.
