The ArcSight Investigate 2.20 release is all about empowering SOC analysts of all expertise levels to work more efficiently, expose overlooked indicators of compromise, and respond to threats more easily and faster. The two primary features added in this release are DNS Analytics and integrations with Security Orchestration, Automation and Response (SOAR) platforms.
When it comes to inspecting DNS data, too often it simply doesn't happen, because it is hard to extract value from the massive volume of data involved. To address this challenge, DNS Analytics in Investigate 2.20 gives you pre-built dashboards and visualizations designed specifically to drive your hunting and analysis of DNS data. It applies Forbidden Trigram Analysis to the data stream at collection time to quickly identify hosts that have been resolving domains that were likely produced by a domain generation algorithm (DGA). Such lookups are a strong indicator that a host is compromised: malware that uses a DGA queries many pseudo-random domain names to locate its command-and-control server, and the character combinations in those names rarely or never occur in legitimately registered domains. This capability makes it easier and faster to find compromised hosts and bad actors that often go undetected within DNS data sets, and the drilldown visuals give quick insight into that activity.
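To make the technique concrete, here is an added example (editor's code, not ArcSight's implementation) of forbidden-trigram scoring run over a few constructed DNS query log lines. The benign corpus, the 0.5 forbidden-ratio threshold, the three-distinct-domains-per-host threshold, the naive second-level-label extraction and the log line format are all assumptions chosen so the example runs offline.

```python
"""Toy forbidden-trigram DGA detector run over constructed DNS query log lines.

Added example by the editor; it is not ArcSight's implementation, and the
corpus, thresholds and log format below are assumptions.
"""
from collections import defaultdict

# Constructed benign corpus of second-level labels. Assumption: a real
# deployment trains on a large list of known-good domains (e.g. a top-sites
# list); this tiny list exists only so the example runs stand-alone.
BENIGN_CORPUS = """
google youtube facebook wikipedia amazon twitter instagram microsoft
netflix reddit linkedin apple office github stackoverflow cloudflare
akamai mozilla adobe dropbox salesforce oracle yahoo bing zoom slack
spotify paypal ebay walmart samsung intel nvidia cisco vmware ibm
""".split()


def trigrams(label):
    """All overlapping 3-character substrings of a label, lower-cased."""
    label = label.lower()
    return [label[i:i + 3] for i in range(len(label) - 2)]


def build_allowed_trigrams(corpus):
    """Every trigram that occurs at least once in the benign corpus."""
    allowed = set()
    for word in corpus:
        allowed.update(trigrams(word))
    return allowed


ALLOWED = build_allowed_trigrams(BENIGN_CORPUS)


def forbidden_ratio(label):
    """Fraction of a label's trigrams never seen in the benign corpus.

    Algorithmically generated names are built from pseudo-random characters,
    so most of their trigrams are 'forbidden'; human-chosen names reuse the
    same pronounceable fragments and score near zero.
    """
    grams = trigrams(label)
    if not grams:
        return 0.0
    return sum(1 for g in grams if g not in ALLOWED) / len(grams)


def registrable_label(qname):
    """Second-level label of a query name (naive: assumes a one-label TLD).

    Assumption: production code would consult the Public Suffix List so that
    names such as example.co.uk are split correctly.
    """
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_line(line):
    """Parse the constructed log format: '<timestamp> <client> <qname> <qtype>'."""
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def find_suspect_hosts(log_text, ratio_threshold=0.5, min_suspicious_domains=3):
    """Return {client: [suspicious labels]} for clients that resolved at least
    min_suspicious_domains distinct DGA-looking names (both thresholds assumed)."""
    suspicious = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        label = registrable_label(rec["qname"])
        if forbidden_ratio(label) >= ratio_threshold:
            suspicious[rec["client"]].add(label)
    return {client: sorted(labels) for client, labels in suspicious.items()
            if len(labels) >= min_suspicious_domains}


# Constructed DNS query log: 10.0.0.9 mixes normal lookups with three
# random-looking domains of the kind a DGA produces.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.google.com A
2024-05-01T10:00:02Z 10.0.0.5 github.com A
2024-05-01T10:00:03Z 10.0.0.9 xkqzvbwjtrpl.net A
2024-05-01T10:00:04Z 10.0.0.9 qvjhwmxzkprt.com A
2024-05-01T10:00:05Z 10.0.0.9 zxwqkjvbhntm.org A
2024-05-01T10:00:06Z 10.0.0.9 www.microsoft.com A
2024-05-01T10:00:07Z 10.0.0.7 mail.yahoo.com MX
"""

if __name__ == "__main__":
    for client, labels in find_suspect_hosts(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(labels)} DGA-looking domains -> {', '.join(labels)}")
```

Two things the example makes visible that the paragraph does not. First, the corpus size governs the false-positive rate: a legitimate name absent from this tiny corpus, such as "cloudfront", scores 0.5 because half of its trigrams were never seen, so a real deployment needs a large training list and a tuned threshold. Second, the per-host count of distinct suspicious domains, not a single odd name, is what separates a DGA beacon from a one-off typo, which is why the detection is keyed on the client rather than on individual queries.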
Another new feature in Investigate 2.20, designed to make response easier, more efficient and faster for SOC analysts, is integration with leading SOAR platforms, including Siemplify, Demisto, and Micro Focus Operations Orchestration. SOAR solutions already automate and expedite the response to discovered threats with prebuilt playbooks and scripts; this integration lets you trigger that response directly from within Investigate.
For example, when you discover a threat using Investigate, a simple right-click brings up a list of responses that the SOAR platform can execute for remediation: shut down a machine, change a firewall configuration to block traffic, gather additional intelligence, or run a predefined script. Whatever the response, the analyst executes it without leaving the Investigate interface, without holding administrator privileges on the affected systems (the SOAR platform performs the action under its own access), and without script development expertise. Because those actions carry real remediation authority, the Investigate-to-SOAR link is itself something to lock down with role-based access. SOAR integration in Investigate shields both novice and experienced analysts from the complexities of remediation, enabling them to respond with greater ease, efficiency, and speed.