
Triage Actions and Applicability

Questions addressed in this article:

  • What are the different types of Triage Actions?
  • When should an Analyst use each one, and why? 

When a Security Analyst reviews a detection and determines it is benign, the detection can be triaged in one of four ways:

  • Create Custom Filter
  • Create Whitelist Filter
  • Mark as Custom
  • Mark as Fixed

Each of these is explained below.

Create Custom Filter

The ‘Create Custom Filter’ action is recommended when the analyst determines the reported behavior is benign and should no longer be scored, but still wants to see the report of this behavior in the UI. The filter also applies automatically to new occurrences of the detection that match the defined conditions. An example of a ‘Custom Filter’ looks like this:

[Image: mceclip0.png (example Custom Filter)]

Once a detection is triaged by a ‘Custom Filter’, the detection no longer displays a score as shown below. In addition, the detection is renamed based on the name the Analyst designated. The original detection name is displayed on the left side of the page.

[Image: mceclip1.png (detection triaged by a Custom Filter, no score displayed)]

Manage/Triage Filters

All Triage Filters can be managed (edited or deleted) on the Manage > Triage Filters page of the UI. When deleting a Triage Filter, the Analyst has the two options shown below:

[Image: mceclip2.png (delete Triage Filter options)]

Create Whitelist Filter

This action is recommended when the analyst determines the reported behavior is benign and does not want to see any further report of this behavior. When applying a Whitelist, the Analyst has the option to apply conditions to make the whitelist criteria as broad or as specific as desired. The Threat and Certainty scores for all detections that meet the Whitelist criteria are removed when the Whitelist is applied.

Example of a Whitelist Filter:

[Image: mceclip3.png (example Whitelist Filter)]

When a detection is whitelisted, it will no longer appear in the UI.

General recommendation: whitelisting is not recommended

In general, Vectra recommends Analysts use Create Custom Filter rather than Create Whitelist Filter.

Mark as Custom

Mark as Custom is recommended when the analyst determines that this single instance of the reported behavior/detection is benign and should no longer be scored, but still wants to see the report of this behavior in the UI. Future matches for the original detection model in scope will be reported as new detections and will not be automatically marked as Custom.

‘Mark as Custom’ workflow:

[Image: mceclip4.png (Mark as Custom workflow)]

Once a detection is triaged by a ‘Mark as Custom’ action, the detection score remains in the detection view for reference, but it is greyed out and a ‘Triaged’ identifier is displayed. The overall host score and detection profile will NOT be influenced by the score shown for Custom-marked detections. In addition, the detection is renamed based on the name the analyst designated. The original detection name is displayed on the left side of the page.

Result of the Action:

[Image: mceclip5.png (detection view after Mark as Custom)]

The host page will continue to display the detection with a “Custom” checkmark indicator, but will show ‘—’ for the Threat and Certainty scores. An example is shown below.

[Image: mceclip6.png (host page showing a Custom-marked detection)]

Incorrectly applied ‘Mark as Custom’ actions can still be undone using the ‘Triage (Applied)’ menu inside the detection. Select ‘Restore to Original Detection’ to restore the detection to its original state, as shown below:

[Image: mceclip7.png (Restore to Original Detection option)]

Mark as Fixed 

This action is recommended when the Analyst has taken action to rectify the issue that caused the detection. When the detection is marked as fixed, the detection score remains in the detection view for reference, but it is greyed out and a ‘Fixed’ identifier is displayed. An example is shown below.

[Image: mceclip0.png (detection view after Mark as Fixed)]

The host page will also continue to display the detection with a “Fixed” checkmark indicator. The overall host score will NOT be influenced by the score shown for fixed detections. An example is shown below.

[Image: mceclip1.png (host page showing a Fixed detection)]

Incorrectly applied ‘Mark as Fixed’ actions can still be undone using the ‘Triage (Applied)’ menu inside the detection. Select ‘Unmark as Fixed’ to restore the detection to its original state.

[Image: mceclip2.png (Unmark as Fixed option)]

Hosts with overall Threat and Certainty scores of 0

Hosts with overall Threat and Certainty scores of 0 are considered Inactive and will only show up on the main Hosts page if the Analyst performs a search for Inactive Hosts. An example is shown below.

[Image: mceclip3.png (search for Inactive Hosts)]
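To make the differences between the four actions concrete, here is an added model (not Vectra code, and not the product's data format) of how each action affects a detection's visibility and scoring and, in turn, which hosts end up at 0/0 and therefore Inactive. The detection names, host names, score values and the "highest counted detection" aggregation for host scores are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# The four triage actions from the article. Filters are persistent rules;
# marks apply to one detection instance only.
FILTER = "custom_filter"    # unscored, still visible, renamed, matches future occurrences
WHITELIST = "whitelist"     # unscored and hidden from the UI, matches future occurrences
MARK_CUSTOM = "mark_custom" # this instance only: score greyed out, not counted for the host
MARK_FIXED = "mark_fixed"   # this instance only: score greyed out, not counted for the host

@dataclass
class Detection:
    det_id: int
    host: str
    model: str                      # original detection name (constructed)
    threat: int
    certainty: int
    triage: Optional[str] = None
    display_name: Optional[str] = None

@dataclass
class TriageRule:
    kind: str                       # FILTER or WHITELIST
    model: str                      # detection model the rule matches
    hosts: frozenset                # rule condition: hosts it applies to (assumption)
    name: str = ""                  # analyst-chosen name for a Custom Filter

def apply_rules(det: Detection, rules: list) -> Detection:
    """Persistent rules match new occurrences automatically; marks never do."""
    for r in rules:
        if r.model == det.model and det.host in r.hosts:
            det.triage = r.kind
            det.display_name = r.name if r.kind == FILTER else None
            break
    return det

def mark(det: Detection, kind: str, name: str = "") -> Detection:
    """One-off action on a single detection instance (Mark as Custom / Fixed)."""
    det.triage = kind
    det.display_name = name or None
    return det

def visible(det: Detection) -> bool:
    return det.triage != WHITELIST          # only whitelisted detections disappear

def scored(det: Detection) -> bool:
    return det.triage is None               # any triage action removes the score

def host_scores(detections: list) -> dict:
    """Host T/C from its highest counted detection (assumed aggregation); 0/0 = Inactive."""
    scores = {}
    for d in detections:
        t, c = scores.get(d.host, (0, 0))
        if scored(d):
            t, c = max(t, d.threat), max(c, d.certainty)
        scores[d.host] = (t, c)
    return scores

def inactive_hosts(detections: list) -> list:
    return sorted(h for h, s in host_scores(detections).items() if s == (0, 0))
```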

Note

More detailed information can also be found in this article:

https://support.vectranetworks.com/hc/en-us/articles/360000753994-Using-Cognito-Triage-UPDATED-
