Investigation: How Investigation Works

Document created by RSA Information Design and Development Employee on May 5, 2016. Last modified by Susan Ewald on May 5, 2016.
Version 5

The Investigation module provides the data analysis capabilities in Security Analytics, so that analysts can analyze data and identify possible internal or external threats to security and the IP infrastructure.

Data and Metadata for Investigation

Security Analytics audits and monitors all traffic on a network. In the RSA network, Decoders ingest, parse, and store the packets and logs traversing the network. Concentrators store the metadata that is generated by the parsers and feeds as Decoders ingest packets and logs. In the majority of environments, all queries from Investigation, Event Stream Analysis (ESA), Malware Analysis (MA), and Reporting Engine (RE) are processed on the Concentrator. The analyst's first interaction is with the metadata, and the Concentrator handles most queries, going to the Decoder only when a full reconstruction of sessions or raw logs is required. ESA, Malware Analysis, and Reporting Engine also query the Concentrator, where they can quickly get all the pertinent metadata associated with an event and generate information on it without having to go to each Decoder.

Note: While a hybrid appliance can perform the Concentrator function, a separate Concentrator appliance is required for any large environment that needs greater bandwidth or events per second (EPS). The Concentrator appliance has a storage layout that uses solid state drives for the index, which increases read performance.

Analysis Methods

Analysts can investigate captured data, open query results from other Security Analytics modules in an investigation, and import data from other collection sources. During the course of an investigation, analysts can move seamlessly between the three views in Investigation: the Navigate view, the Events view, and the Malware Analysis view.

Note: Specific user roles and permissions are required for a user to conduct investigations and malware analysis in Security Analytics. If you cannot perform an analysis task or see a view, the administrator may need to adjust the roles and permissions configured for you.

Analysts use Investigation to hunt for incidents to drive their workflow or to do strategic analysis after another tool has generated an event. In both cases, the analyst drills or pivots into the metadata to filter the number of logs and packets and see suspicious events, while focusing on certain combinations of metadata that lead to an incident.

Navigate View

The Navigate view provides the capability to drill into and query data on a Security Analytics service. Every situation is unique in terms of the types of information the analyst is attempting to find. Investigation presents the contents of captured packets or logs as a collection in the Navigate view. The defined meta keys are queried, and values are returned along with the number of sessions. Clicking on a value at any given level reveals the results in detail.

For example, if there is a concern regarding suspicious traffic with foreign countries, the Destination Country meta key reveals all destinations and the frequency of the contact. Drilling into those values yields the specifics of the traffic, such as the IP address of the originator and the recipient. Checking other metadata can expose the nature of attachments exchanged between the two IP addresses. Event reconstruction can reveal the content of any conversations.
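The drill described above, modeled as an added example that is not RSA code or product query syntax: each meta key is summarized as values with session counts, and each drill point narrows the working set before the remaining keys are recounted. The session records, key names (`dst_country`, `src_ip`, `dst_ip`, `attachment`) and function names are constructed for illustration.

```python
from collections import Counter

# Constructed session metadata (stand-in for what a Concentrator indexes).
# Key names and values are illustrative, not the product's meta keys.
SESSIONS = [
    {"id": 1, "dst_country": "Country-A", "src_ip": "192.0.2.10", "dst_ip": "198.51.100.7", "attachment": "pdf"},
    {"id": 2, "dst_country": "Country-A", "src_ip": "192.0.2.10", "dst_ip": "198.51.100.7", "attachment": "exe"},
    {"id": 3, "dst_country": "Country-A", "src_ip": "192.0.2.44", "dst_ip": "198.51.100.9"},
    {"id": 4, "dst_country": "Country-B", "src_ip": "192.0.2.10", "dst_ip": "203.0.113.5", "attachment": "pdf"},
    {"id": 5, "dst_country": "Country-C", "src_ip": "192.0.2.71", "dst_ip": "203.0.113.80"},
]

def meta_values(sessions, key):
    """Values seen for one meta key with their session counts, most frequent first."""
    counts = Counter(s[key] for s in sessions if key in s)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def drill(sessions, key, value):
    """One drill point: keep only sessions whose meta key has this value."""
    return [s for s in sessions if s.get(key) == value]

def navigate(sessions, drill_path, keys):
    """Apply drill points in order, then recount the requested meta keys."""
    for key, value in drill_path:
        sessions = drill(sessions, key, value)
    return sessions, {k: meta_values(sessions, k) for k in keys}

if __name__ == "__main__":
    # Top level: every destination country and how often it was contacted.
    print(meta_values(SESSIONS, "dst_country"))
    # Drill into one country, then one originator, and recount other keys.
    path = [("dst_country", "Country-A"), ("src_ip", "192.0.2.10")]
    remaining, summary = navigate(SESSIONS, path, ["dst_ip", "attachment"])
    print(summary)
    # Only these sessions would need full reconstruction from raw data.
    print([s["id"] for s in remaining])
```

Everything up to the last line works on metadata alone; raw packets or logs are needed only for the sessions left after the final drill point.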

Events View

The Events view provides a view of events in list form so that you can view events and reconstruct events safely. You can open the Events view for a meta value in a current drill point from the Navigate view. For analysts without sufficient privilege to navigate a service, the Events view is a standalone investigation view in which analysts can access a list of network and log events from a Security Analytics Core service without having to drill down through meta first.

The Events view presents event information in three standard forms: a simple grid listing of events, a detailed listing of events, and a log view. In addition to the standard forms, you can create a custom column group of selected meta keys, then assign the custom column group to a custom profile for viewing the events list. Once created, custom column groups and profiles are selectable from a drop-down list.

In the Events view, you can:

  • Reconstruct an event from the event list.
  • Use Investigation Profiles to tie together various Investigation settings into selectable sets, import and export Investigator meta groups, and import and export Investigator column groups.
  • Export events and associated files.

Malware Analysis View

The Malware Analysis view provides a means to analyze certain types of file objects (for example, Windows PE, PDF, and MS Office) to assess the likelihood that a file is malicious. The malware analyst can leverage the multilevel scoring modules to prioritize the massive number of files captured in order to focus analysis efforts on the files that are most likely to be malicious.

