Investigation: Malware Analysis View

Document created by RSA Information Design and Development on Jul 28, 2016
Version 1

Within Security Analytics Investigation, the Malware Analysis view provides the user interface for conducting a malware analysis. The Malware Analysis view is a customizable dashboard: the default dashlets in the initial view depend on the user role (Administration or Analyst) and on user customizations. Initially, the Summary of Events dashlet is displayed in the Malware Analysis view. Additional dashlets present different visualizations of the events being viewed, and each visualization is configurable so you can further refine your view as you search for Indicators of Compromise. The Malware Analysis dashlets available in the Security Analytics Dashboard are also available in the Malware Analysis view.

To access this view:

  1. In the Security Analytics menu, select Investigation > Malware Analysis.
    If a default service has not been selected, the Select a Malware Analysis Service dialog is displayed.
  2. Select a service, then click View Continuous Mode.
    The Malware Analysis view is displayed.

[Screenshot: Malware Analysis view (MwSumVw.png)]

Features

The Malware Analysis view consists of the Summary of Events panel and four dashlets unique to this view. Each of the unique dashlets has an identical Options dialog. The Malware Analysis dashlets from the Security Analytics dashboard are also available here, and are described in Dashlets in the Getting Started with Security Analytics guide.

Summary of Events Panel

In the Summary of Events panel, you can select the service, the scan mode, and the time range. In addition, you can select a data point and view the events associated with that data point.

The following table describes all features in the Summary of Events panel.

Parameter: Description

Service icon (ServIcon.png): Selects a service to display.
Scan Mode: Displays a drop-down list of available scan modes.
Time Range: Displays a drop-down list of time ranges to view events.
Start Date: When Time Range is set to custom, offers a calendar from which to choose the start date of the time range.
End Date: When Time Range is set to custom, offers a calendar from which to choose the end date of the time range.
Add icon: Displays a drop-down list of dashlets you can add to the view.
Actions button (actions_button.png): Displays a drop-down list of actions you can perform in this view:
  • Restore Default Configuration
  • Order Dashlets
  • Apply Threshold Filter
Refresh icon (Refresh_Icon.png): Refreshes the Malware Analysis view.

Options Dialog

In the Options dialog, you can customize the results displayed in the dashlet. This dialog can be accessed by clicking the properties icon in the top right corner of each dashlet. The following table describes the features of the Options dialog.

Parameter: Description

Title: Indicates whether the data shown is restricted to events flagged as high confidence or not. If the data is not restricted, this line is not displayed.
Influenced By High Confidence Only: Indicates whether the data shown is restricted to events flagged as high confidence.
Static, Network, Community, Sandbox: Allows you to filter results based on the scores in the scoring modules.
Cancel: Closes the dialog without saving any changes.
Apply: Applies changes to the dashlet immediately and closes the dialog.

Meta Breakdowns

Meta Breakdowns presents events in the form of a pie chart, with each slice representing a meta value for the specified meta key. You can select the meta key and the number of meta values for that key to render in the chart, starting with the meta value having the most events. Hovering over a slice displays its event count.

[Screenshot: Meta Breakdowns dashlet (MWAMetaBD.png)]

The following table describes the options in the Meta Breakdowns dashlet.

Parameter: Description

High Confidence Only: Indicates whether the data shown is restricted to events flagged as high confidence or not. If the data is not restricted, this line is not displayed.
Meta Key: Drop-down list of available meta keys.
Count: Drop-down list specifying how many of the top results are displayed.

Meta Treemap

Meta Treemap presents events in the form of a heat map. You can select the meta key and the number of meta values for that key to render in the chart, starting with the meta values having the most events. In addition, you can select the module that detected the meta value in the events: static, network, community, or sandbox.

[Screenshot: Meta Treemap dashlet (MWAMetaTM.png)]

The following table describes the options in the Meta Treemap dashlet.

Parameter: Description

High Confidence Only: Indicates whether or not the results are restricted to events flagged as high confidence. If the results are not restricted, this line is not displayed.
Meta Key: Drop-down list of available meta keys to select as a filter.
Count: Drop-down list specifying how many of the top results are displayed.
Module: Drop-down list specifying which module results will be pulled from.
Value: Drop-down list specifying what information is displayed when the mouse hovers over a result (for example, Average Score).
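To make the Meta Breakdowns and Meta Treemap filters concrete, the following added example (not RSA code, and not tied to any Security Analytics API) reproduces their aggregation over a small set of constructed events: High Confidence Only, a minimum score per scoring module, top-N meta values for a chosen meta key, and the per-module average score shown on hover. The event record layout, the module names as dictionary keys and the minimum-score interpretation of the Static/Network/Community/Sandbox filters are assumptions for illustration.

```python
from collections import Counter

# Constructed sample events (illustrative only, not real Malware Analysis output).
# Each carries a high-confidence flag, one score per scoring module and meta values.
EVENTS = [
    {"high_confidence": True,  "scores": {"static": 85, "network": 20, "community": 0,  "sandbox": 90},
     "meta": {"filename": "invoice.exe", "ip.dst": "203.0.113.5"}},
    {"high_confidence": False, "scores": {"static": 40, "network": 60, "community": 10, "sandbox": 0},
     "meta": {"filename": "invoice.exe", "ip.dst": "203.0.113.9"}},
    {"high_confidence": True,  "scores": {"static": 10, "network": 95, "community": 70, "sandbox": 30},
     "meta": {"filename": "report.pdf", "ip.dst": "203.0.113.5"}},
    {"high_confidence": True,  "scores": {"static": 5,  "network": 0,  "community": 0,  "sandbox": 0},
     "meta": {"filename": "setup.msi", "ip.dst": "198.51.100.2"}},
    {"high_confidence": True,  "scores": {"static": 60, "network": 80, "community": 20, "sandbox": 50},
     "meta": {"filename": "invoice.exe", "ip.dst": "203.0.113.5"}},
]


def filter_events(events, high_confidence_only=False, min_scores=None):
    """Apply the Options-dialog filters: High Confidence Only, plus a minimum
    score per scoring module (assumed semantics; min_scores maps module -> threshold)."""
    min_scores = min_scores or {}
    kept = []
    for ev in events:
        if high_confidence_only and not ev["high_confidence"]:
            continue
        if any(ev["scores"].get(mod, 0) < threshold for mod, threshold in min_scores.items()):
            continue
        kept.append(ev)
    return kept


def meta_breakdown(events, meta_key, count):
    """Meta Breakdowns: the top `count` values of `meta_key`, most events first."""
    tally = Counter(ev["meta"][meta_key] for ev in events if meta_key in ev["meta"])
    return tally.most_common(count)


def meta_treemap(events, meta_key, count, module):
    """Meta Treemap: top `count` values with (count, average score from `module`)."""
    tally, total = Counter(), Counter()
    for ev in events:
        value = ev["meta"].get(meta_key)
        if value is None:
            continue
        tally[value] += 1
        total[value] += ev["scores"].get(module, 0)
    return [(v, n, total[v] / n) for v, n in tally.most_common(count)]


if __name__ == "__main__":
    high_conf = filter_events(EVENTS, high_confidence_only=True)
    print(meta_breakdown(high_conf, "filename", 2))       # [('invoice.exe', 2), ('report.pdf', 1)]
    print(meta_treemap(high_conf, "ip.dst", 3, "network"))  # [('203.0.113.5', 3, 65.0), ('198.51.100.2', 1, 0.0)]
```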

Score Wheel

The Score Wheel offers a view of events as concentric rings with colors representing scores for events based on Indicators of Compromise and the scoring module. You can arrange the position of the rings using the Up and Down arrows to obtain a view that highlights events that were detected by one scoring module (red) and not detected by other scoring modules.

[Screenshot: Score Wheel dashlet (MWAScrWhl.png)]

The following table describes the features of the Score Wheel dashlet.

Parameter: Description

High Confidence Only: Indicates whether or not the results are restricted to events flagged as high confidence. If the results are not restricted, this line is not displayed.
Module Order grid: Displays the order of the rings in the Score Wheel, Ring 1 being the innermost ring and Ring 4 the outermost. You can click the Up and Down buttons to reorder the modules, then click Update to apply the changes.

Event Timeline

The Event Timeline offers a view of events organized by the time of occurrence in a bar graph. Clicking and dragging to select a time range within the chart zooms in on the selected time.

[Screenshot: Event Timeline dashlet (MWAEvTL.png)]

The following table describes the features of the Event Timeline dashlet.

Parameter: Description

High Confidence Only: Indicates whether or not the results are restricted to events flagged as high confidence. If the results are not restricted, this line is not displayed.
View Events: Displays the Investigation > Events view.