Capture Client 3.7: Rapid Threat Hunting with Deep Visibility and Storylines
As a threat hunter, your main mission is to understand the behavior of your endpoints and to capture abnormal behavior with rapid mitigation actions. You need the ability to, with a single click, search your fleet for indicators such as those mapped by the MITRE ATT&CK framework. You also need the ability to automate threat hunts for known attacks according to your own criteria.
With SonicWall Capture Client’s new Storylines capability, you can do all this and more, faster than ever before. Let’s take a look.
What is a Storyline?
Capture Client’s Deep Visibility offers rapid threat hunting capabilities thanks to SentinelOne’s patented Storylines technology. Each autonomous agent builds a model of its endpoint infrastructure and real-time running behavior.
The Storyline ID is an ID given to a group of related events in this model. When you find an abnormal event that seems relevant, use the Storyline ID to quickly find all related processes, files, threads, events and other data with a single query.
With Storylines, Deep Visibility returns full, contextualized data — including context, relationships and activities — allowing you to swiftly understand the root cause behind a threat with one search.
The Storylines are continuously updated in real time as new telemetry data is ingested, providing a full picture of activity on an endpoint over time. This allows greater visibility, enables easy threat hunting and saves time.
Deep Visibility Comes with Ease of Use
Threat hunting in the Management console’s graphical user interface is powerful and intuitive. The Deep Visibility query language is based on a user-friendly SQL subset common on many other tools.
The interface assists in building the correct syntax by providing completion suggestions and a one-click command palette. This saves time and spares threat hunters — even those unfamiliar with the syntax — the pain of remembering how to construct queries.
A visual indicator shows whether the syntax is valid or not, eliminating time spent waiting for a bad query to return an error.
For example, users can search for a common “Living off the Land” technique by running a query across a 12-month period to return every process that added a net user:
(We also provide a great cheatsheet to rapidly power up your team’s threat hunting capabilities here.)
Use Case: Responding to Incidents
Suppose you’ve seen a report of a new Indicator of Compromise (IOC) in your threat intel feeds. Has your organization been exposed to it? With Storylines, you can quickly find out with a simple query across your environment. Here’s how:
In the Console’s Forensics view, copy the hash of the detection. In the Visibility view, begin typing in the query search field and select the appropriate hash algorithm from the command palette. Select or type =, then paste the hash to complete the query.
The results will show all endpoints that ever had the file installed. Constructing powerful, threat hunting queries is that simple, even for members of your team with little to no experience with SQL-style syntax.
Deep Visibility = Fast Results
Forget about using query time to grab a cup of coffee: Deep Visibility returns results lightning fast. And thanks to its Streaming mode, you can preview the results of subqueries before the complete query is done.
Deep Visibility query results show detailed information from all your endpoints, displaying attributes like path, Process ID, True Context ID and much more.
With Deep Visibility, you can consume the data earlier, filter the data more easily, pivot for new drill-down queries, and understand the overall story much more quickly than with other EDR products.
Quicker Query of MITRE Behavioral Indicators
Deep Visibility makes hunting for MITRE ATT&CK TTPs fast and painless. It’s as easy as entering the MITRE ID.
For example, you could search your entire fleet for any process or event with behavioral characteristics of process injection with one simple query:
IndicatorDescription Contains “T1055”
There’s no need to form separate queries for different platforms. With Deep Visibility, a single query will return results from all your endpoints regardless of whether they are running Windows, Linux or macOS.
Stay Ahead with Automated Hunts
Deep Visibility is designed to lighten the load on your team in every way, including giving you tools such as Watchlist, which allows you to set up and run custom threat hunting searches on your own schedule.
Creating a Watchlist is simplicity itself. In the Visibility view of the Management console, run your query. Then, click “Save new set,” choose a name for the Watchlist, and choose who should be notified. That’s it. The threat hunt will run across your environment at the specified timing interval and the recipients will receive alerts of all results.
With Storyline Automated Response (STAR) Custom Rules, you can save Deep Visibility queries or define new ones, let the queries run periodically and get notifications when a query returns results. This helps ensure your organization is secure regardless of whether you or your team are on duty.
Deep Insight at Every Level
Deep Visibility is built for granularity, allowing you to drill down on any piece of information from a query result.
Each column shows an alphabetical, filterable list of the matching items. Expanding the cell displays details; for most of these details, you can open a submenu and drill down even further. Or just use the selected details to run a new query.
Conclusion
As detailed in the 2022 SonicWall Cyber Threat Report, attacks of all types are on the rise. So it’s never been more important to proactively hunt for threats and find suspicious behaviors in its early stages — or to ensure your SOC has the tools to be as agile and efficient as possible.
SentinelOne’s Deep Visibility capabilities are available with Capture Client Premier. Click here for a free trial of Capture Client to see how Deep Visibility’s ease of use, speed and context can greatly improve your mean-time-to-detection and free up your analysts’ time.