Challenge: Numerous security tools and the complex investigation process
Most organizations have more than a dozen security tools, and a typical incident investigation involves analysts consulting each of these tools for relevant security data. Operating in these tools' consoles requires multiple browser tabs, separate credentials for each tool and familiarity with each interface. This creates challenges for analysts, who spend a lot of time copying and pasting data and documenting their findings.
DBot: The force multiplier for your analyst
DBot is an additional member of your security operations team. DBot can execute commands on behalf of all analysts across all the integrated products and automatically document the commands' results. These commands are run from within the war room using ChatOps (chat-based command execution). In addition, DBot can automatically detect artifacts such as IP addresses, file hashes, URLs, email addresses, registry keys and other regular-expression matches, and enrich them automatically.
Powerful search for past artifacts
During an investigation, the analyst often wants to know whether an artifact has appeared in other incidents. Demisto Enterprise indexes all automation results, collaboration comments, notes and investigation artifacts to provide a powerful search for the analyst. The free-form search lets analysts pivot and investigate faster. The search query syntax offers a powerful way to refine results across the different objects in Demisto, such as indicators, investigation data, notes and all other incident metadata.
DBot: Always learning from the experts
As analysts progress through investigations, DBot learns from all the investigation commands run and the data collected. The data collected is high-fidelity data, because it reflects a real intent and action by an analyst. All these high-fidelity signals are used by the "Demisto Insights" feature to help the analyst in return. DBot suggests the best user to assign the incident to, the experts for different types of incidents, and the most common commands run to resolve such an incident.
Cross correlate indicators across incidents
Often, different members of the security operations team are investigating similar or identical incidents that occur in different parts of the organization. These incidents share common indicators, but these are not easy to spot using a traditional SIEM and other tools. Demisto indexes and cross-correlates all the indicators across incidents and helps with auto-correlation of related incidents.
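To show how the two capabilities above fit together, here is an added example (not Demisto's own code) that extracts the artifact types listed in the DBot section from free-form war-room notes with regular expressions, builds an inverted index of indicator to incident, and uses it to surface incidents that share indicators. The regexes, the incident ids and the notes are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed patterns for the artifact types the page lists; these are not
# Demisto's own extraction rules, just plausible regexes for the example.
PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>,]+"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "registry": re.compile(r"\bHK(?:LM|CU|CR|U|CC)\\[^\s\"']+"),
}
CASE_INSENSITIVE = {"md5", "sha256", "email"}  # so an upper-case hash still correlates

def extract_indicators(text):
    """Return the set of (type, value) artifacts found in free-form analyst text."""
    found = set()
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(0)
            found.add((kind, value.lower() if kind in CASE_INSENSITIVE else value))
    return found

def build_index(incidents):
    """Inverted index: indicator -> ids of every incident whose notes mention it."""
    index = defaultdict(set)
    for inc_id, notes in incidents.items():
        for indicator in extract_indicators(notes):
            index[indicator].add(inc_id)
    return index

def related_incidents(index, inc_id):
    """Other incidents sharing at least one indicator with inc_id -> shared indicators."""
    shared = defaultdict(set)
    for indicator, ids in index.items():
        if inc_id in ids:
            for other in ids - {inc_id}:
                shared[other].add(indicator)
    return dict(shared)

# Constructed war-room notes for three incidents (sample data, not real IoCs).
INCIDENTS = {
    "INC-1": "Phish from bad.actor@example.net linking to http://example.net/login.php, "
             "attachment md5 d41d8cd98f00b204e9800998ecf8427e",
    "INC-2": "Beacon to 203.0.113.5; dropper md5 D41D8CD98F00B204E9800998ECF8427E "
             "persists via HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
    "INC-3": "User reported mail from bad.actor@example.net, attachment not opened",
}

if __name__ == "__main__":
    for other, hits in related_incidents(build_index(INCIDENTS), "INC-1").items():
        print(other, sorted(hits))
```

Running it links INC-1 to INC-2 through the shared MD5 (despite the differing case) and to INC-3 through the sender address, which is the kind of cross-incident correlation a SIEM alert stream alone does not surface.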