Threat Center
@ Exabeam
Audience
7 users from 5 different organizations were part of this research activity. Their levels of expertise differed and some wore the hats of engineers and analysts.
Main Findings
Case List
All users would select a case of interest based on Risk and Age. Specifically, they would select the oldest, highest-risk case, but could not use the sorting mechanisms to reflect that preference.
Most of the users would mainly live in cases and would not go to alerts unless they had time to threat hunt. One user who took a bit of time to look at the alerts list mentioned that the items he was seeing in alerts were items he should care about and would need to look at immediately (Axis Capital, Timestamp 49:30).
Case Details / Threat Timeline
5 out of the 7 users wanted to collapse or condense the Threat Timeline to get a better overview of risk scores for each detection and to help with scannability. They liked that they could see the fields on the left, but for cases with dozens of detections, it was hard for users to see where the riskiest detection occurred and they wanted to be able to sort detections by risk score as opposed to sequentially.
Being able to quickly identify what rules are associated with detections and being able to pivot were important to users. One user mentioned moving the triggered rules to the left-hand side of the detection panel, while another mentioned moving the rule name under the type of detection (AA, CR). The rule names being placed on the right-hand side were not immediately noticeable.
All users that clicked on “Open AI Analyzer” were pleasantly surprised by the initial overview it provided along with the responses to the user-prompted follow-up questions. Users said: “This is way more interesting than I was expecting.” “I can use it just to quickly summarize what I'm looking at rather than having to scroll through would be really exciting.” “This is exactly what I’m doing in my head.”
Users expected to be able to hit Enter on the keyboard to send their question to the analyzer, but realized they needed to click “Send”.
Being able to customize stages and queues based on differing organizational needs was mentioned by 5/7 users. Additionally, all mentioned that they wanted the ability to add a “Closed Reason” when a case was closed as that is required as part of their case management flow.
The left side information is initially ignored by users at the start of their investigation process. 2/7 users didn’t discover how to change case stages right away. One user clicked Actions to see if they could change the stage there. One user had a lot of entries for endpoints and didn’t realize there was other information below endpoints (use cases, MITRE, etc.).
Data Insights is still not available to customers in the Threat Timeline, so we were unable to get feedback on that feature.
Other Findings
ASB Bank wants to be able to stop correlation rules from becoming cases before they can use it.
APIs are crucial for partners to adopt.
Case List
Some users mentioned wanting the ability to hover over the numbers in the case list view and see the rules associated with them, similar to how they can hover over the numbers in AA.
Users wanted to be able to customize columns shown in case list view.
Cases with high risk scores tended to be repeated detections which inflated the score. One user was looking at a threat timeline that had 100+ detections and wanted the ability to sort and see which detection had the highest risk score.
Bulk actions (change stage, queue, assignee) were a feature that users would like to see for the case list.
Analysts typically look at ~10 cases a day.
One customer mentioned they wanted to have a way to give an analyst malware specific tickets. It was not clear to them that they could create a “Saved Search” to handle that use case.
One user said in order to move over to Threat Center, he wanted the home page to have some visualizations and watch lists that could give him an overview of what is going on.
Case Details/Threat Timeline
One user wanted to be able to search the event details panel like he is able to do in Search. “I didn't know I wanted it, but now that I don't have it, I miss it.”
When users tried to assign a case to themselves, they did not see their name and did not know what queue they could select in order to have their name populate in “Assignee”.
User asked what happens in the event that a case is closed, but new detections relating to the case are found. Is the case re-opened? Is a new case created?
One user wanted to run playbooks as part of the investigation process in order to perform certain actions based on what was investigated.
Users asked to have notes more readily available, as switching between tabs means more clicks.
One user didn’t notice the toast message when the stage was updated.
Open AI Analyzer didn’t work for cases with a high volume of detections.
Open AI Analyzer had different output styles from customer to customer (e.g. font size, headings).
Open AI Analyzer did not wrap log lines in its view.
Next Steps / Recommendations
Enablement for existing customers will be a key piece in adoption success. Showing customers how they can use Threat Center with Advanced Analytics will be useful. Also showing which features are available in the Threat Timeline that they normally would have to pivot to AA for would be useful (feature parity).
Cases List
Improve sorting mechanisms in table view so that users can find a case of interest faster
Give users the ability to hover over numbers in the different columns and show them what rules, use cases, etc were associated with that case
Show/tell users when they would need to look at the case list vs. alert list via documentation, walkthrough guide, video, etc
Allow user to take bulk action on cases
Case Details / Threat Timeline
Allow users to have a condensed/collapsed view of the Threat Timeline in order to improve their ability to scan quickly and find where the most interesting and riskiest behavior occurred
Improve the discoverability of rule names and access to other rule attributes such as “Rule ID”. Users pointed out what they liked about how we showed rule attributes in AA.
Re-think how we want to utilize the left panel and what information we provide. Moving the notes over to the primary view would help with efficiency during users' investigation process.
Allow users to create custom queues and stages as each organization has different requirements and needs
Ensure Data Insights is functional in next iteration so we can gather feedback on that feature
Create clearer error message when AI explainer is unable to load
Change the yellow text for the detection type to a more readable color.