The dashboard is divided into two main sections.
- Detection & Response: scanning funnel based on your organization's data
- Threat hunting: global data for proactive threat hunting
Detection & Response
The Detection & Response section provides visibility for files uploaded to Intezer from your organization's different security tools, including EDRs, SOAR, API implementations, and manual uploads.
The Detection & Response section is structured as a funnel, to provide you full visibility of your scans journey and to allow actionable next steps.
On the top right of this section you can find filters. You can filter by time, triage verdict, scan type and sources of the scan.
Let’s go through each sub section:
Collections:
This section visualizes all of your organization's scans; URLs, endpoints and files, divided to the source of the scan. You can add new sources by contacting our support team at support@intezer.com.
Triage:
Using Intezer’s unique code reuse technology combined with sandboxing and other techniques, we analyze each scan and extract all files including memory dumps and dropped files to provide the most accurate verdict and classification. Based on all extracted artifacts, our verdict calculation module will provide each scan one of the following verdicts:
- Confirmed malicious = Malware
- Suspicious = Admin tools, packed files and other utilities that could be used for legitimate or malicious purposes)
- To investigate = Files that do not have a definitive verdict
- No threats = Files that do not pose threat to you organization and false positives
Response:
This section is for taking action. You can see all files that are to be investigated and all of the files with a definitive cluster.
- For confirmed malicious: By clicking on the clusters you will be directed to your organization's history page filtered by the threat family where you will find all scans are related to this cluster. As a next step, you are able to create detection rules using our Detect & Hunt feature. This allows you to respond more efficiently, addressing each cluster (which can include many individual samples), instead of having to investigate and respond to each individual alert.
- For suspicious: You will be redirected to the history page containing all suspicious files. Based on your organizational context, determine whether it is a known software or it is a tool that might pose a threat. If it is a known software, consider adding the file hash to your allow list. If it is a threat, continue to the incident response phase by using our Detect & Hunt feature.
- For files that require further investigation: You will be redirected to the history page containing all files that require analysis. Intezer’s memory modules extraction, behavior tab, TTPs, Detect & Hunt, strings and strings reuse capability makes the task of determining the verdict definition much easier.
Threat Hunting
Threat Hunting has three sections:
- Watchlist: All the family threats you are tracking in one place.
- Publicly Trending Threats: Latest uploads to Intezer’s platform.
- Blogs & Tweets: You can browse through the latest blogs & tweets posted by Intezer.
Unlike Detection & Response section which is based restrictedly on your organization’s data, Threat Hunting is based on globally shared files within Intezer’s platform.