This blog gives a detailed overview of Demisto’s new Related Incidents feature and how it can be leveraged to enhance analysts’ decision-making prowess.

Untapped Sherlocks

Security analysts have it tough out there. As security threat volumes continue their meteoric rise – Hackmageddon reports that monthly attacks have consistently risen over the last 3 years – and attackers grow increasingly sophisticated, analysts often find it hard to keep up with the sheer number of threat alerts. Add to that the fact that an average company uses 15 security technologies and it paints a somber picture of analysts rushing from tab to tab as attack alerts continue pouring in.

A rarely discussed demerit of this alert fatigue is the dent it makes on analysts’ qualitative decision-making abilities. Much of an analyst’s work is deductive and investigative; they’re cyber sleuths, stringing disparate pieces of information together to get to the bottom of that cyber threat. Alert fatigue takes away both their time and energy, getting them stuck on repetitive tasks while the big fish get away.

Think of it this way: if Sherlock Holmes was stuck directing traffic, the Hound of Baskervilles would still be plaguing the world today. And that’s what is happening to our analysts.

The Analyst Detective Kit

Demisto’s security orchestration and automation features have already reduced the time and effort required to contain a wide variety of threats. But just saving time and increasing peace of mind isn’t enough: there is a need to enhance analysts’ investigative capabilities so that they can put their best foot forward while dealing with sophisticated, well-coordinated attacks. With its machine learning capabilities that learn from each analyst action, Demisto is perfectly placed to meet this need head on. And that’s where Related Incidents – our latest update in the Demisto 3.0 platform – comes in.

With the help of Related Incidents, analysts can get a streamlined view of how attacks over time are related, customize that view to best suit their line of thought, and codify their insights to better deal with similar incidents in the future.

Let’s look at the Related Incidents dashboard. This dashboard provides an intuitive, single-pane-of-glass view of related incidents across a timeframe that can help analysts learn more about the intricacies of the incident in question. The screenshot below explains the basic components of the dashboard:

• The green circle at the center is the incident the analyst is studying. Every other incident icon on the screen is a related incident, with the incident types denoted by the legend on the right.
• The closer an incident is to this green circle, the more similar that incident is to the incident being investigated.
• The timeframe is represented as a clock, with the left arc looking at related incidents that occurred before the incident in question and the right arc looking at related incidents that occurred after the incident in question.

This is a static view that can be customized in numerous ways through the menu bar on the right. Analysts can change the timeframe of study…

…tweak the degree of similarity they want to concentrate on…

…and modify the incident types they want to see through the legend on the right.

The modular nature of this dashboard gives analysts full control to chart the investigative process the way they see fit.

Digging Deep

The Related Incidents feature couples a comprehensive dashboard with the ability to focus on any one related incident and study it in greater detail. By clicking the icon of any related incident, the analyst gets a succinct snapshot of both incident types, how they are related, and the common indicators that merit further investigation.

Apart from dealing with advanced threats, analysts can also use Related Incidents to sanitize the hitherto never-ending queue of threat alerts. Instead of spending time searching for and deleting duplicate incidents, analysts can leverage Related Incidents and Demisto’s automation capabilities to reduce that time dramatically.   

The next steps turn Related Incidents into something almost-sentient. When analysts select an indicator of interest, they can access the reputation of that indicator, perform basic actions on that indicator, and even see which other incidents (related or otherwise) have the same indicator present.  

If needed, analysts can quickly pivot to any related incident and make that the center of the dashboard for further examination. This is analogous to researchers reading a cited source at the end of a journal paper, then reading cited sources in the second paper, and so on. With each level of increased depth, analysts can improve their overall understanding of the threat at hand.

Finally, once analysts are satisfied with the veracity of a related incident, they can link the incidents and Demisto will track them together in the future.

This ensures that while each investigation is an analyst-driven exercise, Demisto’s learning capabilities are utilized to make each subsequent investigation easier.

We hope you found this overview of Demisto’s Related Incidents feature helpful. Analysts can use this feature to get a complete view of how an incident relates to other incidents tracked on the platform, customize each dashboard element to polish their investigation, focus on a related incident and the indicators therein, and link incidents to collect important data for future threats.

With this trusty Dr. Watson by analysts’ side, nipping complex attacks in the bud will soon be elementary.

To watch a video walkthrough of the Related Incidents feature, please visit our YouTube channel here.