In this video, we'll demonstrate how an ActOn enables operators to aggregate actionable intelligence in one place — within Resolution Intelligence Cloud — to save time, reduce toil, and enable faster, more informed decision-making.
We'll review situational analysis, which allows you to see exactly what's going on in the environment, and go through how we quantify risks using three core principles: likelihood, impact, and confidence. It's all about knowing where to focus attention first. Additionally, we'll walk you through a medium-risk scenario to demonstrate the level of detail you'll have at your fingertips.
In this video, I will do a walkthrough of an ActOn, which is really at the core of what we're providing our operators. Basically, it is the ability to aggregate actionable intelligence in one location, reducing much of the toil that goes into analyzing and aggregating data manually. When we first look at an ActOn, there are many things to focus on, but we're going to start with the situational analysis. This is where you can see what's really going on in the environment.
It's important to note that there are three core principles we score against: likelihood, impact, and confidence. Likelihood is the likelihood that we have something associated with malware; we're pulling this information from threat feeds and similar sources. Impact is the potential impact on our systems on our side. Confidence is our level of confidence. In this particular case, this was tagged as medium confidence, which triggered a rule in Chronicle. So, we're going to take a deep look and see exactly what's going on. We'll navigate to the Entities and Evidences page. Here, we have one system and an asset, but we're going to be talking about assets and why these are critical in further discussions.
We have three different usernames that were tried multiple times from this particular external IP address that is associated with an indicator of compromise. Let's look at the actual detections. These were pulled from multiple different detections across Chronicle at different times. If we look at the graph, we can see that we have the external source, the specific attack, and the specific users that were tried.
That links up very well with the Credential Access tactic in the MITRE ATT&CK® techniques and tactics. And if we look at the analysis log, we can see who the users were. It's really important to note that this analysis was done automatically for us; there was no human intervention. So basically, we were able to see the criticality of the users. We viewed the systems. We looked at the origins of the IP addresses. We discovered that threat intelligence has associated this with brute-force attacks. We also know that we have not whitelisted these attacks. We were able to determine where the log source is coming from, and we can see that we've actually blocked this. This is informational.
We'll talk more about why that's important further on, because we should probably be restricting this access, so we can take note of this from a feedback perspective. But more importantly, all of these actions happened automatically within the platform, helping to reduce toil.
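To make the correlation and scoring in the walkthrough concrete, here is an added example that is not Resolution Intelligence Cloud, ActOn or Chronicle code and does not reproduce their scoring. It takes constructed failed-login events, collapses everything from one external source against one host into a single finding (as the ActOn did across detections fired at different times), enriches it from hypothetical threat-intel, user-criticality, allowlist and firewall-block tables, and scores it on likelihood, impact and confidence. The sample events, the enrichment tables, the 1-to-3 scales, the product thresholds and the ATT&CK labelling (TA0006 Credential Access / T1110 Brute Force) are all assumptions made for the example; the constructed data is chosen so that the known-bad source lands at medium risk, like the scenario in the video.

```python
"""Added example, not product code: correlate failed logins from one
external source into a single finding and score it on likelihood,
impact and confidence. Events, enrichment tables and weights are constructed."""

from collections import defaultdict
from dataclasses import dataclass

# Constructed authentication events (a real feed would come from the SIEM).
EVENTS = [
    {"ts": "2024-03-01T10:00:01Z", "src_ip": "203.0.113.45", "host": "srv-01", "user": "svc_backup", "outcome": "FAIL"},
    {"ts": "2024-03-01T10:00:04Z", "src_ip": "203.0.113.45", "host": "srv-01", "user": "svc_backup", "outcome": "FAIL"},
    {"ts": "2024-03-01T10:00:09Z", "src_ip": "203.0.113.45", "host": "srv-01", "user": "jdoe", "outcome": "FAIL"},
    {"ts": "2024-03-01T10:00:15Z", "src_ip": "203.0.113.45", "host": "srv-01", "user": "jdoe", "outcome": "FAIL"},
    {"ts": "2024-03-01T10:00:22Z", "src_ip": "203.0.113.45", "host": "srv-01", "user": "mwong", "outcome": "FAIL"},
    {"ts": "2024-03-01T10:00:30Z", "src_ip": "203.0.113.45", "host": "srv-01", "user": "mwong", "outcome": "FAIL"},
    {"ts": "2024-03-01T11:42:10Z", "src_ip": "203.0.113.45", "host": "srv-01", "user": "jdoe", "outcome": "FAIL"},
    {"ts": "2024-03-01T12:00:00Z", "src_ip": "198.51.100.7", "host": "srv-02", "user": "jdoe", "outcome": "FAIL"},
    {"ts": "2024-03-01T12:00:20Z", "src_ip": "198.51.100.7", "host": "srv-02", "user": "jdoe", "outcome": "SUCCESS"},
]

# Hypothetical enrichment sources standing in for threat feeds, an asset
# inventory, the operator allowlist and firewall block records.
THREAT_INTEL = {"203.0.113.45": {"tags": ["brute-force"], "confidence": "medium"}}
USER_CRITICALITY = {"admin": 3, "svc_backup": 2, "jdoe": 1, "mwong": 1}
ALLOWLIST = set()
BLOCKED_SOURCES = {"203.0.113.45"}
CONFIDENCE_LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    src_ip: str
    host: str
    users: list
    attempts: int
    likelihood: int   # 1..3: is this behaviour plausibly malicious?
    impact: int       # 1..3: what would the attacker gain if it worked?
    confidence: int   # 1..3: how much do we trust the evidence?
    technique: str
    blocked: bool
    allowlisted: bool

    @property
    def risk(self) -> str:
        """Combine the three axes into the operator-facing level (illustrative thresholds)."""
        product = self.likelihood * self.impact * self.confidence
        if product <= 4:
            return "low"
        if product <= 12:
            return "medium"
        return "high"


def aggregate(events):
    """Collapse individual failed logins into one group per (source, host),
    regardless of when each detection fired. Successful logins are ignored."""
    groups = defaultdict(lambda: {"users": set(), "attempts": 0})
    for ev in events:
        if ev["outcome"] != "FAIL":
            continue
        group = groups[(ev["src_ip"], ev["host"])]
        group["users"].add(ev["user"])
        group["attempts"] += 1
    return groups


def score(src_ip, host, users, attempts):
    """Score one aggregated group. The weights below are assumptions for the example."""
    intel = THREAT_INTEL.get(src_ip, {})
    # Several usernames, each tried more than once, is the spray pattern from the walkthrough.
    spray = len(users) >= 3 and attempts >= 2 * len(users)
    likelihood = 1
    if "brute-force" in intel.get("tags", []):
        likelihood += 1
    if spray:
        likelihood += 1
    impact = max(USER_CRITICALITY.get(u, 1) for u in users)   # most critical user targeted
    confidence = CONFIDENCE_LEVEL.get(intel.get("confidence"), 1)
    technique = "TA0006 Credential Access / T1110 Brute Force" if likelihood >= 2 else "n/a"
    return Finding(src_ip, host, sorted(users), attempts, likelihood, impact, confidence,
                   technique, src_ip in BLOCKED_SOURCES, src_ip in ALLOWLIST)


def build_findings(events):
    """Return findings ordered so the operator sees the highest risk first."""
    findings = [score(ip, host, g["users"], g["attempts"])
                for (ip, host), g in aggregate(events).items()]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f.risk])


if __name__ == "__main__":
    for f in build_findings(EVENTS):
        print(f"{f.risk:6} {f.src_ip:15} -> {f.host} users={f.users} attempts={f.attempts} "
              f"L/I/C={f.likelihood}/{f.impact}/{f.confidence} {f.technique} "
              f"blocked={f.blocked} allowlisted={f.allowlisted}")
```

The known-bad source scores 3/2/2 and comes out medium: likelihood is high because the IP carries a brute-force tag and the spray pattern is present, impact stays at 2 because no highly privileged account was targeted, and confidence follows the feed's medium rating. The blocked and allowlisted flags are carried on the finding as context rather than folded into the score, matching the walkthrough, where the block was noted as informational.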