==========
Enrichment
==========

-------
Summary
-------

One task that consumes a lot of security analysts' time is gathering more information about atomic alerts. DTonomy's built-in integrations with different data sources let you quickly enrich your alerts with extra information that helps you determine the right actions for your security alerts.

-----------
Alert Score
-----------

DTonomy AIR assigns a score to each ingested alert. The score can be assigned manually by the user or determined by the DTonomy AI.

The score is a decimal number between 0 and 1: a score of 1 means the alert is most likely a true positive that needs to be investigated immediately, and a score of 0 means it is most likely a false alarm that can be processed with lower priority or ignored.

Manually assign alert score
^^^^^^^^^^^^^^^^^^^^^^^^^^^

A DTonomy workflow user can assign the alert score manually when uploading alerts to the DTonomy platform. The user sets ``msg.score`` in a function node right before the advanced data upload node; DTonomy AIR will set the alert score to this ``msg.score`` value.

Automatically assign alert score
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If the user does not set the alert score manually during the alert upload, the DTonomy AI kicks in to decide the score of each uploaded alert. Based on the alert context, the DTonomy AI engine selects the risk model that best fits the alert and gives an accurate prediction of the alert score.

-------------------
Network Information
-------------------

ASN
^^^

Query a given IP for autonomous system information.

.. image:: /picture/enrichment/asn.png
   :width: 600pt

DNS resolver
^^^^^^^^^^^^

Resolve a host name to a list of IPs.

.. image:: /picture/enrichment/dnsresolver.png
   :width: 600pt

IpGeo
^^^^^

Decode geolocation information for an IP.

.. image:: /picture/enrichment/IpGeo.png
   :width: 600pt

Ip Reputation
^^^^^^^^^^^^^

Retrieve the reputation of a given IP via Minemeld.

.. image:: /picture/enrichment/ipReputation.png
   :width: 600pt

Nmap
^^^^

Scan the network to find live hosts.

.. image:: /picture/enrichment/nmap.png
   :width: 600pt

Nslookup
^^^^^^^^

Given a domain name, output a list of URLs.

.. image:: /picture/enrichment/nslookup.png
   :width: 600pt

Whois
^^^^^

Retrieve whois information for an IP or host.

.. image:: /picture/enrichment/whois.png
   :width: 600pt

-------------------
Threat Intelligence
-------------------

VirusTotal
^^^^^^^^^^

We support multiple integrations with VirusTotal to collect intelligence.

.. image:: /picture/enrichment/virustotal.png
   :width: 600pt

Shodan
^^^^^^

Check an IP via Shodan.

.. image:: /picture/enrichment/shodan.png
   :width: 600pt

Anyrun
^^^^^^

Retrieve malware analysis results from Anyrun.

.. image:: /picture/enrichment/anyrun.png
   :width: 600pt

HaveIBeenPwned
^^^^^^^^^^^^^^

Examine whether a user's email or password has been compromised.

.. image:: /picture/enrichment/haveibeenpwned.png
   :width: 600pt

Hybrid Analysis
^^^^^^^^^^^^^^^

Check IP and URL information from Hybrid Analysis.

.. image:: /picture/enrichment/hybridanalysis.png
   :width: 600pt

-------------
Vulnerability
-------------

CVE
^^^

Quickly query the National Vulnerability Database for CVE information.

.. image:: /picture/enrichment/cve.png
   :width: 600pt

Nexpose
^^^^^^^

Query Rapid7 Nexpose for existing vulnerability information.

.. image:: /picture/enrichment/nexpose.png
   :width: 600pt

Appspider
^^^^^^^^^

Query Rapid7 Appspider for existing vulnerability information.

.. image:: /picture/enrichment/appspider.png
   :width: 600pt

--------
Raw Logs
--------

Similar to data ingestion, you can connect to those data sources to pull raw logs for enrichment.

------------------
System Information
------------------

It is common to query system information for enrichment.

LDAP
^^^^

Query LDAP for more user information to enrich your alerts.

.. image:: /picture/enrichment/ldap.png
   :width: 600pt

SCCM
^^^^

Query SCCM information via simple integrations.

.. image:: /picture/enrichment/SCCM.png
   :width: 600pt
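As an added example (not DTonomy's own code) tying the enrichment nodes above to the manual ``msg.score`` path from the Alert Score section: a Node-RED style function-node body that derives a score in [0, 1] from enrichment fields already attached to the message, clamping the result so an out-of-range value never reaches the upload node. The field names ``msg.ipReputation``, ``msg.virustotal`` and ``msg.shodanOpenPorts`` and the weights are assumptions; map them to whatever your enrichment nodes actually emit.

```javascript
// Added example, not DTonomy code. Function-node body that computes msg.score
// from enrichment results. Field names and weights below are assumptions.

// Keep the score inside the 0..1 range DTonomy AIR expects; non-numbers become 0.
function clamp01(x) {
    if (typeof x !== "number" || Number.isNaN(x)) return 0;
    return Math.min(1, Math.max(0, x));
}

function scoreAlert(msg) {
    let score = 0;

    // Assumed: an IP reputation node left a verdict string on msg.ipReputation.
    if (msg.ipReputation === "malicious") score += 0.5;
    else if (msg.ipReputation === "suspicious") score += 0.25;

    // Assumed: a VirusTotal node left {positives, total} engine counts.
    const vt = msg.virustotal;
    if (vt && typeof vt.total === "number" && vt.total > 0) {
        score += 0.4 * (vt.positives / vt.total);
    }

    // Assumed: a Shodan node left an array of open ports; small weight, capped.
    const ports = Array.isArray(msg.shodanOpenPorts) ? msg.shodanOpenPorts.length : 0;
    score += Math.min(0.1, 0.02 * ports);

    msg.score = clamp01(score);
    return msg;
}

// Constructed sample message as it might look after the enrichment nodes ran.
const sampleAlert = {
    payload: { src_ip: "203.0.113.7", event: "ssh_bruteforce" },
    ipReputation: "malicious",
    virustotal: { positives: 30, total: 60 },
    shodanOpenPorts: [22, 80, 443],
};

// Inside a DTonomy function node the body would end with: return scoreAlert(msg);
```

The upload node then stores ``msg.score`` (0.76 for the sample above) as the alert score, so the DTonomy AI model is not invoked for that alert.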