In the past few months we’ve added a number of new features to our ActiveEye security platform to help our customers and our Security Operations Center (SOC) team identify, analyze, and respond to threats faster. From isolating variances during investigations to crafting custom reports that land in your inbox each morning, these new features are anchored on three of our development principles: efficiency, effectiveness, and transparency. Here are a few of the highlights.
Event Variance Tool
When investigating a security incident it is always helpful to compare the current set of data to a previous time period, whether that’s a day, a week, or a month. When you see an increase or decrease in events, this can help you quickly identify what is driving the change. The new Compare feature in the Investigate Catalog in the ActiveEye dashboard lets you do just that, comparing data from one time period (a date range or a number of days) with a similar, adjacent one.
Along with a graphical view of the changes, tables at the bottom of the Investigate screen show variances of different slices of the data, like IP Address, Application, or Event Description. The view provides a quick and easy way to see what changed and by how much.
Saved Queries
Our ActiveEye power users’ favorite tool is the Saved Query function in the Investigate Catalog. We added this time-saving feature for people who repeatedly run investigations with the same filters applied. After you add a series of filters to your investigation screen, you can save that query through the Save icon in the top right of the investigation screen.
You can choose to make the query available to other members of your team in ActiveEye or keep the query unique to you. From there, the query will be saved to the home screen of your Investigate Catalog under the My Saved Queries section.
Daily Email Summary
Building on top of the Saved Query functionality, we also realized that not everyone logs into ActiveEye every day. One of the new features we rolled out in ActiveEye this month is the ability to create a Daily Email Summary that pushes any of your Saved Queries directly to your inbox.
Setting it up is easy. Start by adding a new Daily Email Summary from the Admin tab of the main menu in ActiveEye. From there, you can add one or more of your Saved Queries from the Investigate Catalog using the new icon on the top right of the page. The following day, you will begin to see emails from our SOC support team with alert information from your queries.
Endpoint security customers may be particularly interested in this, as the report also provides insight on new threats detected in your environment, known threats that were prevented from running, and any blacklisted applications detected.
EDR Response Automation
With more enterprises adopting advanced endpoint detection and response (EDR) solutions, we continue to enhance our abilities to resolve threats faster. Because our SOC analysts can take action directly from the ActiveEye platform, including automating those responses through our Virtual Analyst, we currently average less than 30 minutes to resolve alerts from endpoint solutions like Carbon Black, CrowdStrike, Microsoft Defender ATP, and Sophos.
The Delta Risk team has already started rolling out updates to the Alerts screen to help investigate and analyze threats. We are improving everything from small things, like adding more search and filter capabilities, to larger visualization tools that provide trending and anomaly views. Stay tuned for more updates and, as always, please send us any feedback or suggestions on how to make ActiveEye even better.