Review the alert and start your investigation

This task is part of a workflow defined in Working with Alerts Based on Firewall Events.

If you are reviewing an assigned alert, review the alert detail to understand why Secure Cloud Analytics generated an alert. Review the supporting observations to understand what these observations mean for the source entity.

Note that if the alert was generated based on firewall events, the system does not note that your firewall deployment was the source of this alert.

View all of the supporting observations for this source entity to understand its general behavior and patterns, and see if this activity may be part of a longer trend:

Procedure

Step 1

From the alert detail, click the arrow icon next to an observation type to view all logged observations of that type.

Step 2

Click the arrow icon next to All Observations for Network to view all logged observations for this alert's source entity.

Download the supporting observations in a comma-separated value file, if you want to perform additional analysis on these observations:

  • From the alert detail, in the Supporting Observations pane, click CSV.

From the observations, determine if the source entity behavior is indicative of malicious behavior. If the source entity established connections with multiple external entities, determine if the external entities are somehow related, such as if they all have similar geolocation information, or their IP addresses are from the same subnet.
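One way to check the subnet and geolocation relationship described above against a downloaded observations CSV, as an added example rather than anything shipped with Secure Cloud Analytics. The column names (connected_ip, country) and the sample rows are constructed assumptions; adjust them to the headers in your export.

```python
"""Cluster the external entities in an exported observations CSV by /24
subnet and by country, so that related connected entities stand out.
Added example; the column names and the rows below are assumptions."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample standing in for a CSV downloaded from the Supporting
# Observations pane; the header line is an assumed layout.
SAMPLE_CSV = """time,source_ip,connected_ip,country,port
2024-01-05T10:00:00Z,10.1.2.3,203.0.113.10,NL,443
2024-01-05T10:01:00Z,10.1.2.3,203.0.113.44,NL,443
2024-01-05T10:02:00Z,10.1.2.3,203.0.113.91,NL,8443
2024-01-05T10:03:00Z,10.1.2.3,198.51.100.7,US,443
2024-01-05T10:04:00Z,10.1.2.3,192.0.2.200,DE,22
2024-01-05T10:05:00Z,10.1.2.3,10.1.2.250,,445
2024-01-05T10:06:00Z,10.1.2.3,not-an-ip,US,80
"""

# RFC 1918 ranges; connected entities should be external, so these are skipped.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def load_observations(text):
    """Parse CSV text into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))

def cluster_external_entities(rows, ip_col="connected_ip", country_col="country"):
    """Group distinct external IPs by containing /24 (IPv4) or /64 (IPv6) network
    and by country. Returns (by_subnet, by_country) with sorted, de-duplicated lists."""
    by_subnet, by_country = defaultdict(set), defaultdict(set)
    for row in rows:
        try:
            ip = ipaddress.ip_address((row.get(ip_col) or "").strip())
        except ValueError:
            continue  # skip malformed or empty addresses instead of aborting the triage
        if any(ip in net for net in RFC1918):
            continue  # internal address: not a connected entity in this model
        net = ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 64}", strict=False)
        by_subnet[str(net)].add(str(ip))
        by_country[(row.get(country_col) or "").strip() or "unknown"].add(str(ip))
    key = lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s))
    tidy = lambda d: {k: sorted(v, key=key) for k, v in d.items()}
    return tidy(by_subnet), tidy(by_country)

def related_clusters(rows, min_size=2):
    """Keep only subnets and countries contacted by at least min_size distinct IPs."""
    by_subnet, by_country = cluster_external_entities(rows)
    return ({k: v for k, v in by_subnet.items() if len(v) >= min_size},
            {k: v for k, v in by_country.items() if len(v) >= min_size})
```

Run `related_clusters(load_observations(SAMPLE_CSV))` to see which subnets and countries account for more than one connected entity; a single /24 or a single country behind many connections is the pattern the text asks you to look for.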

View additional context surrounding the source entity from a source entity IP address or hostname, including other alerts and observations it may be involved in, information about the device itself, and what type of session traffic it is transmitting:

  • Select Alerts from the IP address or hostname drop-down to view all alerts related to the entity.

  • Select Observations from the IP address or hostname drop-down to view all observations related to the entity.

  • Select Device from the IP address or hostname drop-down to view information about the device.

  • Select Session Traffic from the IP address or hostname drop-down to view session traffic related to this entity.

  • Select Copy from the IP address or hostname drop-down to copy the IP address or hostname.

Note that the source entity in Secure Cloud Analytics is always internal to your network. Contrast this with the Initiator IP in a firewall event, which indicates the entity that initiated a connection, and may be internal or external to your network.

From the observations, examine information about other external entities. Examine the geolocation information, and determine if any of the geolocation data or Umbrella data identifies a malicious entity. View the traffic generated by these entities. Check whether Talos, AbuseIPDB, or Google have any information on these entities. Find the IP address on multiple days and see what other types of connections the external entity established with entities on your network. If necessary, locate those internal entities and determine if there is any evidence of compromise or unintended behavior.

Review the context for an external entity IP address or hostname with which the source entity established a connection:

  • Select IP Traffic from the IP address or hostname drop-down to view recent traffic information for this entity.

  • Select Session Traffic from the IP address or hostname drop-down to view recent session traffic information for this entity.

  • Select AbuseIPDB from the IP address or hostname drop-down to view information about this entity on AbuseIPDB's website.

  • Select Cisco Umbrella from the IP address or hostname drop-down to view information about this entity on Cisco Umbrella's website.

  • Select Google Search from the IP address or hostname drop-down to search for this IP address on Google.

  • Select Talos Intelligence from the IP address or hostname drop-down to view information about this entity on Talos's website.

  • Select Add IP to watchlist from the IP address or hostname drop-down to add this entity to the watchlist.

  • Select Find IP on multiple days from the IP address or hostname drop-down to search for this entity's traffic from the past month.

  • Select Copy from the IP address or hostname drop-down to copy the IP address or hostname.

Note that connected entities in Secure Cloud Analytics are always external to your network. Contrast this with the Responder IP in a firewall event, which indicates the entity that responded to a connection request, and may be internal or external to your network.

Leave comments as to your findings.

  • From the alert detail, enter a Comment on this alert, then click Comment.