CSSA Lesson 5 Security Command Center - 6.3.1

Uploaded by

ronerowilmer

In this module, I’ll provide an overview of the features of the security command
center, how you can view, interpret and customize widgets, and how you can
investigate and take actions on policy and threat violations, including marking them
as exceptions, creating incidents, and taking actions on endpoints using playbooks.

Security Command Center (SCC) provides a real-time view of threats as
they are detected by the SNYPR platform and allows you to drill down into each user
or violation to investigate and take action on threats. From this screen, you can:
• Create cases
• Manage threats
• Search Spotter for more information about a threat

The components of the SCC are displayed as widgets. From each widget, you can
navigate to corresponding dashboards where you can see additional details for each
of the security dashboards.
The security command center features several dashboard widgets, which you can
arrange to suit your specific requirements. These include:
1. Top Violators
2. Top Threats
3. Top Violations
4. Kill Chain Analysis
5. Violation Timeline
6. Watchlisted Entities
7. Custom widgets you can create on the fly for Watch Lists
The top violators dashboard displays the top violation entities by risk score for the
selected time range. Violators can be users, activity accounts, network addresses,
assets on the network, and resource group accounts.
• Users: These are users on the network. When you drill down into a user,
this will show the HR data and all correlated activity accounts belonging to
the user. Example: Patricia McDonald.
• Resources: These are assets on the network. For example, an ATM named
CHICAGOBANK_ATM1.
• Activity Account: This is an uncorrelated or service account performing
activity on a datasource. Example: SVC_SNYPR6 on Windows. These can
also be accounts that SNYPR hasn’t correlated to its owner yet.
• Network Address: A network address refers to an IP address on the
network. Example: 10.0.3.137.
• Resource Group Account: Not to be confused with assets, a resource group
account is an account performing activity across all datasources in a
resource group. Resource Group refers to all the data sources imported for
a Device Type. Example: An account for Resource Group Blue Coat Proxy across
data sources BlueCoat1, BlueCoat2, and BlueCoatLandspeed.
You can filter the results you see by the following:
• Type of Entities
• Status of the violation
• Policies violated
• Threats violated
• Threat Models violated

Click the red x to remove filters.

Sort Results
You can sort the list of violations based on the filters you have applied.

For example, you can sort by Department, First Name, or Last Name for users.

By default, results are sorted by Risk Score. You will also always be able to
sort by Generation Time.
The graphical analysis provides a visual summary of the results organized by criteria.
You can click any data point to view only the violators that meet that criterion. For
example, click Data Snooping to view only violators who have violated policies in this
category.

Click the X to remove the filter or click another data point to further filter the results.
Run Report
From the graphical analysis, you can run the Top Violator Graphical View Report.

When you click this report name, a Schedule Report window will appear.

The Top Threats widget displays the top threat model violations for the selected time
range.

Filter and Sort Results
You can filter Top Threats by the following:
• Criticality
• Violator

You can also sort by the violator count or the generation time.

The Top Violations widget displays the policy violations with the highest risk ranking.

Within this widget and the other widgets on this screen, you can change the time range,
type text to filter results, move the widget around the dashboard, and filter and sort
the results. You can use the refresh icon to refresh the results and use the double-sided
arrow in the bottom right corner to change the size and shape of the widget.

You can also click the graph icon from the widgets to view a graphical analysis of the
results.
Filter Results
You can filter Top Violations by the following:
• Criticality
• Category
• Violator
• Resource Group
• Functionality
You can also sort by the violator count or the generation time.

The graphical analysis provides a visual summary of the results organized by criteria.
You can click any data point to view only the violations that meet that criterion. For
example, click Low to view only the violations with that criticality. Click the X to
remove the filter or click another data point to further filter the results.

You can export the Top Violator Graphical View Report from this widget, as well.
The Kill Chain Analysis dashboard displays violations by kill chain stage. The kill chain
is the term used to describe the sequence of events that make up a threat.

The purpose of the kill chain analysis is to identify violations early in the kill chain that
predict the violator will escalate the risky behavior further down the kill chain so that
you can detect and mitigate a threat before it causes loss to your organization. It also
allows the analyst to see and focus on violations organized by the specific type of
threat.

Note for instructor: The kill chain represents an escalation of behavior like a threat
model. But unlike a threat model, the kill chain stages are inherent to the type of
threat indicator while the threat model stages are defined by the use case. This means
you can have a policy in the execute stage that can be violated without any other
policies being violated in the earlier stages first. In a threat model, it will not trigger a
violation unless all the stages are violated in the specified sequence. Threat models
may have stages that coincide with all the stages in a kill chain, or they may skip some
stages.

The stages in a kill chain include the:

1. Recon Stage, in which an attacker gathers information before an attack in an
attempt to find a vulnerable point in the network. Example: Phishing emails.

2. Delivery Stage, in which an attacker delivers a malicious package to gain access to a
network. Example: User clicks a link within a phishing email and downloads
malware from the malicious site.

3. Exploit Stage, in which an attacker finds a vulnerable point of entry into the
network and gains access. Example: Zero-day attack.

4. Execute Stage, in which an attacker escalates access to execute the attack using
admin privileges. Example: Escalating privileges or stealing admin credentials,
lateral movement.

5. Exfiltration Stage, in which an attacker can move freely around the network and
access or remove any sensitive data at will. Example: An insider uploading
customer information to a personal file sharing/storage site.
The violation timeline widget displays a bubble chart that describes the name and
count of violations along the specified timeline.

You can hover over a bubble to view the date and number of violations for any policy.
When you click the data point, you can see the violation summary and take action on
the violation.
About Watchlisted Entities
The Watchlisted Entities widget displays entities that are included on a watch list.

You can sort entities by Risk Score or Generation Time.
Filter Watchlisted Entities
You can filter entities by the following:
• Watchlist
• Name
• Status
• Entities
• Policies
• Threats
• Tenants (for multi-tenant)

You can create up to 6 custom watchlist widgets for your dashboard so you can
easily see the risk scores for the entities that pose specific risks to your organization.
Filter Entities
You can filter entities by the following:
• Status
• Entities
• Policies
• Threats

When you click an entity from any of the dashboard widgets, you can view a
summary of the violation, drill down to view details of the violation, and take action
on the violators.
The violator screen displays details about the violation entity including the list of
policies and threats they have violated, and the risk scores for each violation that add
up to the total risk score for the violator. You can view details about the entity, drill
down into the details of the violations, view violation events, or click any data point
to launch a Spotter search.
You can use the chat feature to chat with other analysts viewing the same violation.
Click the green chat icon to open the dialogue to begin the conversation.

From the violation summary screen, you can take actions on a violator. These include:
• Launch Spotter in a new window to view the entity’s activity.
• Add the user to a watch list.
• Add to white list.
• Mark in progress to indicate investigation is in progress.
• Mark as a concern and create incident.

When you take action from the entity screen, the action applies to ALL the violations
associated with this entity. For instance, if you mark the entity as a non-concern, their
risk score will be decreased to zero for ALL the violations on the list. If you mark the
user as a concern and create an incident, the incident will include all the violations
listed.
The Response Bot is part of the Securonix Smart Response framework, which uses
machine learning to understand the typical actions taken by Tier 2 and Tier 3
analysts for this type of threat to predict the most appropriate action for the
violation.

For this violation, the Response Bot has determined with 100% probability that the
violation should be marked a concern.
The Response Bot is enabled during policy creation. You can see that in more detail in
the content developer workshop.
You can take the action suggested by the Response Bot, or you can take another
action.
When you add an entity to a watchlist, you can select the watchlist you want to add
them to, or you can create a new watch list. From here, you can add a custom widget
for a watchlist to the Security Command Center. To do this, just toggle the slider to
YES, and a widget will be created. You can have up to 6 watchlist widgets.

You can choose to add the violator to a global white list, or you can whitelist the
violator for specific policies, threat models, or datasource functionality.

If you add an entity to a global white list, SNYPR will ignore all the violations on the
list and all future violations. You can select an existing white list or create one. You
can also specify if the entity should be on the whitelist permanently or until a certain
date. For global white lists, you will decide if you want to reduce the risk score for the
entity to zero for all the existing violations, or if you want to keep the current risk
score and just exempt them from any future violations.

For whitelists for policies or threat models, click the policies and/or threat models for
which you want SNYPR to ignore violations for this entity.

For whitelists for functionality, select the functionality of the datasources for which
this entity will be ignored. SNYPR will not flag violations for this entity for any policies
running on the selected functionalities.

You can manage whitelists from Menu > Views > Whitelist.
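The whitelist rules above (global versus policy, threat model or functionality scope; permanent or until a date; zero versus keep existing risk) modelled as an added example. This is not SNYPR's code: the scope names, the rule that scoped whitelists keep the existing risk score, and all entity, policy and functionality names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

# Illustrative model of the whitelist behaviour described in the notes; NOT SNYPR's
# implementation. Scope names and the "scoped whitelists keep existing risk" rule
# are assumptions made for this example.

@dataclass(frozen=True)
class WhitelistEntry:
    entity: str
    scope: str                            # "global", "policy", "threat_model" or "functionality"
    values: FrozenSet[str] = frozenset()  # policies / threat models / functionalities covered
    expires: Optional[date] = None        # None means the entity is whitelisted permanently
    zero_existing_risk: bool = False      # global only: reset risk of existing violations to 0

@dataclass(frozen=True)
class Violation:
    entity: str
    policy: str
    functionality: str
    risk_score: float
    threat_model: Optional[str] = None

def entry_covers(entry: WhitelistEntry, v: Violation, today: date) -> bool:
    """True if the entry is still in force today and its scope matches the violation."""
    if entry.entity != v.entity:
        return False
    if entry.expires is not None and today > entry.expires:
        return False  # whitelisting "until a certain date" has lapsed
    if entry.scope == "global":
        return True
    if entry.scope == "policy":
        return v.policy in entry.values
    if entry.scope == "threat_model":
        return v.threat_model is not None and v.threat_model in entry.values
    if entry.scope == "functionality":
        return v.functionality in entry.values
    raise ValueError(f"unknown whitelist scope: {entry.scope}")

def evaluate(v: Violation, entries, today: date, existing: bool = True) -> dict:
    """Decide whether a violation is ignored and which risk score it keeps.

    existing=True  -> a violation already on the entity's list
    existing=False -> a violation that would be raised in the future
    """
    matches = [e for e in entries if entry_covers(e, v, today)]
    if not matches:
        return {"ignored": False, "risk_score": v.risk_score, "scope": None}
    best = next((e for e in matches if e.scope == "global"), matches[0])  # global wins
    if not existing:
        risk = 0.0  # future violations are never flagged
    elif best.scope == "global" and best.zero_existing_risk:
        risk = 0.0  # analyst chose to reduce existing violations to zero
    else:
        risk = v.risk_score  # keep the current score; only future violations are exempt
    return {"ignored": True, "risk_score": risk, "scope": best.scope}

# Constructed sample data (names are made up for this example).
TODAY = date(2024, 1, 15)
V_EMAIL = Violation("jdoe", "Email to Personal Domain", "Email", 35.0, "Data Exfiltration")
V_PROXY = Violation("jdoe", "Upload to File Sharing Site", "Web Proxy", 20.0)
EXPIRED_PROXY_ENTRY = WhitelistEntry("jdoe", "functionality", frozenset({"Web Proxy"}),
                                     expires=date(2024, 1, 1))  # lapsed before TODAY
```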

You can mark the violations as a Non-Concern to reduce the risk score of ALL the
violations for this entity.

You can mark the violations as a concern to create an incident. You will select a
workflow to manage the incident and provide comments about the case. Then assign
the case to a user or group.

Manage incidents from the Incident Management dashboard.

On the Top Threats widget, click a threat to view the threat violation summary
screen. This displays details about the threat violation, including a list of entities
who violated the threat model.

On the threat violation summary screen, you can perform the following additional
actions:
1. View threat model details
2. Take action on a violator
3. View entity details
4. Filter Violations by Entities, Incidents created, and Action Status.
5. Search Violation Events in Spotter.

Hover over the empty space beside a violator on this screen to take action on a
violator.

For threat and policy violations, you can take action only on individual entities, rather
than take bulk action on all entities who violated the threat model.

You can take the following actions on violators:
• Add to white list
• Add to watch list
• Mark in progress
• Mark as concern and create incident
On the threat violation details screen, you can see the reason for the violation and
the risk score trend graph. This violation summary is a little different from that of a policy.
Here you will see the individual policies violated within each stage of the threat
model and the time between each violation.
Click each policy in the threat model stages to see the violation information.

Click Other Policies to see additional policies violated by this entity. You can use this
information to find additional context about the threat model such as if the violator
performed related behavior that was not caught as part of the threat model.

You can also click Violation Events to view the events associated with this threat
model in Spotter.

You can take the same actions for the violator from this screen.

On the Top Violations widget, click a policy to view the violation details. You will see
details about the violations, including a list of entities who violated the policy.

On the policy violation summary screen, you can perform the following additional
actions:
1. View policy details
2. Take action on a violator
3. View entity details
4. Filter Violations by Entities, Incidents created, and Action Status.
5. Search Violation Events in Spotter.
Click a violator to drill down into the details of the violation for the violator.

The summary view shows specific information about the violation events such as the
email recipient, and the email subjects and attachments involved in the violation. The
information that appears here is based on the violation summary configured by the
content developer during policy creation.

From here, you can toggle between the Securonix attribute names and the User
Defined attribute names the content developer selected during activity import. If no
custom attribute names were defined, you will see the original attributes for the
Datasource that were mapped to the Securonix attributes during activity import.

For behavior-based policies, click the analytics summary icon beneath the gear to
switch to an analytics summary to view the behavior profile information.

You will see a summary that includes the name of the behavior profile and the
number of datasources analyzed in the cluster. SNYPR uses a min/max clustering
technique to determine a baseline for an entity. See the Content Developer course for
more information about how behavior profiles are generated.

You will see the behavior baseline for this entity, and the frequency that resulted in
the violation. For example, the baseline for this policy is 2. The violator performed 29
events, which was a 15x deviation from the baseline.

The behavior also appears on a bar chart so you can easily see the normal and outlier
behavior.

Finally, you can view the cluster information for the behavior profile. This is the
information about how many datapoints for this entity were counted and used to
generate the behavior baseline. You might see only one, or you might see min, max,
and noise clusters.
• Min cluster: the minimum count of normal behavior for the entity. For example, 1-3.
• Max cluster: the maximum count of normal behavior for the entity. For example, 5-7.
The top number for this cluster becomes the baseline.
• Invalid/Noise cluster: Outlier behavior that fails to deviate enough from the baseline
to generate a violation. For example, if the baseline is 7, and the entity performs the
event 9 times one day, this will result in an invalid cluster. If this number begins to
appear more frequently, SNYPR will adjust the behavior profile to increase the
baseline. If it does not see this number again, the cluster will continue to be
considered noise and will be disregarded for analysis.
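The baseline, violation and noise-cluster behaviour described above, walked through as an added example. This is not Securonix's clustering code: the deviation multiple that counts as a violation and the number of repeats after which a noise count raises the baseline are assumed parameters, chosen only so the page's two scenarios (29 events against a baseline of 2; 9 events against a baseline of 7) come out as the notes describe.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Illustrative model of the min/max cluster baseline from the notes; NOT SNYPR's
# clustering code. deviation_threshold and noise_promote_after are assumptions.

@dataclass
class BehaviorProfile:
    max_cluster: Tuple[int, int]                   # e.g. (5, 7); its top value is the baseline
    min_cluster: Optional[Tuple[int, int]] = None  # e.g. (1, 3); may be absent (only one cluster)
    deviation_threshold: float = 3.0               # assumed: count/baseline at or above this violates
    noise_promote_after: int = 3                   # assumed: noise count seen this often re-baselines
    noise_seen: Dict[int, int] = field(default_factory=dict)  # noise count -> times observed

    @property
    def baseline(self) -> int:
        """The top number of the max cluster is the baseline."""
        return self.max_cluster[1]

    def evaluate(self, count: int) -> dict:
        """Classify one day's event count for this entity and update the profile."""
        baseline = self.baseline
        deviation = count / baseline
        if count <= baseline:
            return {"verdict": "normal", "baseline": baseline, "deviation": deviation}
        if deviation >= self.deviation_threshold:
            # Far enough above the baseline to raise a violation (notes: 29 vs 2, ~15x).
            return {"verdict": "violation", "baseline": baseline, "deviation": deviation}
        # Above the baseline but not by enough: this lands in the invalid/noise cluster.
        self.noise_seen[count] = self.noise_seen.get(count, 0) + 1
        if self.noise_seen[count] >= self.noise_promote_after:
            # The same count keeps recurring: widen the max cluster so the baseline rises.
            self.max_cluster = (self.max_cluster[0], count)
            del self.noise_seen[count]
            return {"verdict": "rebaselined", "baseline": count, "deviation": deviation}
        return {"verdict": "noise", "baseline": baseline, "deviation": deviation}
```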

You can click Violation Events to view the individual events associated with the
violation as a Spotter search. You can drill down or edit the query.

Click Other Policies to view additional policies violated by this entity. You can take
action on any of these policies from this screen.

SNYPR includes the option to apply security orchestration and response to policy
violations through actionable playbooks that are enabled within policies. Playbooks
combine automated tasks such as gathering context on the violation and creating
support tickets with the manual tasks the analyst must complete when a violation
occurs. Automated response reduces the time spent performing simple, repetitive
tasks by automating incident triage activities and launching threat management
functionality automatically.

With its Automated Response integrations, SNYPR can:

• Launch playbooks in response to different types of threats detected by SNYPR.
• Launch queries or actions on endpoints from the SNYPR console in response to a threat.
• Import critical UEBA alerts in CEF format from SNYPR as incidents along
with alerts from different security monitoring systems, and aggregate
security alerts by user account into a Security Incident.
• Check the reputation of IPs, domains, URLs, and files.
• Verify if the email sender IP or domain is on a spam list.
• Get WhoIs and DNS data, and check the validity of Certificates.
• Launch a network vulnerability scan.
For policies that have playbooks enabled, you will see the Playbook button appear
when you hover beside the violator name.

Click the button to launch the playbooks.

Select a playbook from the dropdown and click the play icon to launch the selected
playbook.
When you have successfully run the playbook, you will see Finished appear in green.
The date and time the playbook was launched appears in red.

On the right, you will see the log of tasks run for the selected playbook. Click Show
output to see the results of the playbook tasks.
SNYPR 6.3.1 includes new content, use cases, and threat models aligned to MITRE
ATT&CK tactics and techniques to provide behavioral models and threat chains to
prioritize the risks.
SNYPR includes the following updates to support the MITRE ATT&CK framework:
• SNYPR content is aligned to MITRE ATT&CK techniques, including use cases,
dashboards, and threat models.
• Threat hunting reports are aligned with MITRE ATT&CK techniques.
• OOTB Threat Models are mapped to the MITRE ATT&CK taxonomy.
• Threat IOCs are mapped to MITRE ATT&CK techniques.
In SNYPR, out-of-box threat indicators are aligned with MITRE ATT&CK tactics,
techniques, and attack groups, as seen below:

1: Displays the tactic, techniques, and attack group associated with the threat indicator.
2: Displays more information about the threat.
You can select any technique to view the technique and attacker information.

Note: This feature is an add-on to the SNYPR platform.

Through a single console, Securonix SOAR provides SOC and IR teams with an end-to-end
threat detection, investigation, and response solution by:
• Prioritizing threats with entity context
• Automating responses with pre-built and customizable playbooks
• Replicating security analyst actions using the Response Bot machine learning to
recommend and automate incident response actions
• Meeting compliance needs by enabling data privacy features