EDRC Graphs and Patterns

Article ID: 179231

Products

Endpoint Detection and Response Cloud

Resolution

About EDRC graphs

Endpoint Detection and Response Cloud (EDRC) not only collects information on individual artifacts like files or registry keys, it also examines relationships between artifacts. This is actually one of the great strengths in the way EDRC scans the enterprise. Attacks, compromises, and suspicious activity will usually affect more than one object on a system. During a scan, EDRC associates artifacts that are forensically related. Multiple artifacts that are related are linked internally into a graph that you can query. You can leverage this functionality to create search patterns that are more robust and capable.

Joins

Using the Sprout Query Language, you ask for related artifacts by using a Join. Joins allow you to associate multiple artifact types together into a single search query. The Sprout query language is described in the EDRC User Guide. Joins take the form: <Artifact type>,<Artifact type> where artifact type is one of the basic artifacts as described in The Basic Graph Relationships.

The Basic Graph Relationships

The graphic depicts a schematic view of how EDRC associates artifacts. Internally, these are represented as a graph database of nodes and edges (a.k.a., links).

Example and Common Joins

  • Registry key and file
    If a registry key refers to a file on disk, then these two artifacts are combined into a pattern. To query for registry keys and their related files, use: RegKey,File
  • Process and network connection
    All network connections must belong to a process. EDRC associates these together. To query this relationship use: Process,Network
  • User and process
    User accounts are associated with running processes. This relationship is queried with: User,Process
  • Endpoints are associated with everything
    You can find the endpoint where an artifact exists. For example, the endpoint a particular process is running on: Endpoint,Process
  • Endpoint Join Everything
    A good strategy is to include Endpoint at the beginning of every query, so that endpoint data is always reported. The form is: Endpoint,<any other entity type>
  • Process,Module,File
    Processes usually have many DLLs loaded, and most loaded DLLs are associated with a file on disk. This triplet is very common. To query it use: Process,Module,File

Search Patterns

The power of EDRC is the ability to search the collected data. When joins are involved, you can search not only individual items, but also patterns of artifacts that occur together. This is extremely powerful because attacks, compromises, and suspicious behaviors usually affect more than one artifact at a time. For example, a malware program may have a file on disk, a process in memory, and a network connection to the Internet. Because Outlier associates all of these things, you can now create a search pattern that includes all of these aspects.
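As an added illustration (not EDRC's own code and not the Sprout query engine), the following Python models the joins described above: artifacts are graph nodes, the forensic relationships found during a scan are edges, and a join such as Process,Module,File is resolved by walking one edge per consecutive pair of artifact types. All node ids, attributes and edges are constructed sample data.

```python
# Toy model of join-based pattern search over an artifact graph.
# Constructed illustration only; not EDRC's Sprout language or reasoning engine.

# Constructed sample nodes: (artifact type, id) -> attributes
NODES = {
    ("Endpoint", "ep1"): {"host": "WS-01"},
    ("Process", "p1"): {"name": "svchost.exe", "pid": 1234},
    ("Process", "p2"): {"name": "updater.exe", "pid": 4321},
    ("Module", "m1"): {"name": "wininet.dll"},
    ("File", "f1"): {"path": r"C:\Windows\System32\wininet.dll"},
    ("File", "f2"): {"path": r"C:\Users\Public\updater.exe"},
    ("Network", "n1"): {"remote": "203.0.113.7:443"},
    ("User", "u1"): {"name": "alice"},
}

# Constructed undirected edges: the relationships a scan would have linked.
EDGES = {
    (("Endpoint", "ep1"), ("Process", "p1")),
    (("Endpoint", "ep1"), ("Process", "p2")),
    (("Process", "p1"), ("Module", "m1")),
    (("Module", "m1"), ("File", "f1")),
    (("Process", "p2"), ("File", "f2")),
    (("Process", "p2"), ("Network", "n1")),
    (("User", "u1"), ("Process", "p2")),
}


def neighbours(node, wanted_type):
    """Nodes of `wanted_type` linked to `node`, in either direction."""
    out = []
    for a, b in EDGES:
        if a == node and b[0] == wanted_type:
            out.append(b)
        elif b == node and a[0] == wanted_type:
            out.append(a)
    return sorted(out)


def join(pattern):
    """Resolve a join such as 'Endpoint,Process,Network' to tuples of node ids.

    Each consecutive pair of artifact types must be linked by an edge, so the
    result is every chain through the graph that matches the whole pattern.
    """
    types = [t.strip() for t in pattern.split(",")]
    chains = [[n] for n in NODES if n[0] == types[0]]
    for t in types[1:]:
        chains = [c + [nb] for c in chains for nb in neighbours(c[-1], t)]
    return [tuple(n[1] for n in c) for c in chains]


if __name__ == "__main__":
    # File on disk + process in memory + network connection, the pattern above.
    print(join("File,Process,Network"))      # [('f2', 'p2', 'n1')]
    print(join("Process,Module,File"))       # [('p1', 'm1', 'f1')]
```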

  • Automatic Pattern Recognition
    When you run a scan, patterns are assembled automatically for you by the EDRC Reasoning Engine and listed under the Results tab. To help you locate patterns of interest, each is given a score and may carry a label indicating what category of pattern it is. For instance, an automatically generated pattern may associate an endpoint with a prefetch entry and a file on disk.
  • Manual Investigation
    The automatically generated patterns are valuable, but the more advanced user will often want to search for relationships manually. For example, you may want to use timestamps to create a timeline of activity and then selectively associate these into a pattern. Even if EDRC doesn't automatically join two artifacts together, you can discover relationships in this manner. This is done using the Investigate tab.
