15. Security Investigator
Dynatrace Security Investigator is designed for threat hunting, incident solving, and root cause analysis.
When conducting a security investigation, you want to uncover the presence of attackers and their tactics, techniques, and procedures, which may be present in your environment but are not easily discovered by existing technology. This myriad of unknown exposures generally requires dedicated threat-hunting practices to uncover.
However, tracking your steps during a threat hunt can be difficult as you branch and search through your environment, noting detected vulnerabilities and navigating up and down through paths of data as you perform an analysis. It is not a linear, straightforward process, and you can lose track of it while you hunt.
To solve this problem, Dynatrace created the Security Investigator to provide a new way to investigate. Time to create a new case!
Let’s start by entering a query as a beginning to our investigation. We want to look at the Kubernetes cluster logs by adding this as a filter. To explore the results, add a summary to see what kind of logs are available. Then narrow down to see only the audit logs and the audit related events.
Open any record from the list to view the details, all in one screen. Inspect an entry from here to see more about the entity as it exists in Grail.
As in other apps and lists, you can extract fields from here and use DPL Architect to narrow the data down to only the fields you need.
As we’ve been making these changes, the Query tree has been tracking our changes. The entire history is accessible. Click on a node to execute the query from that moment.
Looking at these audit events, let’s focus on some important fields, summarize by IP address, and look only at the events that were unauthorized (401) or lacked privileges (403).
Then sort, and we see that there is some suspicious activity!
This is when to start using the Evidence section for tracking discoveries. Use it to record indicators of compromise (IOCs), which can be anything: strings, tokens, trace IDs. It also tracks which IPs you have determined to be either Suspicious or Safe. You can also create custom collections to help organize your investigation.
For example, this external IP has tried to access secrets, so we will add it to our list of suspicious IPs. This internal IP keeps trying to access pods, so let’s add it as new evidence of a potentially compromised pod. Then we have a note to investigate what the purpose of this pod is in our environment.
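The analysis just described (filter the Kubernetes audit events to 401/403 responses, summarize by source IP, sort, then turn the top entries into evidence) can be reproduced outside the app. The following is an added example in Python, not Dynatrace code and not DQL: it runs over a constructed set of Kubernetes audit events in the upstream JSON `kind: Event` format, and the RFC 1918 ranges it treats as cluster-internal, the `SAMPLE_AUDIT_LOG` contents, and the threshold of three denied requests are all assumptions chosen for the illustration.

```python
import ipaddress
import json
from collections import Counter, defaultdict

# Constructed sample Kubernetes audit events (JSON lines). Not real data:
# an external address probing secrets, a workload address repeatedly
# denied on pods, and ordinary allowed traffic.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","verb":"get","user":{"username":"system:anonymous"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"secrets","namespace":"prod"},"responseStatus":{"code":403}}
{"kind":"Event","verb":"list","user":{"username":"system:anonymous"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":401}}
{"kind":"Event","verb":"get","user":{"username":"system:serviceaccount:prod:web"},"sourceIPs":["10.0.3.14"],"objectRef":{"resource":"pods","namespace":"prod"},"responseStatus":{"code":403}}
{"kind":"Event","verb":"list","user":{"username":"system:serviceaccount:prod:web"},"sourceIPs":["10.0.3.14"],"objectRef":{"resource":"pods","namespace":"prod"},"responseStatus":{"code":403}}
{"kind":"Event","verb":"get","user":{"username":"system:serviceaccount:prod:web"},"sourceIPs":["10.0.3.14"],"objectRef":{"resource":"pods","namespace":"prod"},"responseStatus":{"code":403}}
{"kind":"Event","verb":"get","user":{"username":"admin"},"sourceIPs":["10.0.1.2"],"objectRef":{"resource":"deployments","namespace":"prod"},"responseStatus":{"code":200}}
{"kind":"Event","verb":"watch","user":{"username":"system:kube-scheduler"},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods"},"responseStatus":{"code":200}}
"""

# 401 = unauthenticated, 403 = authenticated but not permitted.
DENIED_CODES = {401, 403}

# Assumption: these ranges are cluster-internal; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_audit_events(text):
    """Parse JSON-lines audit output, skipping blank or malformed lines."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            evt = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole hunt
        if evt.get("kind") == "Event":
            events.append(evt)
    return events


def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # "unknown" or garbage is not treated as external
    return not any(addr in net for net in INTERNAL_NETS)


def summarize_denied_by_ip(events):
    """Keep only 401/403 events, count them per source IP, note which
    resources each IP was denied on, and sort by count descending."""
    counts = Counter()
    resources = defaultdict(set)
    for evt in events:
        code = (evt.get("responseStatus") or {}).get("code")
        if code not in DENIED_CODES:
            continue
        ips = evt.get("sourceIPs") or []
        ip = ips[0] if ips else "unknown"  # first hop is the original client
        counts[ip] += 1
        res = (evt.get("objectRef") or {}).get("resource")
        if res:
            resources[ip].add(res)
    return [{"ip": ip, "denied": n, "resources": sorted(resources[ip]),
             "external": is_external(ip)}
            for ip, n in counts.most_common()]


def build_evidence(rows, repeat_threshold=3):
    """Mirror the Evidence step: an external IP denied on secrets becomes a
    suspicious IP; an internal IP repeatedly denied on pods is recorded as a
    possibly compromised workload with a follow-up note."""
    evidence = {"suspicious_ips": [], "possibly_compromised": [], "notes": []}
    for row in rows:
        if row["external"] and "secrets" in row["resources"]:
            evidence["suspicious_ips"].append(row["ip"])
        elif (not row["external"] and "pods" in row["resources"]
              and row["denied"] >= repeat_threshold):
            evidence["possibly_compromised"].append(row["ip"])
            evidence["notes"].append(
                f"investigate the purpose of the workload at {row['ip']}")
    return evidence


if __name__ == "__main__":
    rows = summarize_denied_by_ip(parse_audit_events(SAMPLE_AUDIT_LOG))
    for row in rows:
        print(row)
    print(build_evidence(rows))
```

The summary table is the same view the investigation builds (denied count per IP, sorted), and `build_evidence` encodes the two judgements made in the walkthrough so that the reasoning behind each evidence entry is explicit and repeatable rather than living only in the analyst's head.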
When we started our investigation, we went into the audit logs, but we also have these VPC flow logs. If we now add this as a filter to explore and run the query, a new branch is automatically added to our investigation. In the query tree, open a node's options to name it for tracking, and add attributes such as color for grouping or highlighting.
As you continue throughout your investigation, Dynatrace Security Investigator will automatically track and build your query tree. This provides an easy-to-follow, single-pane view to explore and develop your hypothesis and stop threats in your environment.