Austin Dyches • 09/26/2022
Hi, my name is Austin, I'm the product manager for Cyber Triage, and welcome to the Cyber Triage 3.4 release video. We're going to go over some of the new features we've got.
We’re very excited to show it to you.
We've got the new logon user interfaces for inbound and outbound logons, we have the new artifact parsing for Windows BITS jobs, and we're very excited to bring you a new integration with Recorded Future and the Recorded Future Sandbox.
We’ll talk more about that in just a minute.
Let’s jump right in.
Alright, so for the new logon sections here we've got our normal dashboard in Cyber Triage, and we're going to come down here and you'll see this new inbound logons and outbound logons section. Examining the results in this panel is going to allow an incident responder to quickly view all logons
and help determine if any logon seems suspicious, or even, you know, has a large number of entries.
And for the first time it's actually going to give the examiner the ability to narrow down results based on key criteria.
So I’ll click on inbound logons and it’s going to bring you to this logon summary panel.
There’s not much in here yet as demo data, but you can see some populated stuff down there.
We’re going to click on logon sessions.
Again, that’s going to bring us to a grouping.
It’s already grouped by user and host, so a grouping of all logon sessions, and you can see over here you can group by user and host.
You can just group by user, just by host, or no grouping at all, and then sort by time: last 30, 60, 90, or all of them.
The status of the logon, the type of the logon, and order by time descending or time ascending.
So if you just go ahead and click on this, it'll actually automatically bring you to a full list of all the logons with that user.
And now if you click on any one of these, you'll see a lot of your standard information here.
Come down to the item details panel.
It’ll show you the logon session, the user, the host type, start time, end time, and the logon type.
If you need to know what sources this came from, you can come over here to the sources tab and it's going to tell you where we got this information from.
So source one was the Windows event log, with the event log ID, and then source two and its event log ID.
And the same is true for outgoing logons.
So we don’t actually have any user data for this one yet.
It’s not in our demo data.
But again it would be populated here, and your demo data, or your actual real data, will have a lot more of that incoming and outgoing, and the same principles apply here: sort by, it's already sorted by user and host, but you can sort by user and host, user, host, etcetera, and then come down
when these items are done.
So those are the new inbound logons and outbound logons panels.
So hopefully that will really allow you to hone in on a specific time during your investigation that you're interested in, based on any other artifacts you may find, so hopefully you find that very useful.
Please let us know if there's anything you'd like to see or other things we can add.
Alright, so I’m going to switch back over to a different host now.
I collected my personal computer a few days ago and I want to show you the BITS jobs parsing that I was talking about earlier.
So the BITS jobs are part of Triggered Tasks, so in your navigation panel over here, you'll come down to Triggered Tasks.
Go to the malware section.
If you click on that, you'll have a whole list of triggered tasks, WMI, BITS jobs, and we've got a new ability to select it right here.
So if you'd like to see what kind of BITS jobs were happening on your computer, on your host, click apply.
And we'll show you there that these are some of the things that happened.
For example, here we've got a triggered task which was a transfer from Edge, from Chrome.
Some information about that there.
So in this way you can search by BITS, you can add them to everything or just look at them individually.
So that's a new artifact we now parse in 3.4.0. We hope that you find that really useful.
Alright, so the last thing we want to cover today is the new file reputation service embedded within Cyber Triage, from Recorded Future, called the Recorded Future Malware Sandbox.
So Recorded Future has recently acquired Hatching, which was a fantastic malware sandboxing tool that allowed you to submit suspicious files to their service and then receive all sorts of relevant information about that file and how it works.
So in an integration with them, we now have that capability for you within Cyber Triage.
So if we go to our bad items, for example, you click down here, see? Some stuff here.
What have we got? Performance tester EXE.
So now if you think a file may or may not be bad, you want to check it and run it through this sandbox.
You simply right click on it and you'll come down to Submit to Recorded Future Sandbox.
So this is going to allow you to get a little bit more of an understanding of the threat you’re facing or not facing and immediately kind of get a jump on mitigating that malware in your networks if that’s the case.
So for our purposes here, we’ll go ahead and submit, click on submit and we’ll bring up a dialog box.
And this is going to show you that you’re about to upload this file to the recorded future sandbox.
Now, Cyber Triage has its own enclave within the Recorded Future sandbox.
So this is not going to the public repositories, this is going within the Cyber Triage enclave.
So your data is not available to outside third parties.
We want to give you this privacy scope just in case.
So it will not be made publicly available, but the analysis results, IP addresses, etcetera, will be anonymously integrated into Recorded Future for their threat intelligence feed.
So that’s what we’ve got and if you’d like to, if that’s OK with you, say yes.
And then to view that data, what you’re going to do is come back to your dashboard.
In the status widget here, online file reputation, you can click on details.
And it's going to bring up our file reputation service status.
So we have a new tab over here called the Recorded Future Sandbox results, and it looks like it's already returned; normally it takes about 2 to 3 minutes.
It may be cached in some way on my computer, but normally about 2 to 3 minutes for each file we've sent up so far.
And you click on that and it's going to give you kind of a, hey, this either was or was not malware as we recorded it.
And that's Recorded Future that gave us those results.
So you don't have to go out to an external program to do that.
You can just do it right here and it'll give you a lot of that malware data.
OK, so I’m going to interrupt the video for just a minute.
I wanted to take a moment to show everyone what a report result would look like for something that actually came back as malware.
So even on my personal computer, I’m lucky enough to have it for the demo purposes.
I want to make sure everyone’s able to see it.
So if you have something that is actually bad or has more information to it, you'll get the summary, the analysis, the signatures, and the processes it created.
So that's all available again within Cyber Triage, and that's what it would look like if you actually found something that's closely related or was actual malware.
So just a quick highlight there.
Alright, we hope that's a really useful feature for you, and that's going to do it for the Recorded Future integration.
Again, if you have comments on that, things you'd like to see, things you'd like to add, please reach out to us at firstname.lastname@example.org.
And that'll do it for Cyber Triage 3.4.
We hope you really enjoy it.
If you have any questions or comments, please feel free to drop us a line at email@example.com.
You can get your free eval copy at www.cybertriage.com.
And as always, please like and subscribe if this was helpful to you and you'd like to get regular updates on Cyber Triage.
We really appreciate it.
Thanks so much.