The left pane has a ranking of users and hosts based on a risk score made up of which policies, sensors, and alarms were triggered. This gives the operator easy visibility into which hosts or users are more consistently “misbehaving”.
In the next pane is a running list of sensors ranked by risk score. I like this because it’s adjustable based on the severity you’re interested in, and it updates automatically, so you can watch the sensors roll in. This isn’t necessarily useful in day-to-day activity, but I know personally during active incidents I’ve set up rules to catch certain TTPs, and running queries so that the SOC can immediately see if a rule has been violated. With Reveal, this functionality is built right into the landing page. An operator just needs to make sure that the policy of interest triggers a sensor, but more on policies later.
The third pane of the landing page brings me around to one of my favorite Reveal V5 features: cases. In the right-most pane, a Reveal operator can see the latest open, ongoing cases. This isn’t a mind-blowing feature, but it does make it really convenient to jump back into something you were working on or to collaborate with your team. That said, let me elaborate on “cases” in Reveal.
Reveal operators now have the ability to create “cases”. Cases are essentially a collection of events, notes, and images related to some notable security event. The obvious workflow would be to create a case for an alarm raised by the Reveal machine learning. An operator could create a case, add the relevant events collected by a Reveal agent, and attach screenshots, images, notes, and links to the case as necessary. Even better, cases are collaborative, so teams can work together. One scenario that particularly lends itself to the use of cases is an active incident. Sometimes when responding to an incident you have to compile a variety of events (file system, network, execution) that occur across many hosts in your environment. With the advent of cases in Reveal, it’s easy to do this and keep track of what matters to you.