This picture illustrates how a network security administrator can move forward in time to assess the spread potential of the threat reported through the IoC event, along with possible changes in the behavior of user SS, who caused the IoC event. For example, after user SS starts communicating with the Redmine server, user N also starts communicating with Redmine, which in turn communicates with Git. Likewise, it is possible to go back in time and observe the behavior of user SS before the IoC event, which may give some insight into what originated the IoC event in the first place.
Note that the graph only provides a snapshot of the network within a window of some period of time. For additional value, scores that describe the importance of the network assets influence the appearance of the graph.


Specific use cases for Threat Graph's temporal analytics

  1. Identify behavioral changes after an IoC threat detection. The network security administrator can easily identify a device that has changed its behavior after the IoC event, for example by communicating with servers it has not accessed before.
  2. Find the potential origin of the IoC threat detection. The network administrator can identify the events that could have produced the IoC hit. This is intended mostly for the case where the IoC results in Threat Defender blocking the IP's traffic.
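To make the two use cases and the forward/backward walk described above concrete, here is an added illustration (not Threat Graph's or Threat Defender's own code) that runs the same analysis over a small set of constructed flow records: which destinations the IoC host contacts after the event that it did not contact before, which hosts become exposed through time-ordered contact with it, and which flows preceded the event. The host names, timestamps and time window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample flow records (src, dst, ISO timestamp); not data from the page.
FLOWS = [
    ("SS", "Fileserver", "2024-01-10T08:00:00"),
    ("SS", "Mail",       "2024-01-10T08:05:00"),
    ("SS", "Redmine",    "2024-01-10T09:30:00"),   # first contact after the IoC event
    ("N",  "Redmine",    "2024-01-10T09:40:00"),
    ("Redmine", "Git",   "2024-01-10T09:41:00"),
    ("SS", "Fileserver", "2024-01-10T10:00:00"),
]
IOC_EVENT = ("SS", "2024-01-10T09:00:00")   # assumed host and time of the IoC hit

def _parse(flows):
    return [(s, d, datetime.fromisoformat(t)) for s, d, t in flows]

def new_destinations(flows, host, ioc_time, window):
    """Use case 1: destinations `host` contacts within `window` after the IoC
    event that it did not contact in the same-length window before it."""
    t0 = datetime.fromisoformat(ioc_time)
    before = {d for s, d, t in _parse(flows) if s == host and t0 - window <= t < t0}
    after = {d for s, d, t in _parse(flows) if s == host and t0 <= t < t0 + window}
    return sorted(after - before)

def exposure_chain(flows, host, ioc_time, window):
    """Forward in time: hosts that exchange traffic with an already-exposed host
    after that host became exposed. Flows are treated as undirected so that a
    host contacting a compromised server counts as exposed. Returns hosts in
    the order they first became exposed, excluding the IoC host itself."""
    t0 = datetime.fromisoformat(ioc_time)
    edges = sorted((t, s, d) for s, d, t in _parse(flows) if t0 <= t < t0 + window)
    exposed = {host: t0}
    for t, s, d in edges:
        for a, b in ((s, d), (d, s)):
            if a in exposed and b not in exposed:
                exposed[b] = t
    return [h for h in sorted(exposed, key=lambda h: (exposed[h], h)) if h != host]

def preceding_events(flows, host, ioc_time, window):
    """Use case 2: flows involving `host` in the window before the IoC event."""
    t0 = datetime.fromisoformat(ioc_time)
    return [(s, d, t.isoformat()) for s, d, t in _parse(flows)
            if host in (s, d) and t0 - window <= t < t0]

if __name__ == "__main__":
    host, when = IOC_EVENT
    w = timedelta(hours=2)
    print("new destinations:", new_destinations(FLOWS, host, when, w))
    print("exposure chain:", exposure_chain(FLOWS, host, when, w))
    print("preceding events:", preceding_events(FLOWS, host, when, w))
```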