1.4. Scores and Labels

Cyber Triage uses scores and labels to allow you to report on your findings. The basic difference between the two is:

  • Score represents how likely the item is to be related to a security incident (bad, suspicious, etc.).

  • Label represents WHY it’s relevant. Most labeled items also have a score.

1.4.1. Scores

Scoring is a core part of how Cyber Triage makes you more efficient. Scores come from two basic approaches:

  • Automated analysis pipelines that start when data is ingested.

  • Manual scoring applied by the examiner. These scores overrule any automated analysis scores.

The scoring algorithms are dynamic: the score of an item can change as it and other items move through the pipelines.

1.4.1.1. Score Levels

The following scores can be assigned:

  • Bad: The associated item is very likely to be associated with an attack. The approaches used to assign this score have low false positive rates. Examples include multiple malware scanners, bad lists, and threat intelligence from past incidents.

  • Suspicious: The associated item has characteristics that make it anomalous or similar to what is seen during an attack. But, it could also be normal behavior and the examiner should make the final decision. Examples include logon behavior or usage of programs.

  • Good: The item was part of a “Good List” or manually identified as good. This score is for items that are OK and not associated with an attack.

  • Unknown: The item’s relevance is unknown. All items start as ‘Unknown’. You can downgrade a Bad or Suspicious item to Unknown if the original score was a false positive.

Your initial responsibility is to confirm the Bad items and decide on the Suspicious items. You can also review the other unknown items and score them.

1.4.1.2. How To Manually Score an Item

In various parts of Cyber Triage, you’ll be able to change the score of an item after you’ve selected it in a table.

[Figure: Change Score]

  • Bad: Use this score if you know the item is related to an incident and want it to be reported on.

  • Suspicious: Use this score if you want to make sure you review it again in the future. This can be used as a bookmark for your workflow.

  • Unknown: Use this if the current Bad or Suspicious score is not correct and you want to “undo” them, but not declare that the item is Good. This item could go back to bad or suspicious in the future from automated pipelines.

  • Good: Use this score if Cyber Triage® marked an item as Bad or Suspicious and you want to make sure it is treated as Good no matter what. No automated analysis pipeline will override this.

After you change a score, you may also want to consider using the:

  • Add Comment button to store free-form text about the item. This will get included in the final report and be visible to future investigations that come across the same item.

  • Add Label button to apply a label (tag) to the item. You can use labels however you want, but the intended way is to describe why the item is relevant or how you want to organize reports. See Labels for more details on label management.

1.4.1.3. Score Propagation To Other Instances

When you change an item’s score, Cyber Triage will recommend additional items:

  • Other Instances on the Same Incident: If you change the score of an item to Bad, Suspicious, or Unknown, and it occurred other times in the incident (same host or other hosts), those will be recommended. For example, if you change the score of a process and that process ran dozens of other times, then those will be recommended. If other instances come in after you change this score, then:

    • If you changed the original score to Bad, they will be automatically scored as Bad.

    • If you changed the original score to Suspicious or Unknown, then you’ll have to change their score.

  • Future Hosts: If you scored an item as Bad, Cyber Triage will automatically apply that score to future incidents of that item as well. This behavior is applied only for Bad scores and has certain checks to not propagate “Living off the Land” processes. See Previous Incidents.

Making manual score changes will never impact the Good or Bad Lists. You will need to explicitly add items to those.
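The precedence and propagation rules above (manual overrules automated, Good is never overridden, Unknown re-opens the item to the pipelines, a manual Bad is inherited by later instances while Suspicious and Unknown only produce recommendations) can be modelled in a few lines. This is an added illustration of the documented behaviour, not Cyber Triage code; the item `key` (what makes two instances “the same item”) and the `Incident` class are assumptions for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Score(IntEnum):
    UNKNOWN = 0
    GOOD = 1
    SUSPICIOUS = 2
    BAD = 3

@dataclass
class Item:
    key: str                            # assumed identity of "the same item" across instances
    host: str
    automated: Score = Score.UNKNOWN    # latest automated pipeline result
    manual: Optional[Score] = None      # examiner decision; overrules the pipeline when set

    @property
    def score(self) -> Score:
        return self.manual if self.manual is not None else self.automated

class Incident:
    def __init__(self) -> None:
        self.items: list[Item] = []
        self.manual_bad: set[str] = set()   # keys the examiner scored Bad

    def ingest(self, item: Item) -> Item:
        # A later instance of an item the examiner already scored Bad is scored Bad automatically.
        if item.key in self.manual_bad:
            item.manual = Score.BAD
        self.items.append(item)
        return item

    def pipeline_update(self, item: Item, proposed: Score) -> Score:
        # Automated scores are dynamic, but any standing manual decision wins.
        # After a manual "Unknown" reset, manual is None, so the pipeline may raise the item again.
        item.automated = proposed
        return item.score

    def set_score(self, item: Item, score: Score) -> list[Item]:
        """Apply an examiner score and return other instances of the same item to recommend."""
        if score == Score.UNKNOWN:
            item.manual, item.automated = None, Score.UNKNOWN   # undo, without declaring it Good
        else:
            item.manual = score
        if score == Score.BAD:
            self.manual_bad.add(item.key)
        else:
            self.manual_bad.discard(item.key)   # assumption: a later non-Bad decision stops propagation
        if score == Score.GOOD:
            return []   # recommendations are made for Bad, Suspicious and Unknown changes only
        return [i for i in self.items if i.key == item.key and i is not item]
```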

1.4.2. Labels

1.4.2.1. Basic Concepts

While scores are the primary way in Cyber Triage to identify which items are relevant to an incident, you can also use labels as a way to organize the results. The common ways of using labels are to:

  • Describe why a bad item is relevant. For example, labels of “Lateral Movement” or “Initial Access”.

  • Group related bad items. For example, if a previous incident was detected while analyzing a host, you could use a “2022 Incident” label to group the previous incident.

  • Track settings or items that are not related to the incident, but you want to keep track of to make future recommendations. For example, if you notice an OS setting that is incorrect, but it wasn’t involved in the incident, you could create a label to follow up on it. In this case, it is not appropriate to mark it as bad or suspicious since it wasn’t involved in the incident.

1.4.2.2. Adding a Label

Before you can add a label to an item, you must define the label name. To do so, go to the Options panel and choose the “Reporting” / “Custom Labels” tab. Pick “New Label”.

[Figure: New Label]

To add a label to an item, right click on it and choose “Add Label”.

[Figure: Add Label]

1.4.2.3. Viewing Labels

You can see the effect of adding a label in several places:

  • The label names are added as a column in the Review Notable Items table.

    [Figure: Label column]

  • In the “Examine All Items” section, you can go to the “Labeled Items” view, found at the bottom of the left-hand navigation.

    [Figure: Labeled Items view]

  • The labels are shown in the Excel report.

  • The labeled items are shown in the “Notable Items” incident-level UI.

1.4.2.4. Removing a Label

You can remove a label from an item by right clicking on it and choosing “Remove Label”.

You can remove the label name from the system by going back to the Options panel. When it is removed from the Options panel, existing cases that use that label will continue to have it applied.

1.4.3. Scoring Keyboard Shortcuts

If you would rather not use the mouse and prefer keyboard shortcuts, you can also apply scores as follows:

Keyboard Shortcuts

  Keys        Meaning
  ---------   -----------
  SHIFT + B   Bad
  SHIFT + S   Suspicious
  SHIFT + G   Good
  SHIFT + U   Unknown
  SHIFT + C   Add Comment
  CTRL + Z    Undo