Investigation tools
The Pivot function
10 minutes
What is the pivot function?
The pivot function lets you access other data linked to an analyzed object (hashes, binary, process...).
Starting from a piece of information linked to a process (process name, full path, hash), the pivot function highlights identical information across your entire fleet.
For example, you can visualize the processes through the process tree of a security event!
What is the pivot function?
Click on an unsigned process
This is the process tree view
It allows you, from one hash, to find all the binaries with the same hash among your collected data (executed binaries,
What is the pivot function?
Click on a blue artefact to get more details
Summary view of a Security Event
This function is very convenient: you can quickly and simply display every endpoint on which malicious code has been spotted.
Available on many pages, the pivot function can be identified by blue artefacts. When you click on one of them, a new window opens with several tabs.
Binary
Click on the information button
This tab shows the already known binaries associated with the artefact. Clicking the information button displays more details. You can also download the targeted binary.
Security Events
Through this tab, you can visualize security events linked to an artefact.
Processes
Here you will find all the executed processes linked to the artefact. They can be listed by status and integrity level for better visibility.
Drivers
Here are all the drivers linked to the artefact.
Telemetry Processes
Click on the information button
Through this tab, you can review all telemetry events linked to an artefact. Clicking on the information button gives you access to the process tree linked to the event.
Persistence, Yara and IOC
The last three tabs, Persistence, IOC and Yara, are useful once an investigation job has previously been launched and its results are available.
- Persistence shows you the persistence information linked to your artefact (for example, the registry keys associated with it).
- IOC and Yara show the positive results from searching for specific markers linked to the artefact across your fleet.
To sum up
Therefore, the pivot function allows you to:
- get an overview while investigating a suspicious artefact,
- pivot on other suspicious artefacts to extend your analysis.
From each tab, you can pivot on new data to identify all the information linked to that new artefact.
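As an added illustration that is not part of the training module or HarfangLab's own code, the following Python script models the pivot on a small set of constructed endpoint records: it matches an artefact by hash, full path or name, groups the hits by the tab they would appear under, lists the affected hosts, breaks the Processes tab down by status and integrity level, and exposes the new artefacts you could pivot on next. Field names, hosts and hash values are invented for the example.

```python
from collections import defaultdict

# Constructed sample of collected endpoint data (not real HarfangLab data):
# one record per observed object, tagged with the tab it would be shown under.
RECORDS = [
    {"host": "WS-01", "kind": "process", "name": "updater.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "sha256": "aaaa1111", "status": "running", "integrity": "medium"},
    {"host": "WS-01", "kind": "security_event", "name": "updater.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "sha256": "aaaa1111", "status": None, "integrity": None},
    {"host": "WS-02", "kind": "process", "name": "svchost.exe",
     "path": r"C:\ProgramData\svchost.exe",   # masquerading copy, same hash
     "sha256": "aaaa1111", "status": "terminated", "integrity": "high"},
    {"host": "WS-03", "kind": "process", "name": "svchost.exe",
     "path": r"C:\Windows\System32\svchost.exe",  # legitimate binary
     "sha256": "bbbb2222", "status": "running", "integrity": "system"},
    {"host": "SRV-01", "kind": "driver", "name": "bad.sys",
     "path": r"C:\Windows\System32\drivers\bad.sys",
     "sha256": "aaaa1111", "status": None, "integrity": None},
]

# The kinds of information the page says you can pivot from.
PIVOT_FIELDS = ("sha256", "path", "name")

def pivot(records, artefact):
    """All records where the artefact appears as hash, full path or name,
    grouped by the tab (process, driver, security_event, ...) they belong to."""
    grouped = defaultdict(list)
    for rec in records:
        if any(rec[f] == artefact for f in PIVOT_FIELDS):
            grouped[rec["kind"]].append(rec)
    return dict(grouped)

def impacted_hosts(records, artefact):
    """Distinct endpoints on which the artefact was seen, whatever the tab."""
    hits = pivot(records, artefact).values()
    return sorted({rec["host"] for recs in hits for rec in recs})

def processes_by_status_and_integrity(records, artefact):
    """Processes tab view: count matching processes per (status, integrity)."""
    counts = defaultdict(int)
    for rec in pivot(records, artefact).get("process", []):
        counts[(rec["status"], rec["integrity"])] += 1
    return dict(counts)

def new_pivots(records, artefact):
    """Artefacts revealed by the hits that can be pivoted on in the next hop."""
    found = set()
    for recs in pivot(records, artefact).values():
        for rec in recs:
            found.update((f, rec[f]) for f in PIVOT_FIELDS if rec[f] != artefact)
    return found
```

Pivoting on the name `svchost.exe` returns both the legitimate and the masquerading copy, and the hash exposed by the second one then reveals every other host where that binary was seen.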
Investigation data
The pivot function
Congratulations!
Detection - Investigation tools
HarfangLab Training
Created on August 23, 2023