Quick Start: Analysts
Each user's function working with Stellar Cyber can vary. In many deployments, the administrator will have a different perspective than an analyst. After reviewing the main Getting Started topic, this sequence may be helpful as a starting path:
- Stellar Cyber's default home page is the XDR Kill Chain. Familiarize yourself with the concepts of alerts, cases, and the kill chain from this screen.
- Then select a case and drill down with context to a case detail screen. Familiarize yourself with the tabs and menu options on screen and interact with the case graph.
- From the tabs above the case graph, select the Alerts tab to show which alerts contributed to that case. Select one of the alerts and click the More Info button to open the Event Details for that alert. This, in addition to the Home Page, is a great tool to see all the relationships of objects in the Stellar Cyber interface. From here, you can see Open XDR Kill Chain information and fields that contribute to the machine learning process, alert descriptions, and scoring. You can take actions from this pane, such as filtering and tagging. And, depending on the source of the data, you can perform external actions such as blocking on a firewall. Lastly, you can view Stellar Cyber Interflow records from this pane.
- Separately, navigate to Investigate | Threat Hunting. Change the filter parameters, particularly the Index menu, to understand the relationship of the different data control tools on this screen. Selecting the correct index for your query is key to using Stellar Cyber effectively. In particular, note the difference between alert data, traffic data, and syslogs. For example, data you ingest from sensor parsers, rather than connectors, is likely associated with the Syslog or Traffic index. Take a moment to compare what you see when you change the Index menu against the two index reference topics: Machine Learning Alert Types by Index and Index Definitions & Details.
- Spend a bit of time in the Visualize menu to understand how Stellar Cyber dashboards play a role in the user interface and reports.
- Explore the automated threat hunting actions from the Respond | Automation menu. You can configure automated playbooks to trigger when certain data and conditions are observed and to perform one of several possible actions upon being triggered.
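To make the playbook concept from the last step concrete, here is an added example of a minimal condition-matching engine: a playbook is a list of conditions over alert fields plus an action name, and it fires on every record where all conditions hold. This is illustrative code written for this page, not Stellar Cyber's own playbook format or API; the field names (`alert_type`, `severity`, `src_ip`), the operator set, the action names, and the sample alert records are all constructed assumptions.

```python
"""Added example (not Stellar Cyber's playbook format): a minimal
condition-matching engine illustrating how an automation playbook
evaluates alert records and decides which action to perform.
All field names, operators and action labels below are assumptions."""
from dataclasses import dataclass
from typing import Any, Callable

# Constructed sample alert records with illustrative field names (not a real schema).
SAMPLE_ALERTS = [
    {"alert_type": "External Port Scan", "severity": 85, "src_ip": "203.0.113.7"},
    {"alert_type": "Login Failure", "severity": 30, "src_ip": "10.0.0.5"},
    {"alert_type": "Malware Beacon", "severity": 95, "src_ip": "198.51.100.9"},
]

# Supported comparison operators (assumed set for this example).
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda actual, expected: actual == expected,
    "gte": lambda actual, expected: actual >= expected,
    "in": lambda actual, expected: actual in expected,
}


@dataclass
class Condition:
    """One test on a single alert field, e.g. severity >= 80."""
    field_name: str
    op: str
    value: Any

    def matches(self, record: dict) -> bool:
        # A record missing the field never matches; this avoids firing
        # actions on incomplete data.
        if self.field_name not in record:
            return False
        return OPERATORS[self.op](record[self.field_name], self.value)


@dataclass
class Playbook:
    """All conditions must hold for the playbook to trigger."""
    name: str
    conditions: list[Condition]
    action: str  # e.g. "notify" or "tag" (assumed action labels)

    def triggers_on(self, record: dict) -> bool:
        return all(c.matches(record) for c in self.conditions)


def run_playbooks(playbooks: list[Playbook], records: list[dict]) -> list[tuple[str, str, str]]:
    """Evaluate every playbook against every record.

    Returns one (playbook name, action, alert_type) tuple per trigger,
    in record order, so the caller can audit exactly what fired and why.
    """
    fired = []
    for record in records:
        for playbook in playbooks:
            if playbook.triggers_on(record):
                fired.append((playbook.name, playbook.action, record["alert_type"]))
    return fired


# Two constructed playbooks: a broad severity threshold and a narrower
# two-condition rule that only applies to high-severity beacon alerts.
SAMPLE_PLAYBOOKS = [
    Playbook("High severity notify", [Condition("severity", "gte", 80)], "notify"),
    Playbook(
        "Tag beacons",
        [Condition("alert_type", "in", ["Malware Beacon"]), Condition("severity", "gte", 90)],
        "tag",
    ),
]

if __name__ == "__main__":
    for hit in run_playbooks(SAMPLE_PLAYBOOKS, SAMPLE_ALERTS):
        print(hit)
```

Running the block shows the port-scan alert triggering only the notify playbook, the low-severity login failure triggering nothing, and the beacon alert triggering both; requiring every condition to hold is what keeps a narrow playbook from firing on unrelated alerts.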