Analysis is an integral part of Trigger-it, and Trigger-it provides system, network and cyber security professionals with various tools to analyze managed endpoints and gain insights about them.
This article shows you how to perform a basic investigation using the Endpoints view.
The Analysis menu is available when you right-click any endpoint.
The Analysis menu contains the following options:
- Performance Insights: opens a Task Manager-like chart that gives you insights into CPU, memory and disk utilization on this endpoint.
- Analyze Network Traffic: displays all network traffic generated from this endpoint during the selected time range.
- View Failed Security Events: shows all failed security events pulled from the Windows Security log of this endpoint.
Working with Performance Insights
The Trigger-it agent pulls performance information from managed endpoints every 15 minutes and collects:
- CPU Utilization.
- Memory Consumption.
- Disk IOPs.
Additionally, Trigger-it collects the top 5 applications consuming each resource (CPU, memory or disk) to help you understand what is causing performance issues.
Once you load the Performance Insights screen, select the time range over which you want to conduct your analysis:
Once you select the time range, the grid displays the data:
You can see the top 5 applications using CPU, memory or disk for every data point.
Additionally, you will see the average utilization over this period along with the top 5 applications consuming the resource during this period; hovering over an entry displays it in a black, bolder font for easier reading:
Performing Detailed Network Traffic Analysis on Endpoints
Suppose that you want to investigate a performance issue on a certain PC, or understand the type of outbound/inbound network traffic for a cyber security investigation. How would you do that?
What is unique about Trigger-it is that it does not only show you the destination IP/port and total traffic; it also gives you more advanced insights about:
- The user generating the traffic.
- The process that generated the traffic, for every traffic element.
- The average latency for each process to each IP it tried to connect to, so you can understand performance issues and their implications.
This gives you superior insights not available in traditional network monitoring tools that rely on NetFlow or firewall logs.
Using Trigger-it you can perform advanced network analysis on a single endpoint or a group of endpoints to understand their network traffic behavior. To do so, right-click a single endpoint, choose Analyze Network Traffic and choose the desired time range.
You can perform more advanced reporting and analysis across multiple computers using the Network Analytics section of the menu.
The network analysis grid is displayed with all the information from the database, including:
- Source Device
- Current User
- Destination IP
- Port/Protocol
- Process that generated the traffic
- Total Traffic Sent
- Average Latency
- Time Stamp
The grid offers sophisticated grouping capabilities. For example:
Display total traffic per user per process
To do so, drag the Username field to the grouping bar:
This will group the traffic by username.
Drag the Total Traffic field to the grouping panel:
This will group the traffic per process.
To display the total traffic per process, right-click the Process field and choose Group Summary Editor:
Choose Total Traffic and Sum as the aggregation option.
Immediately, you will see the data aggregated:
To restore the layout, right-click the grouping panel and choose Clear Grouping.
From the Network Analytics view you can conduct further analysis to:
- Find PCs running the same process
- Find PCs connecting using the same protocol
- Find PCs connecting to the same destination IP
- Find file changes on this PC
- Find users' activities on this PC
- Find changes on this PC (which displays software, hardware, startup item, update and local admin changes).
This allows you to conduct sophisticated analytics from the same console and the same context, without having to use multiple products or plugins.
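As an added illustration (not Trigger-it's own code), the following Python reproduces what the grouping walkthrough (total traffic per user per process, with a Sum group summary) and the "Find PCs ..." pivots above compute, over a few constructed rows that use the grid's columns; the column names and sample values are assumptions.

```python
from collections import defaultdict

# Grid columns from the Network Analytics view; rows below are constructed samples,
# not real Trigger-it data.
COLUMNS = ("source_device", "current_user", "destination_ip", "port_protocol",
           "process", "total_traffic_sent", "average_latency_ms", "time_stamp")
SAMPLE_ROWS = [dict(zip(COLUMNS, r)) for r in [
    ("PC-01", "alice", "10.0.0.5", "443/TCP", "chrome.exe", 1200, 20, "2024-01-01T09:00"),
    ("PC-01", "alice", "10.0.0.5", "443/TCP", "chrome.exe", 800, 40, "2024-01-01T09:15"),
    ("PC-01", "alice", "10.0.0.5", "445/TCP", "explorer.exe", 300, 5, "2024-01-01T09:20"),
    ("PC-02", "bob", "10.0.0.5", "443/TCP", "outlook.exe", 500, 50, "2024-01-01T09:05"),
    ("PC-03", "bob", "203.0.113.7", "443/TCP", "chrome.exe", 2500, 120, "2024-01-01T09:30"),
]]


def group_sum(rows, group_by, value_field="total_traffic_sent"):
    """Mirror the grouping bar plus a 'Sum' group summary: group rows by the
    given fields, in order, and total value_field for each nested group."""
    totals = defaultdict(int)
    for row in rows:
        totals[tuple(row[f] for f in group_by)] += row[value_field]
    return dict(totals)


def group_avg_latency(rows, group_by=("process", "destination_ip")):
    """Average latency per process per destination IP, the view the page
    describes for spotting slow paths; averages the per-row latency samples."""
    sums, counts = defaultdict(int), defaultdict(int)
    for row in rows:
        key = tuple(row[f] for f in group_by)
        sums[key] += row["average_latency_ms"]
        counts[key] += 1
    return {k: sums[k] / counts[k] for k in sums}


def endpoints_sharing(rows, field, value):
    """The 'Find PCs ...' pivots: every source device with at least one row
    whose field (process, port_protocol or destination_ip) equals value."""
    return sorted({row["source_device"] for row in rows if row[field] == value})


if __name__ == "__main__":
    # Total traffic per user per process, as in the grouping walkthrough above.
    for (user, proc), total in sorted(group_sum(SAMPLE_ROWS, ("current_user", "process")).items()):
        print(f"{user:8} {proc:14} {total:>6} bytes")
    print("PCs running chrome.exe:", endpoints_sharing(SAMPLE_ROWS, "process", "chrome.exe"))
```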
Performing Failed Security Events Tracking
The Trigger-it agent pulls application crash events, system crash events and failed security audit events from the Windows Event Log of every managed endpoint and sends them immediately to the Data Processor, which processes them and stores them in the database.
Using the Analysis menu, you can choose to display all failed security audit events on this machine.
In order to pull failed logon and detailed failed audit events, audit logging must be activated and enabled on each endpoint using Group Policy or registry keys.