Since Tetration has visibility both inside the endpoint and the traffic flowing through the network, it gives us some amazing forensic analysis capabilities. In this post, we will review some of these powerful capabilities but this is far from all of the forensic features in Tetration.
Tetration can alarm when it sees a command it’s never seen before, privilege escalation, side channel attacks, meltdowns, etc. We can create specific alerts for certain events or broader alerts under the Forensics Config:
In the Forensics Analysis dashboard, we can start an analysis for a certain day, time, or range using the bar on the top.
We can also filter based on a selection of event types as shown below.
Let’s say we pick the privilege escalation event type and sees a specific event as shown below.
We can then click into it to see that security event in more detail.
As we moves our mouse over the timeline and selects events, Tetration will give more information on what happened, what the user did, and paint that picture in more detail:
Another example might be a failed logon event as shown below. Tetration can show how the user attempted to login through SSH and everything they did after they were able to successfully log in.
Tetration has a dashboard called the Lookout Annotations List for lists that Tetration can download and alert on. Tetration comes with a Bogon list for IPv4 already but anyone can manually add their own list of IP addresses or feeds. After they are added, Tetration will look for flows going to or from those IP addresses and alert if it sees anything.
If we use Tetration for creating and pushing whitelist policies, we should already have the traffic being blocked to these IP addresses but with Lookout, we can be alerted if the servers even attempt it regardless of whether it is blocked or not.
Tetration also has a Flow Search dashboard. Tetration can put together a conversation that happened over a link using this search.
On the flow search, we may also search for additional details such as SRTT and by clicking on a flow, we can get more detail on it:
The flow details also display a graph of the flow and we are using ACI, we can drill into the path of the flow through the ACI fabric.
By clicking on the flow path, Tetration will illustrate the path of the flow through that ACI fabric.