Stories are collections of Leads that were correlated and are likely to be a part of the same incident.
Bringing together activities from multiple data sources and displaying them in a single view greatly reduces the need to investigate isolated alerts and gives a more comprehensive understanding of an incident's context.
Stories are generated using an algorithm that identifies similar entities within different leads and organizes them using a graph database.
Roles of Leads in Stories
Before looking at how a story is born, it helps to understand the two roles that leads play in stories. A lead is either a Core lead or a Leaf lead, and its role depends on the lead's Confidence score. Learn more about Confidence levels.
Core Leads
A Core lead is any lead with a confidence of Possible or higher. The confidence levels that make a lead a Core lead are:
- Possible
- Likely
- Very Likely
Leaf (Extra) Leads
A Leaf lead (also may be called an Extra lead) is any lead with a confidence of Unlikely.
How a Story is Born
For a Story to be created, at least two leads must be correlated, and at least one of them must be a Core lead. Once a Core lead is correlated with additional leads (other Core or Leaf leads), a Story is created.
Story States
Stories have various states that are controlled by the user to record their final decision on the story's disposition (e.g. malicious or benign). As you will learn later in this page, the states of stories may change as the stories progress over time, even without user intervention.
- New - this is a Story's default state.
- WIP - this state is used while a Story is still being worked on, i.e. Work in Progress.
- Done - this state is used once a Story has been fully analyzed.
- Reopened - this state is used once a Story has been reopened after being previously in a Done state.
Tags
Tags let you classify a story by category. Tags have no effect on the story other than its display: neither the Story's score nor its state is affected in any way.
Available Tags:
- Pen-Testing
- Red Team
- Bad Practice
- Malicious
- Authorized Activity
- Irrelevant Correlations
Leads Classification
A user can classify leads in the UI (inside a story or from other pages) as Malicious or Benign. Marking a lead as benign will remove it from the story.
Story Evolution
As more signals are detected in the environment, they may create a new story or be added to an existing one. Stories can be thought of as evolving entities that change over time. They may expand, shrink, merge with other stories, or split as more information becomes available.
In addition to the detection of new signals, the ongoing work with leads (e.g. classifying them) also impacts the behavior of stories.
This flowchart demonstrates the evolution of Stories:
Story Evolution and UUID changes
A new Story with a new UUID is created when:
- A new story is created from new core leads that were never seen before
- Existing stories are merged: multiple Stories share the same core lead and are merged into one
- An existing Story is split: the core lead connecting two stories ages out (14 days) or is deleted
- Core leads change: core leads are added or deleted
Q&A
What happens when I classify a core lead in a story as benign?
If the story contained other core leads, the story will split (two separate stories will be created), each inheriting its previous leads, comments, etc.
What happens when I classify a leaf lead in a story as benign?
The lead will be removed from the story, which changes the story's score; there are no other effects.
What happens when I classify a leaf lead in a story as benign and then as malicious?
When a lead is classified as benign, it is removed from the story and the story's score changes. When the same lead is then classified as malicious, it returns to the story.
What is the story's status when two stories merge?
See the table below (rows are Story A's state, columns are Story B's state):
| | Story B: New | Story B: WIP | Story B: Done |
|---|---|---|---|
| Story A: New | New | WIP | New |
| Story A: WIP | WIP | WIP | WIP |
| Story A: Done | New | WIP | Reopened |
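The state table above, together with the rule that a merge produces a new Story with a new UUID that inherits the leads and comments of both stories, as an added Python example (not the product's own code). The Story record and its fields are assumptions for illustration; the table only defines New, WIP and Done, so other states are rejected rather than guessed.

```python
import uuid
from dataclasses import dataclass, field

# Resulting state when Story A (first key) merges with Story B (second key),
# copied from the table: WIP wins over everything, Done + Done reopens the
# story, and a Done story merged with a New one goes back to New.
MERGE_STATE = {
    ("New", "New"): "New",
    ("New", "WIP"): "WIP",
    ("New", "Done"): "New",
    ("WIP", "New"): "WIP",
    ("WIP", "WIP"): "WIP",
    ("WIP", "Done"): "WIP",
    ("Done", "New"): "New",
    ("Done", "WIP"): "WIP",
    ("Done", "Done"): "Reopened",
}


@dataclass
class Story:
    """Minimal story record (assumed shape, not the platform's data model)."""
    uuid: str
    state: str
    lead_ids: set
    comments: list = field(default_factory=list)


def merged_state(state_a, state_b):
    """Resolve the state of a merged story from the table.

    The table covers only New, WIP and Done; any other combination is an
    error here because the page does not define it.
    """
    try:
        return MERGE_STATE[(state_a, state_b)]
    except KeyError:
        raise ValueError(f"merge of states {state_a!r} + {state_b!r} is undefined")


def merge_stories(a, b):
    """Merge two stories that share a core lead.

    The result is a brand-new Story (new UUID) carrying the union of both
    stories' leads and all of their comments, in the state the table gives.
    """
    return Story(
        uuid=str(uuid.uuid4()),
        state=merged_state(a.state, b.state),
        lead_ids=set(a.lead_ids) | set(b.lead_ids),
        comments=list(a.comments) + list(b.comments),
    )


if __name__ == "__main__":
    # Constructed stories: an analyst closed A, B is still untouched.
    a = Story(str(uuid.uuid4()), "Done", {"L1", "L3"}, ["looked benign, closing"])
    b = Story(str(uuid.uuid4()), "New", {"L3", "L5"})
    merged = merge_stories(a, b)
    print(merged.state, sorted(merged.lead_ids), merged.comments)
```

Because a Done story merged with a New one lands in New, a previously closed investigation silently becomes active again; that is the case worth alerting on in a SOC workflow, since the analyst's earlier "Done" decision no longer stands.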
Can I exclude certain leads or detectors from getting correlated in stories?
Any lead with a confidence of Very Unlikely will not be correlated in stories. You can use custom scoring rules to set the confidence to Very Unlikely for specific detector conditions and thereby exclude those leads from stories.
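The correlation rules on this page (a story needs at least two correlated leads, one of them Core; Very Unlikely leads are never correlated; a lead classified as benign leaves its story, and removing a bridging core lead splits the story), as an added Python example that is not the product's own code. It models "similar entities" as two leads naming at least one common entity and groups leads with a union-find; the graph database, scoring and the 14-day ageing are not modelled, and the lead ids, confidences and entity names are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

# Confidence levels from the page. Very Unlikely is neither Core nor Leaf
# and is therefore never correlated.
CORE_CONFIDENCES = {"Possible", "Likely", "Very Likely"}
LEAF_CONFIDENCE = "Unlikely"


@dataclass(frozen=True)
class Lead:
    lead_id: str
    confidence: str
    entities: frozenset           # hosts, users, IPs the lead involves
    classification: str = None    # None, "Malicious" or "Benign"

    @property
    def role(self):
        """'Core', 'Leaf', or None when the lead is excluded from correlation."""
        if self.confidence in CORE_CONFIDENCES:
            return "Core"
        if self.confidence == LEAF_CONFIDENCE:
            return "Leaf"
        return None


def build_stories(leads):
    """Correlate leads that share an entity into stories.

    Leads classified Benign or carrying an excluded confidence are dropped
    first. Connected components of the "shares an entity" relation are found
    with union-find; a component is a story only if it holds at least two
    leads and at least one Core lead. Returns sorted lists of lead ids.
    """
    eligible = [l for l in leads if l.role is not None and l.classification != "Benign"]
    parent = {l.lead_id: l.lead_id for l in eligible}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    by_entity = defaultdict(list)
    for lead in eligible:
        for entity in lead.entities:
            by_entity[entity].append(lead.lead_id)
    for ids in by_entity.values():            # every lead sharing an entity joins the first
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])

    components = defaultdict(list)
    for lead in eligible:
        components[find(lead.lead_id)].append(lead)

    stories = []
    for members in components.values():
        if len(members) >= 2 and any(m.role == "Core" for m in members):
            stories.append(sorted(m.lead_id for m in members))
    return sorted(stories)


def classify(leads, lead_id, classification):
    """Return a new lead list with one lead reclassified (leads are immutable)."""
    return [replace(l, classification=classification) if l.lead_id == lead_id else l
            for l in leads]


# Constructed sample leads (not real detections). L3 is the only lead that
# names both "ws-1" and "srv-2", so it bridges two clusters into one story.
SAMPLE_LEADS = [
    Lead("L1", "Likely", frozenset({"alice", "ws-1"})),
    Lead("L2", "Unlikely", frozenset({"ws-1"})),
    Lead("L3", "Possible", frozenset({"ws-1", "srv-2"})),
    Lead("L4", "Unlikely", frozenset({"srv-2"})),
    Lead("L5", "Likely", frozenset({"srv-2", "bob"})),
    Lead("L6", "Very Unlikely", frozenset({"bob"})),   # excluded by a scoring rule
    Lead("L7", "Unlikely", frozenset({"ws-9"})),       # lone Leaf lead: no story
]


if __name__ == "__main__":
    print("initial:      ", build_stories(SAMPLE_LEADS))
    print("L3 benign:    ", build_stories(classify(SAMPLE_LEADS, "L3", "Benign")))
    print("L2 benign:    ", build_stories(classify(SAMPLE_LEADS, "L2", "Benign")))
```

Marking the bridging core lead L3 benign splits the single story into two, each keeping its own leads, while marking the leaf lead L2 benign only shrinks the story. The same grouping also shows why a Very Unlikely lead (L6) never pulls its entity into a story, which is the lever the custom scoring rules give you.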