Video: Taegis Unlocked - Episode 10: Power BI Reporting with Taegis XDR | Duration: 5404s | Summary: Taegis Unlocked - Episode 10: Power BI Reporting with Taegis XDR | Chapters: Welcome & Introduction (17.935001s), Chemistry Introduction (100.055s), AI and Security (172.63s), Tenant Profile Insights (347.85s), Threat Hunt Insights (540.00995s), Evolving Cyber Threats (693.515s), Portal Updates (926.825s), Power BI Insights (1000.99005s), Data Queries Authentication (2114s), Investigations Overview (2274s), Investigation Metrics (2467.355s), Alert Management (2616.5552s), Alert Management (2893.915s), Q&A and Feedback (3255.895s), Dynamic Data Integration (3616.5552s), Final Remarks (3659.34s)
Transcript for "Taegis Unlocked - Episode 10: Power BI Reporting with Taegis XDR":
Good morning, good afternoon, and good evening, and welcome, welcome, welcome, folks, to another episode of Taegis Unlocked. As always, I'm your host, Christian Warnett, and I'm very excited to be here today for the topic that we have selected: it's reports that resonate. And, folks, I want to thank you, (a) for attending, and (b) for providing the valuable feedback that has got us to this topic today. So thank you for your input, and thank you for being such an active and vocal member of the Taegis community. Now, before I get too far into today's agenda and topics, what I wanted to do was, as always, take a look at a few housekeeping bits of information. So, as you know, this is a recorded session. If you get called away for that pesky little thing called work, and that gets in your way of the next hour, don't worry; we have this recorded, and you'll have access to this recording after the fact. As well, any of your staff or team members that may miss this, don't worry, they'll have access to this as well. For those of you that are collecting CPE credits, at the end we'll have some information there. As an (ISC)² member and a person who earned my CISSP quite some time ago, I don't want to have to go through writing that exam again. It's big, and CPEs are a great way to keep that satisfied. As well, I want to show folks that, as you can see there, there are some items that you can adjust to make your viewing preferences a little bit more tailored to your desired viewing needs. So make sure you have a look at that and adjust where necessary. The agenda today is the same as it always is with Taegis Unlocked: we start off with Chemistry with Christian, then we'll proceed to that special guest, and then we'll do some closing remarks and some Q&A. 
So what I'm going to do is move over to my screen share, and then we'll start off with Chemistry with Christian. And here we go. As you know, I always like to start with what's new. And I had some trouble, as I always do, selecting what I wanted to put here, whether this should be in what's new or what's helpful. I put it here because we have a couple of good topics on the what's helpful side. But this is a really, really solid document. It's essentially 25 items, little nuggets, if you will, of information on things like ransomware, cybercrime costs, AI, crypto crime, how ransomware is evolving, and insights into things like C-suite turnover and employee training. It's a real interesting read, and I found that there's a good amount of insightful little nuggets that I think you'll find useful. So please make sure you go and take a look at that. We'll have a link to this as well. I also want to highlight our release notes so folks can have a bubble-up feed into some of the things with respect to the update cycle in Taegis XDR. So we have several AI-based features that we're opening up to folks that are using preview mode. Now, most folks start off in production stable, but if you go into your profile, you can change that over to preview mode. And why this is important is that this particular release really double-clicks on AI and how AI assists our SOC, how it assists our partners, and now you folks as well, in really quickly understanding the information that is coming in and dissecting what's going on at a much faster rate with precision. And when I say precision, we're talking about using AI to pivot to finding what's going on and being less prone to making mistakes, those interpretation misconceptions. 
So it's not only speed at reducing risk, or perhaps the risk of an analyst misunderstanding something that they're looking at, but actually finding those true positives with malicious threats really quickly. So you can see here, from an AI explainer's perspective, we've got an alert analysis AI explainer, a detection logic capability that uses AI to let us know what's happening from a detection perspective, as well as the real tough one, command line and script block. Okay? So that's something that I encourage you folks to take a look at. Now, what's coming? What's coming is this concept of the tenant profile. And in fact, this is not really coming; it's here. But there are things that are coming that we're going to be interacting with you on, on an ongoing basis, over the next several cycles. So this is all about getting some intimate knowledge, as you can see in the six fields on the right there, intimate knowledge of your environment, so that that knowledge is available to our SOC and, really, the defenders, so to speak. Okay? So we've been having discussions internally on how we can improve the engagement, the intimacy, and, really, the understanding of your environment. And customers have told us, "Hey, look, we want to let you know some things that we have in our environment to help maybe provide some more clarity and context into what's going on." And that is what this initiative is all about. So, for example, let me just show you this as an example. And this is a tiny little sneak peek of what we're going to be doing when we come and actually chat with you folks. What you see here is a sample bit of information. And, really, on the left, there's no tenant profile information to contribute to the root cause analysis. 
And so because of the lack of that one piece of information, what's going to happen is a high severity alert is going to be surfaced. But on the right, with the VPN information, that exit IP range is now known. We can tell while we're doing our root cause analysis that this isn't nefarious; this is actual legitimate traffic here. And the upshot with this is we're not going to create an investigation, at least based on this bit of information, because we know this is an actual legitimate IP address and not, say, the example of a Superman travel or high velocity travel situation. Okay? So stay tuned for that. Now, what's helpful? I've got two of them today, actually. One of them focuses on alert noise reduction. And that's sort of fitting with the tenant profile discussion that we just had and we're going to have. When it comes to bringing data into the platform, we want to make sure we're bringing data into the platform from all corners of your environment, but we're also using it to drive outcomes. And sometimes that requires some fine tuning. And so this article here is going to discuss and provide some methods for reducing alert noise, and ultimately for reducing investigation noise, so that the real threats get the attention that they need. It's just a great discussion of best practices to reduce noise in the environment. Okay? One of the other things that I wanted to highlight is this article here that's all around our targeted threat hunts that are part of the managed XDR monthly engagements. Some folks aren't even aware that this is a thing that's occurring. 
And so what I wanted to do is call this out so folks could have a quick read to understand what's going on, to understand how to interpret these monthly threat investigations, and, really, the best way to make use of this data as well: the background, the technical analysis, and then the recommendations. So this is a great and very short read. It really highlights some of the power that is happening in the background that you might not often see. Okay? Lastly, from what's helpful, I wanted to come into the Help Center, and I wanted to highlight a few things. You've been in here before. You know the Help Center is that place where you can see recently published articles, recently updated articles, and important things like tickets, if maybe you've got an open security ticket or an open ticket with product support asking for assistance with this, that, and the other thing, and if there are any tickets that are awaiting your feedback, your input. Okay? As you've seen before, the Taegis Help Center has this concept of topics. Okay? There's a new one, a Taegis Reels topic. And these Taegis Reels are really short and informative. Well, some of them are short. Some of them are medium. Some are not as short as maybe to be classified as short, because some of them are five minutes, some ten, the odd ones beyond that. But, really, this is an inventory of video walkthroughs on how to do certain tasks within Taegis, and, say, some integrations or automations, or automations in action. Okay? This is a growing list, and I encourage you folks to take a look in here to see if there's something that you might want to see a little bit more about. 
And also, folks, if there's something that's not on here that you would like to see from a video walkthrough or how-to instructional type thing, reach out to your account team, and we'll see if that is something that we can look at getting actioned. Okay? Now, in the news, I've gone out and I've found an article here. This article is all about a particular threat that is kind of re-emerging. And I like to say there's a new sheriff in town, or maybe a new RAT in town. RAT, what's a RAT? It's a remote access Trojan. This is really a kind of rebranding, an old tool that's got some new paint and polish. And the article talks about this Remcos RAT, how it targets Windows devices, how it can result in a complete takeover. And while this type of information isn't new, this type of activity, and actually this type of behavior, isn't new from this particular threat actor, some things have been changed so that it kind of evades previous detection, previous CVEs. And so what you're going to find in cybersecurity is that what is old is once again new. It kind of goes through this cycle. Threat actors are good at what they do. Us defenders, you defenders, we're good at what we do, but the threat actors are always trying to get around some things. And what they'll do is they'll not completely change what they're doing. They'll change a couple of things just enough to trip up detection logic and things like that. And so what you commonly hear from me on this segment is, when you see something and there's a new CVE, for example, like what you see here, you'll always hear me say patch, patch, patch. So when critical flaws are identified, or things like this, we need to be able to identify these. 
We need to be able to close and remediate those flaws. So think an open door, an open window, or an unlocked door, an unlocked window. We need to do what we can by patching these solutions as quickly as possible to make it harder for the threat actors to work. Okay? For those that have been here before or have listened to some of these recordings in the past, you'll hear me say patch, patch, patch. And when you can't, I always like to focus on compensating controls, things that you can put either in front of or around this resource to protect it while you're waiting to hit that patch cycle. And then if you can't do that, I always like to recommend architectural design patterns, maybe something like an island, where a resource is dedicated to an island that doesn't have typical user traffic, something like that. But one of the things that I don't talk about often is people training. We focus on patching. We focus on architectural design principles and compensating controls. But, folks, people are often the first line of defense, especially when an email comes in, and that email is asking for, say, "Hey, $9,000 of Apple cards, and I'm a VP, so you should really do that." We need to prepare folks to be able to identify when these suspicious or weird emails are coming in from known and unknown subjects. Okay? Because, again, they're the first line of defense. Okay? So it's not always just about technology. It's not always just about relying on patching and compensating controls. Our people. Very important. Our people. Okay? And another thing that I wanted to highlight here, again, I'm logged into the portal here. You may have seen this a couple of weeks ago now. We've got an authentication provider migration. 
You're going to see this nice new splash screen when you're logging in. So make sure you're aware of that. You can learn more by clicking Learn More when you hop in. And then for folks that haven't seen how to get to some of the documentation, if you go to the bottom left, you're going to see your Help button. You can get to that Help Center. You can get to the Taegis documentation. And as well, if you recall, I said for folks that need to or want to switch to a different type of feature set from a display perspective, this is where you would move from production to preview. Some folks have private preview, but that's not something that's really standard. So I just wanted to take a minute to highlight that. And that happens to be the end of Chemistry with Christian. Now, today I want to welcome a special colleague of mine, a fellow that I've been working with for a number of years here at Secureworks. His name is Mr. Justin Davis. He is going to be talking about reports that resonate: using Power BI, really, to access the data in Taegis, to make that data dance, to make it look the way you want it to look, to reflect or articulate the data that you need to for the business and for yourself. It's really to understand and ensure you're representing the great outcome that Taegis can provide. So without further ado, I want to welcome Mr. Justin Davis.

Thanks, Christian. Honored to be here. So I'll just talk a little bit about me. I've been with Secureworks, a Sophos company, for a bit over six years, and I came to Secureworks to do custom SIEM development and architecture. Prior to Secureworks, I was doing incident response, SIEM development, essentially level four triage, for the SOC. 
I've had a lot of experience in understanding security operations flows and measuring the different types of metrics that we needed to understand whether we were being effective, the types of mitigating controls we needed to put in, and how to report that effectively to our leadership. And so after the custom SIEM team turned into the Taegis professional services team at Secureworks, I worked on developing the premium onboarding service and the custom integration service, and also did a lot of odds and ends: worked on different Python scripts and PowerShell scripts for customers for data ingest and interacting with other third-party systems. And then I moved over from our professional services team to the presales, or sales engineering, team, where I do a lot of the odds and ends still, being a subject matter expert in some domains where I can be. No one has all the answers, but we're a very effective team together. And then I also try to fill some product gaps. I work with our product management and engineering teams to understand customer desires. I relay some of those desires I've heard myself, and I try to build some of the solutions where possible, as a force multiplier for our product teams. And so the Power BI capability that we're going to talk about today is something that I was able to develop on my own and then add to our product for free, essentially. So, without further ado, let's get into that. We're going to talk about a few things. I first want to preface the discussion with a little talk about metrics and what they mean and what the end goal really should be. Maybe you already know all these things, but I want to make sure that I can frame that, and the intent behind Power BI reporting and reporting in general. Then we'll talk about how to actually use this template that we have on our website. 
It's on our documentation site, under the APIs page on the left sidebar; you'll see there's a Power BI for XDR page, and there's a download there. So we'll talk about how to implement it. And then I have a couple of slides with the screenshots in the slides so that you can follow along, or, if you don't have time to watch the full recording, at least you can page through those slides and you'll see a couple. And then we'll talk about next steps as well: how to implement this, use it within your business, and move forward with useful reporting. So, talking about who reporting is for, who this Power BI template is for: well, it's really for anyone who wants to gain insight from data that they already have to understand trends and drive specific outcomes. Christian Warnett used that word, outcome, and I think that's a really important thing to focus on. You could put 10 different numbers in front of 10 different people, and they would all interpret those numbers differently. They're going to say, "Oh, this is a really long resolution time," or "Wow, we have a lot of critical alerts," or "Wow, this person is doing 90% of the work," or whatever, and they're going to focus in on very specific things. And depending on what someone sees in that data, they might take different actions. Right? And so I want to think about personas and where you might sit within your business, the things you're responsible for, and the outcomes you're trying to drive within your organization. So, for example, if you're a SOC manager, your goal is probably to reduce response and resolution time so that your analysts are responding to things faster and resolving them quicker. 
But they're not just resolving them quickly; they're resolving them effectively, they're looking things up, they understand what they're looking at, they understand the threats that they are facing, and they're doing their due diligence. And so, seeing who's working on what, doing that workload monitoring, and also making sure that analysts are closing things correctly, looking at closed codes on investigations, looking at your false positive or true positive benign rates. That can give you some insight into what people are thinking as they're going through the triage process. And if you see something that seems a little unbalanced in terms of workload or in terms of the resolution codes and things like that, it might give you some insight into changes you need to make or deeper questions you need to ask to understand why there's an imbalance there. From a security leader and architect perspective, you're looking at the bigger picture. Right? So you're looking to evolve your security program, expand defenses by analyzing things like technology gaps, doing retrospectives against previous incidents that you've had, feedback you've had from internal IT staff as well as your information security staff, to make sure you don't fall into the same traps, that you're not having the same problems over and over again, that you plug those holes. And so understanding the various attack vectors that have been used against you in the past, and then using intelligence to understand where things are going in the future, can help you stop threats before they happen. Ideally, make time for bigger and better things like implementing multifactor authentication or SSL decryption or any number of larger projects. Those are going to be some of the initiatives you're concerned with. 
And the things you're going to measure to understand where you need to go and the actions you need to take are going to be different than a SOC manager's, who, again, is more concerned with the day-to-day response times, resolution times, resolution codes, and so on. From a threat hunting perspective, you're looking for obscure or rare attacks. You're looking to stop threats before they happen. Sometimes this is just looking for things that are abnormal, looking for users that might be violating certain policies that should have a control that prevents the user from taking those actions, but for some reason that control is not working as intended or that control is not yet implemented. And sometimes those gaps, for example, allowing USB storage on a laptop, could be exploited by an attacker for nefarious purposes. So finding just some of those trends and saying, "Wow, we have a lot of USB mass storage events. I didn't realize we allowed that," or "Maybe we should restrict this by user role," or something like that, can help you prevent some of those attacks. And so threat hunting is not just about finding APTs. Of course, that's what we want to do, but, hopefully, we never find it. Although it would be nice to find, because it would validate some suspicion. But the goal is really to understand trends within our environment, filter out the noise so that we can find the signal. You can't know what's abnormal until you identify what is normal and you subtract that from everything, and you're left with what's abnormal. So threat hunting also involves applying a lot of suppression rules within Taegis so that you can improve your fidelity, reduce alert fatigue for your SOC, and ultimately see more interesting things. Security administrators maintain the machine. You keep the lights on. You keep things running. Data's coming into Taegis. There are agents that are deployed. 
You have virtual infrastructure like data collectors that are collecting data. Right? There are different levels of access required for cloud integrations, access for different users that are using Taegis, keeping the reporting set up, functioning, and refreshing automatically. There are a lot of moving pieces that just help you enable those teams and the users of the different security controls and platforms that you have within your organization. And so you want to make sure that you're measuring things that help you save time, that answer your questions faster. Is my data coming in? Are alerts still being generated? Am I at my endpoint license count or not? Can we maybe reduce this because we've decommissioned a thousand devices in the last sixty days, or something like that? Christian talked about his CISSP. Confidentiality, integrity, and availability are that trifecta of the CISSP, and security admins are often where the buck stops with maintaining those three cornerstones, because they're actually the ones operating the controls that allow those things to be enforced. And then, even from an MSSP or a partner perspective, even if none of the people on this call are partners, we have several large customers that maintain the security controls for various departments within a county, for example, or just a very large corporation that has several different arms. And they need to be able to measure how those arms are operating independently, provide those insights to the people who actually own those arms of the company or those particular departments, and understand the trends that apply to each one. And so a lot of these same goals apply to partners, or large corporations, but at scale. Right? You're trying to measure workload at scale, but broken down by department or things like that. 
And, ultimately, reducing cost and overhead is maybe even more top of mind, because you're just at such a large scale. So, as I talk through some of these reports, I again just want you to think about scale and outcomes. What are we trying to measure? Why is it important to us? And, ultimately, what questions can we ask that provide answers that help us go in a direction that matters, that's going to make a difference for our business, for our security posture, for our customers? Right? Because different numbers mean different things to different people. Alright. So let's talk about getting our hands dirty here. There are going to be a couple of key points here, but this is largely intended to be as painless as possible. Now, I've built this template. I've tested it on many different customers. I've tested it on our tenants. We'll be using it on a demo or lab tenant today that has real-looking data in it. But, obviously, there are people messing around in it a little bit, creating test investigations, so it's not going to be a perfect analogy. But we'll kind of show you how to get it all set up. Hopefully, it seems simple enough to you as well. So there are a couple of key steps. You're going to download and install the Power BI Desktop application from Microsoft. We need to use that to import a template file. That template file is on our documentation site. Now, I have these links available; it's on our docs. If you go on the left sidebar, there's a Power BI for XDR option under the APIs heading, close to the bottom of that sidebar, and we have a download link there. That gets kept up to date as new releases come out, so you can check back and see if there's a new version that maybe adds a new report or solves a very rare edge case that you have found. It's uncommon at this point. We've fixed most of the bugs, I hope. You've never fixed all the bugs. 
But once you've downloaded that file, you need to create API credentials that allow you to access your Taegis tenant using a program, a script. Right? You're not going to always be there to log in and enter your credentials. We can create a client ID and a client secret. It uses a technology called OAuth. And these OAuth credentials will allow us to automatically refresh our token for Taegis and pull down the data as we need to. Right? We don't have to log in to Taegis in the web browser repeatedly or anything like that. Once we've created those credentials, we'll open that Power BI template file, the .pbit, and we will input our credentials. We will put in our tenant ID, our Taegis environment, and a couple of other parameters like time ranges, and then we'll load and hopefully start viewing reports. So this is a broad set of instructions, because there are a couple of different ways to create API credentials. Now, I have been told there's a better way coming that's going to be in the Taegis UI in the coming months, but I don't want to promise anything. So don't tell product that I told you that. But there are a couple of ways, like I said, and I just got some PowerShell and Python scripts added to our documentation site that, step by step, allow you to just enter your options, put in your tenant ID, put in the environment that your Taegis tenant is in, and it will create the client for you. So you don't have to download curl and add command line parameters, which sometimes can be messed up with backslashes for escaping inputs and things like that. So we're going to use the PowerShell example today, but I wanted to at least give you the high level overview of how the process works depending on the method that you want to use. We also do have a Python software development kit that is capable of interacting with all of our APIs. It can create API credentials and manage them for you, delete them, update them, and so on. 
But the Python SDK, you could do a whole Taegis Unlocked session just on that. So we're not going to dive into that today. I'll show you some screenshots of how the PowerShell script works, and then we'll continue on. One thing I also wanted to show here is that we're going to be copying our access token from Taegis. This is our temporary access token that allows us to take actions once we have logged in. In order to create a client credential for Taegis, we have to have our temporary access token, and this can be obtained through your browser's developer tools. I have a screenshot here from Google Chrome. It's also possible from Firefox and Microsoft Edge. I think it's in a very similar place, under, like, More Tools or Developer Tools or Advanced or something like that. I think for Chrome you can also press F12 to open it. You'll go to the Console tab and enter this command, which will copy the access token from your local session. Once you've logged into Taegis, you'll open your console, enter that command, and it will copy it to your clipboard. Then, once you have used either the PowerShell or Python script (they work basically the exact same way; you should see almost the exact same input), it will ask you to just copy that access token to your clipboard and then press Enter. It gets imported from your clipboard automatically, so you don't have to paste it in at risk of adding extra characters or anything like that. It'll just copy it from your clipboard for you. Once you do that, you'll follow the prompts, adding your tenant ID, which is available on the Tenant Settings, Subscriptions page within Taegis. You'll add your Taegis environment, whether it's CTPX, Delta, Echo, or Foxtrot, depending on which UI you log into. You'll choose a role for your API client. I think for the Power BI queries it's tenant analyst; I think that's for the tenant volume parameter, for data flows. 
Otherwise, I would normally recommend tenant auditor, because it has permission to pretty much everything else in Taegis, but it also only has read-only permissions. Make sure you add a descriptive name. Don't use the word "test" or anything. You want it to be tied back to you, and then also maybe to what its function is, whether it's, say, "Justin Davis Power BI" or "Justin Davis SDK" or "Justin Davis investigation stats", or something where, if you're using that credential for a specific purpose, it's indicative of what that original purpose was, especially if that credential ends up finding its way to someone who shouldn't have it. You can see which credential is being used and what its original purpose was, and that might tell you where it came from and how it got to where it is. Once you've specified those parameters, it will output a summary for you of what it's going to use to create this credential. If everything looks good, press Y and hit Enter to proceed. It will go ahead and issue that command to our APIs, and then it will output a bunch of values, including the client ID and client secret. These are the two values you're going to use to actually perform authentication to Taegis. Now, these values are as good as your username and password, and you don't want to share them with anybody. So make sure you save them somewhere safe, possibly a password vault or something of that sort. Now, once you've downloaded that Power BI template file, you'll double-click that .pbit file and it will open up Power BI. It's going to ask you for a bunch of parameters, including that client ID and client secret you just created. You'll also select your environment and input your tenant ID so that we know which tenant we're talking to. And then below that, there are a couple of parameters for alert results and investigation results, and then a couple of date ranges for specific queries. 
When you're initially running this, I recommend running these queries for seven-day time windows just to make sure everything works, to make sure you've got your authentication set up correctly and you selected the right environment and tenant ID. If everything works, you can open the template again and input these parameters, but change it for a wider date range. You'll wanna give it a good amount of time. It can take a little bit to run. And I do also advise ninety days or less for alerts because there's a lot of alerts that get generated within people's tenants, and these queries can take a really long time to run. There are bigger-scale solutions through professional services. I'll talk a little bit about that at the end if you really wanna max this out and use it extensively and do much longer-term reporting. But that being said, once you've input these parameters and you click Load, you'll get two pop-ups. One will ask you about accessing web content and how you want to authenticate for it. You're gonna use Anonymous. It's not actually anonymous. We are doing the OAuth authentication in Power Query, which is what populates all the data, and that's what's issuing the credentials to our APIs. But as far as Power BI on the front end is concerned, it doesn't know about that, and so it thinks that it's anonymous authentication. So you're gonna go ahead and just click Connect for the anonymous option. Once you do that, it'll show a privacy level pop-up. You'll wanna go ahead and select Organizational. There's three options: Public, Organizational, and Private. Organizational is the one that we believe is the correct option, and it allows data to be pulled, but it keeps it within your organization as well. They do have a link on privacy levels in case you're curious about what those mean. Once that template has run, you'll see these queries start to run. They start to get populated.
They'll, you know, have to wait on other queries to run because some of them roll up under one base query, and then they break out for different purposes. So, as the base query populates, the child queries underneath that will populate. And then eventually, hopefully, you should see your reports pop up, and you can start browsing them and publish them. If you get any errors here, it's very likely that it's due to the credential or, like, the tenant you selected or the environment you selected, possibly the data privacy level. If you try it again and you double- and triple-check all the values that you put in as far as your credentials, tenant ID, and tenant environment, and it still is giving you some errors, go ahead and submit a product support ticket. They can help you follow that through to the end. Every tenant is unique, and there are, you know, different types of alerts, investigations, and data sources with different usernames and IPs and file names, hashes, and all sorts of crazy information, so there might be some rare edge case that can break a query. And we wanna know about that so we can fix it for you. So go ahead and get a product support ticket submitted if you verify that your authentication parameters should be working. So let's go ahead and walk through. I'll just quickly show a couple of these reports here. I'll show you all of these live. I'm really just flipping through the slides here so that you can see some examples. But we'll go ahead and look at these live. Now let me go ahead and share my screen. I'm sure you haven't heard that phrase before. Alright. Hopefully, you can see it alright. I am on a 4K monitor, so it might be a little small. But, yeah, there's a lot of data here. These reports are supposed to be data-dense for a reason, because you wanna make sure you display a lot of contextual information. That being said, here we're looking at populated reports after the template has run.
We've got sort of an executive summary page here. We're looking at the number of investigations and alerts that were returned for our time range. We're also seeing a rough approximation of our time range because this is gonna show us, you know, the oldest investigation and the newest investigation that was in our time range, which for this was over ninety days. Same goes for the alerts. We've got some simple time charts here, some base investigation metrics about handoff, acknowledgment, and resolution time, and some endpoint license information as well to just give us a high-level overview. This is what you would probably use for a cover page or, you know, just under the cover page, if you were submitting these reports to your leaders. Then, looking at the investigation overview, we start getting back into thinking about personas and the outcomes that we're trying to drive. If we are a SOC manager and we're concerned about workload balance and the effectiveness of our triage process, we're gonna wanna look at, you know, how many investigations are getting closed with specific statuses. Are we disproportionately closing them as inconclusive or false positive? Is that a knowledge issue? Is that a data issue where we just don't have enough information, or the data is not sanitized properly or normalized properly? We can start asking more questions to say, why is this unbalanced, or why do we have so many informational security incidents, or are my IT operations people creating things that have nothing to do with my security operations team? And you can use these filters on the top right. Simple checkbox filters, if you've ever used any checkboxes before; it'll filter all of these additional options so you can drill down even further. So we can look at very specific combinations of these fields as they are interesting to us.
And this will tell us, you know, which detectors are creating the most alerts for us, or investigations, I should say. Out of all of our investigations, what's the balance or proportion? We can see that informational makes up over a third of our investigations here. Now, again, keep in mind, this is a demo or a lab environment. So a lot of people are messing around creating test investigations and things like that. So if you see over a third of your investigations being informational or inconclusive, that is a really good time to ask what's causing these to be informational. Are these even related to, you know, security threats? Same goes for investigations by asset tag. If you see that a specific asset tag is way higher than the other ones, is it because those people who use those types of assets are naturally more at risk for things because they're in the field, they're plugging in USB mass storage that they find in a parking lot? Hopefully not. Or is it the service desk or someone else who's trying to help users troubleshoot applications, and they just happen to come across more things that are potentially malicious? Right? This can help you understand those trends to figure out if you need to implement additional controls, implement user training for specific departments within your business, or train your analysts to, you know, use more data to answer questions if they aren't finding it already. Right? There's a lot of different outcomes that could come from just this one dashboard alone. Now, very similarly, this report does show investigation workload metrics, but we're focusing more on the people who are doing specific things. So we're gonna look at who's creating, acknowledging, and resolving investigations. Now, for you, Secureworks, a Sophos Company, might be the top creator for investigations because we're managing things under the managed XDR service. We're escalating them to you.
Where I would expect to see things differently, though, is on the acknowledgment and resolution side, where you can see who's actually handling the investigations that are being escalated to you. And although, because of the demo environment, this is skewed, we can see that this person, Ryan, is responsible for 14% of all investigation acknowledgments. He's also the highest resolver at 15%. And under the assignee, Ryan is also the assignee on 14% of all investigations. So this kinda tells us Ryan is doing a lot of the heavy lifting here. And we can see that even further when we start to look at the analyst performance details. But I first wanna filter this down and show you that, for everything Ryan has touched, here are the distributions of the statuses: confirmed security incident, informational, threat mitigated, authorized activity. So we can start to see what Ryan is doing. And we can look at this by resolution, not just by a contributor, if we want to. So if we look at the next report here, this gets even more granular. We can say, out of all the investigations that Justin has resolved, what codes is he using? And if we see that there's a particular person that's always closing things as false positive versus, you know, threat mitigated or authorized activity or whatever, we wanna make sure we're measuring these things accurately. I could talk for ten minutes about the difference between true positive, benign, and false positive. We don't have time for that. The important thing is that measuring and categorizing these things accurately will help you understand actions you need to take. False positive means that the actual indicator that fired was not correct to fire. It mismatched on something. Whereas true positive benign means my indicator found what it was trying to find. My detector found the thing that it's looking for.
It's just that in this case, it was authorized, or in this case, it was mitigated because it was blocked or something like that. That's not a false positive. We found what we wanted to find. It just wasn't bad in this context. And the outcome means we don't necessarily need to tune that detector. If it's a false positive, it means that detector found something it shouldn't have found. It, you know, was too broad or something like that, and that needs to be filtered down. True positive benign doesn't require that same outcome. So we wanna make sure we're measuring benign versus false positive, that we're, you know, understanding the difference between informational and inconclusive, because the actions we're gonna take based on an imbalance one way or another are gonna be different. This also helps us understand, again, who's doing the lion's share of the work. If one person is doing too much of this work, and that might be the case if you have a very small team and it's just one or two people's jobs to do a lot of the incident response. But if you have a larger team and you can still see that 75% of the, you know, acknowledgment and resolution is being done by one person, that gives you a moment to ask, what are those other people working on? Are they working on projects? Are they working on really advanced incidents where it's not a numbers game for them? They're, you know, spending a week triaging one hard thing. And that might very well be the case, and you can start to dive into those questions and answer them using reports like this. But, again, those are the types of questions you should be asking to make sure that work is being distributed fairly, that you have enough people for your organization, and for the needs that you have and the threats that you're facing.
Looking at it from more of a threat hunting perspective, or someone who's really starting to get into the alert trends, we can look at this alert overview. And now I filtered out suppressed alerts because if we include the suppressed alerts, we can see that our counts just get crushed. Almost 80% of all the alerts in our ninety-day time range are suppressed. Now, that's because we've done a lot of the work to do that for this environment. But once you filter that out, as I said, you have to remove the noise from everything, and you're left with the signal. Right? So as we find these trends and we understand which detectors are firing most often, we can start to dig into those and figure out which entities are causing these to fire most often. Is it certain machines from our A, B, C, D department? Is it a specific user that's generating all these suspicious travel alerts? Is it a set of IPs or an IP range that's causing this to happen? Well, lucky for you, there is an alert entity browser report that allows you to answer exactly those types of questions. So, again, I filtered out suppressed, but let's re-add those back in here. Now, if we didn't have any of these suppressions implemented, you would hopefully see this and say, wow. Okay. Yeah. There's a set of IP ranges here that are clearly responsible for a ton of my alerts. And, hey, those are actually my DMZ scanner range, my vulnerability scanners. Let's go implement a suppression rule for those. Well, as soon as we get rid of those, the data really starts to level out, and we have a little more to look at. Now, there could even be a few more vulnerability scanners in here. I've seen some similar IP ranges in the 172.16 range, but there are some external IP ranges. And this had even been filtered down by IP. If we get rid of that, we can see that there are very specific hosts or sensor IDs that are responsible for certain things. I forgot what type of server this is in the lab.
But, again, we can see that this server is responsible for a lot of the alerts that are firing, and which ones are low, medium, high, and critical. So this allows us to understand those trends, to filter things out and ultimately improve our fidelity, improve our signal-to-noise ratio, and find the needle in the haystack. Right? I can use any number of idioms to describe this, but the goal is, if we're hunting for threats, we need to remove all this noise or we're never gonna find it. Once you remove enough noise and you start drilling down, you might just randomly pick. Let's look at random file hashes. Wow. That's crazy. This one is clearly almost double the next highest as far as the, you know, the contribution to alerts. I wonder what this file hash is. So then you could start to go into Taegis and look for alerts related to that. Now, in this case, I can click on that entity, and I can even see alerts related to that entity right in this table here. So this tells me, hey, this is an alert pertaining to this hash. This could be targeted, a pen test I did. This could be a threat hunt that was being done, maybe a new piece of software that was deployed that had a signature that triggered something. Right? If we look at a different file hash here, we can see, okay. Yep. This one is mimikatz, and this triggered a bunch of alerts within my environment. We can see even that some did not get closed. So this might tell us we need to go back into Taegis, do a search for all alerts from this file hash, and resolve them if we have indeed resolved those alerts. It seems like we resolved some on the sixteenth, and then we didn't resolve some in between, and then we resolved some on the thirtieth. It could be from the same activity, so we could potentially bulk-resolve these.
But it's good to make sure that there is an investigation open for this and that we follow our documented, you know, investigation process end to end, that we're doing our due diligence there. So from a threat hunting perspective, this really helps, but it also just helps tune the noise out and reduce alert fatigue for the SOC. I really like this data source alert insights page because it tells us what our data is doing for us. Now, remember how I talked about the suppressed alerts just crushing our graph. Well, we can see here that Corelight is really generating tons and tons of alerts here. This is because it's an IDS/IPS. It's seeing tons of traffic on our network, and it's got a lot of different signatures and patterns that it's matching to generate these alerts. If we get rid of that, we actually start to get a little more balance again to see the differences here. Now, what this is showing us is the sensor types that are contributing to a specific type of detector. The Taegis watchlist encompasses a lot of different data types because we have thousands of indicators in there. And so a lot of data sources contribute to that. The same principle happens on this bottom bar chart, but instead, we're looking at detectors by data source. So we can see that this one particular data source, like the Taegis agent, is contributing to, I don't know, over half a dozen detectors here. We can see that Corelight is contributing to over half a dozen detectors here. Whereas there are others that only contribute to, say, one type of detector because they're a very specialized data source. Maybe there's more use we can make of those things. Maybe there's opportunities for custom alerts. Right? But this really helps me understand what my data is doing for me, the types of alerts that it's generating, especially when we wanna look at the, you know, the true positive and false positive rates.
That's gonna make a huge difference in understanding if this data source is generating a lot of noise or it's actually telling me about a lot of true positives. And, again, good opportunities for suppression here as well. Alerts over time. This is sort of a beta report, but I really like it because I love time charts. People are very visual creatures, and this tells me that something very significant happened on November 9. Maybe we deployed a new piece of software. It triggered a bunch of alerts on our EDR due to, you know, loose signatures or something like that. We had to roll back machines, maybe redeploy a few things that generated tons of events, which maybe generated a few more alerts. These things can sort of snowball. And so this gives me pause to say, what happened on this day? Did we address all the alerts that happened on this day? Let's go take a deeper look. I just wanna make sure that we took care of everything that happened because clearly a lot of things happened on this day. So I really like this type of view. And in the spirit of time charts, we can see in this data volume by host chart that we have spikes that happen pretty much every seven days, is what it looks like. Maybe there's a scheduled backup task. Maybe there's vulnerability scans. Something that's generating a lot of data every so often. Easy to see that. We can also see the typical ebbs and flows of data sources feeding Taegis. We can even see when specific, you know, things broke, if our data feeds into Taegis broke. This is a lab environment, so things are not 100% live or rock solid all the time. So this tells us that, hey, on a couple of these days, maybe our data collectors and cloud infrastructure broke or something like that. And that can help you keep tabs on things as well. If you onboarded a bunch of new data sources, it will be very apparent when you see that graph just go right up to the sky. So I really love this as well.
Again, what's my data doing for me? How much of it do I have? Which data sources or sensor types are contributing the largest data volume? This can maybe be a tuning opportunity to reduce your data usage with Taegis to make room for additional data sources. I've seen customers that had a firewall that was generating 10,000 error messages per second. As soon as they went and resolved that with a simple policy update, it dropped their data volume by, like, two thirds from their firewalls. That's a rare case, but it can happen, and those are things that will be extremely evident from dashboards. Next steps: go play with this. Hopefully, you've seen it's pretty easy to set up, and you can really start to understand what's going on in your environment. And I think it'll bring up more questions than answers, and that's a good thing. Also know that these are just examples. You can move these around. You can create new reports. All the queries that are populating these are under the hood in Power BI, and you can create new queries using the fields that have already been extracted and visualize them across different dimensions. So use that either in conjunction with things you're currently using Power BI for, or start to try and understand, is this information we wanna work into our existing reporting process, and talk to your leaders about that. What are you currently using? What types of outcomes are you trying to drive? And I talked about doing things at scale. Professional services can build a very custom reporting setup for you that can do this across millions of alerts over a year's worth of data. Right? You can get even deeper using Python data science and things like that. So if you're interested in doing this at a larger scale, we have a page on our documentation site that talks about their custom reporting service. So talk to your account team if you're interested. Feel free to check that out in the docs.
And thank you very much for your time today. Appreciate it. Back to Christian. Christian, I think you're muted. Thank you for that. Yep. Always need to check that mute button. So thank you, Justin. We got a couple of questions here coming in. They're looking like they're gonna be for you, so I'll keep you around for a little bit longer. But before I get into that, I just wanted to highlight a few things. So before Q&A, again, the next Taegis Unlocked, the final one for the year, is gonna be December 19. And, again, we talked a little bit about the (ISC)² CISSP credits and stuff. There'll be a link after this that you can complete to make sure you get credit for that. You'll have thirty days, so make sure you stay on top of that. We wanna get that registered for you. And we've also got a little poll here. As always, we like to get some feedback from you folks on what you thought about today's session. Again, zero being not satisfied at all, all the way to the far right where we like to be, extremely satisfied, or anywhere that you feel makes sense. Your input, your feedback really, really matters, and it really helps shape where we take Taegis Unlocked. So please, if you've got the time, we would definitely love to hear from you. Now, in the past, I've talked about a number of ways to get involved, and we've got a new way here for you to get involved. Now, I know a lot of security folks say, don't look at these QR codes. That is true when one's coming from an untrusted source. And I like to hope that you feel that we are a trusted source. And so we've got a couple of QR codes here that can help get you engaged with us, to give some valuable feedback and insight on your Taegis experience and your Taegis journey. So, without further ado, we're gonna get into the Q&A of the day. Justin, question here. Here it goes. What is the best place to start here? Until today, I really didn't know what Power BI was.
I heard about it, but I didn't know what it was or how to use it. Should I just go get Power BI and start trying the stuff that you showed us today, the template itself, or is there a more efficient path to learn this? It was a bit... Yeah. Yeah. I mean, I learned Power BI over the course of a year and a half to really build this, and I started with basically no knowledge other than knowing that Power BI was a thing. You can download the desktop application for free. You can download our template file for free. And if you are a Taegis customer, you can use our APIs for free. There's no additional charge. So I would definitely recommend going and getting the Power BI application, getting it installed, going and downloading that template, creating your credentials, and starting to pull data. Even over a thirty-day window, I think this data is incredibly infectious, and it will make you think about how you do your security operations and understand what your teams are doing, immediately. Data is very powerful. So definitely just start plugging away with this. Awesome. So I think you may have answered the second question from this one individual. But just in case, I wanna make sure this individual's question is heard. The question is wondering, is this available to all of us? So I'm thinking from a Taegis perspective, but maybe Power BI as well. So if you could go into that. Is this something that I need to pay for to get access to? So, again, I'm thinking they're talking about Taegis, but maybe if you could sort of touch on Microsoft and Taegis. Yep. From a Taegis side, there is no additional cost at all. If you are a Taegis user, you can use this free of charge. On the Microsoft side, I do believe the Power BI desktop application is free. You don't have to be a Power BI subscriber. You don't need, like, an E5 license or anything.
I think if you wanna use Power BI web and start publishing your reports and sharing them within your organization, you do need an additional license. I believe it is included automatically for all users that have an E5 license associated with them. I know you can purchase additional licenses just for Power BI, and I think it might be included in potentially other license tiers as well. I don't wanna speak definitively on that. But as far as using these reports, I mean, you can export to PDF. You can take screenshots. There's nothing stopping you from doing that within the desktop application, completely free. So for all intents and purposes, other than sharing it to the web, this is all totally free of charge. Awesome. Awesome. I think we might do one more question. We're just right at time, but we'll just do this last question really quickly. The dashboards you showed in Power BI, the ones with all those drop-down boxes, the sensor types, the analyst performance and such, are they essentially data objects coming from the template that you showed? Those are populated dynamically from the tenant that you plug in. So whatever integrations and sensor types you have within your tenant, that's gonna be what shows up in those boxes. For investigations, like Acknowledger and Resolver and stuff, those are based on your users that are actually interacting with investigations. So it's all totally dynamic. Awesome. Awesome. Well, I think that's it. No more time for any questions, folks. We have a record of them. We're going to take that information back, and we'll make sure you're either contacted by one of us from the panel today, from the session today, or from your account team. So thank you very much, Justin. Thank you very much to everybody who showed up today, and we look forward to seeing you again on the next Taegis Unlocked. Thank you.