Analyzing Processes in Wazuh Alerts with Advanced Risk Scoring from Global Data Using CoPilot

SOCFortress
4 min read · Jun 12, 2024

In the ever-evolving world of cybersecurity, staying ahead of potential threats requires constant vigilance and the right tools. In a recent video, we introduced the latest feature added to Copilot: the Process Analysis Tool. This tool is designed to provide Security Operations Center (SOC) analysts with deeper insights into processes flagged by security alerts, such as those generated by Wazuh. In this blog post, we will explore the functionality and benefits of this new feature, demonstrating how it can enhance the efficiency and effectiveness of SOC analysts.

Understanding the Process Analysis Feature

The Process Analysis Tool is a significant addition to Copilot, aimed at helping SOC analysts understand and investigate processes that trigger security alerts. For instance, when encountering an alert related to a process like certutil.exe, analysts can use this feature to gain insights into its typical behavior, associated network traffic, and any known instances of malware abuse. This detailed information allows analysts to make informed decisions about potential threats.

To illustrate the functionality of this tool, the video demonstrates a scenario involving an attack simulator. A PowerShell script is run on a Windows endpoint, triggering various Wazuh alerts. Among these alerts is one for certutil.exe, which is used to decode a binary file. The Process Analysis Tool enables the analyst to delve into the specifics of certutil.exe, uncovering its legitimate uses and instances where it has been exploited by malware.

Key Features and Insights

The Process Analysis Tool offers several key features that make it invaluable for SOC analysts:

Process Overview: The tool provides a comprehensive overview of the process in question. For example, certutil.exe is identified as a utility used to dump and display Certificate Authority (CA) configurations. This baseline knowledge helps analysts understand the process's legitimate functions.

Malware Association: The tool highlights any known instances of the process being abused by malware. In the case of certutil.exe, it has been used to download, encode, and decode files, often to circumvent detection mechanisms. This information is crucial for identifying potential security threats.

Network Traffic Analysis: Analysts can view network connections associated with the process. For certutil.exe, the tool reveals its network attempts over ports 443 and 80, consistent with its capability to download files.

Parent Process Identification: The tool identifies parent processes that typically invoke the process in question. For certutil.exe, PowerShell is a common parent process, as demonstrated in the attack simulation.

File Path Information: The tool provides details on where the process is usually installed, such as in the System32 directory for certutil.exe. This helps analysts verify the legitimacy of the process's location on the system.
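The five data points above (overview, malware association, network traffic, parent process, file path) are exactly the inputs an analyst combines into a risk judgement. The following is an added example, not code from the original post or from CoPilot, showing how those same checks can be turned into a simple triage score for a Wazuh-style process alert. The alert is constructed, and the flattened field names (image, parent_image, command_line, dest_port) are assumptions modelled loosely on the Sysmon eventdata Wazuh forwards; adapt them to your own schema.

```python
"""Triage a Wazuh-style process-creation alert using the data points the
Process Analysis Tool surfaces: install path, parent process, command-line
options tied to known abuse, and network ports.

Added example, not part of the original post or of CoPilot's code. Field
names and the sample alert are constructed assumptions.
"""
from dataclasses import dataclass, field
import ntpath

# Baseline knowledge for certutil.exe as described in the post: where it
# normally lives, which parents appear in the abuse scenario, which ports
# its download capability uses, and which options indicate the
# download/encode/decode abuse the post mentions.
BASELINE = {
    "certutil.exe": {
        "expected_dir": r"c:\windows\system32",
        "suspicious_parents": {"powershell.exe", "cmd.exe"},
        "download_ports": {80, 443},
        "abuse_options": {"-decode", "-encode", "-urlcache"},
    }
}


@dataclass
class Triage:
    process: str
    score: int = 0
    findings: list = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.findings.append(reason)


def triage_alert(alert: dict) -> Triage:
    """Score one process-creation alert against the baseline profile."""
    image = alert.get("image", "")
    name = ntpath.basename(image).lower()
    result = Triage(process=name)
    profile = BASELINE.get(name)
    if profile is None:
        result.add(0, f"no baseline for {name or '<unknown>'}")
        return result

    # File path: a copy outside the expected directory is a red flag.
    actual_dir = ntpath.dirname(image).lower().rstrip("\\")
    if actual_dir != profile["expected_dir"]:
        result.add(40, f"unexpected install path {image}")

    # Parent process: a scripting host spawning certutil matches the pattern.
    parent = ntpath.basename(alert.get("parent_image", "")).lower()
    if parent in profile["suspicious_parents"]:
        result.add(20, f"spawned by {parent}")

    # Command line: options associated with download/encode/decode abuse.
    tokens = {t.lower() for t in alert.get("command_line", "").split()}
    hits = sorted(tokens & profile["abuse_options"])
    if hits:
        result.add(30, f"abuse-associated options {', '.join(hits)}")

    # Network: outbound traffic on the ports its download capability uses.
    port = alert.get("dest_port")
    if port in profile["download_ports"]:
        result.add(10, f"network activity on port {port}")

    return result


# Constructed alert mirroring the post's scenario: PowerShell runs certutil
# to decode a file, from the expected System32 path, with no network event.
SAMPLE_ALERT = {
    "image": r"C:\Windows\System32\certutil.exe",
    "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "command_line": "certutil.exe -decode encoded.txt decoded.bin",
    "dest_port": None,
}

if __name__ == "__main__":
    t = triage_alert(SAMPLE_ALERT)
    print(f"{t.process}: score {t.score}")
    for reason in t.findings:
        print(" -", reason)
```

The weights are deliberately coarse: a relocated binary outweighs a suspicious parent because the legitimate System32 copy is the one the post says analysts should expect, and the decode option adds the context that distinguishes this run from a routine CA configuration dump.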

Practical Application and Benefits

The Process Analysis Tool’s practical application is evident in the video demonstration. By using this tool, the analyst quickly gains a deep understanding of certutil.exe and its behavior during the simulated attack. This level of insight allows for more accurate threat assessment and quicker response times. Additionally, the tool's integration with other Copilot features, such as the SOC alerts tab and Iris interface, streamlines the investigative process.

Conclusion

The addition of the Process Analysis Tool to Copilot represents a significant advancement in cybersecurity threat analysis. By providing SOC analysts with detailed information about processes flagged by security alerts, this tool enhances their ability to identify and respond to potential threats effectively. Whether it’s understanding the legitimate functions of a process or uncovering its association with malware, the Process Analysis Tool equips analysts with the knowledge they need to protect their systems. As cybersecurity threats continue to evolve, tools like this are essential for staying one step ahead.

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html


SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).