Investigating lateral movement alerts

Plixer Scrutinizer uses multiple lateral movement detection techniques, each of which corresponds to a separate Alarm Policy. This provides security teams with additional context on which to base their response strategies.

Workflow

After receiving a lateral movement alert from Plixer Scrutinizer (either directly or forwarded via a SIEM), investigate the event:

  1. Navigate to Monitor > Alarm Monitor in the web interface and search for Lateral Movement (FA), Lateral Movement Attempt (FA), or Lateral Movement Behavior (ML) violations.

  2. Click on an Alarm Policy to open the summary view and review the activity timeline and hosts involved.

  3. Drill into an event artifact to view a summary of details for a violation associated with a specific host.

  4. To further investigate the activity of the host, click on the icon next to its IP address or hostname, and select an automatically filtered report to run.

Hint

For additional context and/or details related to how and why the host was compromised, review all alarms leading up to the lateral movement violation.
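The hint above describes a manual step: for each lateral movement violation, pull up the same host's earlier alarms to see how it got there. The following Python script is an added example, not Plixer's code or API, that automates that triage over a constructed list of alarm events. The three lateral movement Alarm Policy names come from the page; the record fields (time, policy, host), the other policy names and the sample data are assumptions made for this example, so adapt the field names to whatever export or API output you actually have.

```python
from datetime import datetime, timedelta

# Alarm Policy names that, per the page, correspond to lateral movement detections.
LATERAL_MOVEMENT_POLICIES = {
    "Lateral Movement (FA)",
    "Lateral Movement Attempt (FA)",
    "Lateral Movement Behavior (ML)",
}

# Constructed sample alarm events. The field names and the non-lateral-movement
# policy names are assumptions for this example, not Scrutinizer's export format.
SAMPLE_ALARMS = [
    {"time": "2024-05-01T09:58:00", "policy": "Port Scan", "host": "10.1.5.20"},
    {"time": "2024-05-01T10:02:00", "policy": "Brute Force", "host": "10.1.5.20"},
    {"time": "2024-05-01T10:10:00", "policy": "DNS Tunneling", "host": "10.1.9.7"},
    {"time": "2024-05-01T10:15:00", "policy": "Lateral Movement (FA)", "host": "10.1.5.20"},
    {"time": "2024-05-01T10:20:00", "policy": "Lateral Movement Attempt (FA)", "host": "10.1.9.7"},
    {"time": "2024-05-01T10:30:00", "policy": "Lateral Movement Behavior (ML)", "host": "10.1.5.20"},
]


def parse_alarms(alarms):
    """Convert ISO-8601 timestamps to datetime objects and sort chronologically."""
    parsed = [dict(a, time=datetime.fromisoformat(a["time"])) for a in alarms]
    return sorted(parsed, key=lambda a: a["time"])


def lateral_movement_violations(alarms):
    """Select only the alarms raised by one of the lateral movement policies."""
    return [a for a in alarms if a["policy"] in LATERAL_MOVEMENT_POLICIES]


def preceding_alarms(alarms, violation, window):
    """All alarms on the same host that fired within `window` before the violation.

    Earlier lateral movement alarms are deliberately kept: a Lateral Movement (FA)
    alarm preceding a Lateral Movement Behavior (ML) alarm is itself useful context.
    """
    start = violation["time"] - window
    return [
        a for a in alarms
        if a["host"] == violation["host"] and start <= a["time"] < violation["time"]
    ]


def triage(alarms, window_minutes=60):
    """For each lateral movement violation, build the host's preceding alarm timeline.

    Returns a list (in chronological order of the violations) of dicts holding the
    host, the violating policy, the violation time and the ordered list of policy
    names that fired on that host in the look-back window.
    """
    parsed = parse_alarms(alarms)
    window = timedelta(minutes=window_minutes)
    results = []
    for violation in lateral_movement_violations(parsed):
        results.append({
            "host": violation["host"],
            "policy": violation["policy"],
            "time": violation["time"].isoformat(),
            "preceding": [a["policy"] for a in preceding_alarms(parsed, violation, window)],
        })
    return results


if __name__ == "__main__":
    for result in triage(SAMPLE_ALARMS):
        chain = " -> ".join(result["preceding"] + [result["policy"]])
        print(f'{result["time"]} {result["host"]}: {chain}')
```

Running the script prints one line per violation, with the host's alarm chain ending in the lateral movement policy; the look-back window is a parameter because the right value depends on how noisy the environment is, and a longer window surfaces slower build-ups such as a scan followed by a brute-force attempt before the first lateral movement alarm.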