Review Findings
- The Findings Summary is an overview of the observed signals, context, and analysis conducted by the Nebulock agents, and gives you an assessment of the activity. While the Finding remains open and under investigation, this summary is updated as new signals are discovered on the host. Just below the Summary is a description of the Likelihood that the observed activity is malicious, based on the data in the Summary.
- Signals are the catalysts that begin an agentic analysis process. They come from rules written by Nebulock or from rules you have written in your portal. A Finding can have one or more signals, and each signal is displayed with related context; for example, EDR data will include parent processes, command lines, and file paths.
- To see this contextual data, click on a specific Signal to view details around connected events. This also provides a query you can run in your EDR to find these events.
- For a chronological view of the Signals, expand the Signal Timeline. This shows each signal on a graph, with tick marks indicating when the signal was triggered. This view gives a visual understanding of the signal data, including how many times it triggered and its cadence.
- The Agent Thought Process is a transparent view into how Nebulock agents problem solve. It provides a step-by-step look at the actions taken by the agents as they reason across the Finding's signals and context and come to a determination. This information allows for transparency and trust in the Nebulock platform.
Status and Resolution
- Findings Status tracks the current state of the Finding as it moves through the workflow: OPEN → IN PROGRESS → CLOSED.
- Findings Resolution identifies the outcome of the Finding:
  - Business Justified: expected activity due to business needs
  - False Positive: activity that is not accurately described by the signal or summary
  - Anomalous Safe: activity that is deemed benign, though not tied to any specific business justification
  - Testing Activity: indicates red team activity or testing of the Nebulock platform
  - Not Reproducible: anomalous activity that cannot be duplicated and is therefore deemed neither safe nor malicious
  - Fixes Implemented: activity that has been addressed through security or policy actions
- It is important to close out a Finding with the proper status and resolution when you have finished your review. The Nebulock agent uses these resolutions to arbitrate new signals, looking across similar Findings to determine how to proceed. Your input via the resolution ensures the agent has the accurate, up-to-date context needed for successful arbitration.
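The following is an added example, not Nebulock's own code or API. It models the status workflow and resolution rules described above as a small state machine: a Finding may only move OPEN → IN PROGRESS → CLOSED, closing requires one of the listed resolutions, and a helper tallies how earlier Findings that share a signal were resolved, which is the kind of context the agent draws on when the same signal recurs. Class names, the `signals` field, the rule names and the sample Findings are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Status(Enum):
    OPEN = "OPEN"
    IN_PROGRESS = "IN PROGRESS"
    CLOSED = "CLOSED"


class Resolution(Enum):
    BUSINESS_JUSTIFIED = "Business Justified"
    FALSE_POSITIVE = "False Positive"
    ANOMALOUS_SAFE = "Anomalous Safe"
    TESTING_ACTIVITY = "Testing Activity"
    NOT_REPRODUCIBLE = "Not Reproducible"
    FIXES_IMPLEMENTED = "Fixes Implemented"


# Allowed forward moves; assumed strictly linear, as the page lists them.
TRANSITIONS = {
    Status.OPEN: {Status.IN_PROGRESS},
    Status.IN_PROGRESS: {Status.CLOSED},
    Status.CLOSED: set(),
}


class WorkflowError(ValueError):
    """Raised for an out-of-order transition or a close without a resolution."""


@dataclass
class Finding:
    finding_id: str
    signals: tuple = ()            # rule names that opened this Finding (assumed field)
    status: Status = Status.OPEN
    resolution: Optional[Resolution] = None
    history: list = field(default_factory=list)

    def transition(self, new_status: Status,
                   resolution: Optional[Resolution] = None) -> "Finding":
        if new_status not in TRANSITIONS[self.status]:
            raise WorkflowError(
                f"{self.finding_id}: cannot move {self.status.value} -> {new_status.value}")
        if new_status is Status.CLOSED and resolution is None:
            raise WorkflowError(f"{self.finding_id}: CLOSED requires a resolution")
        if new_status is not Status.CLOSED and resolution is not None:
            raise WorkflowError(f"{self.finding_id}: resolution only applies when closing")
        self.history.append((self.status.value, new_status.value,
                             resolution.value if resolution else None))
        self.status = new_status
        self.resolution = resolution
        return self


def prior_resolutions(findings, signal: str) -> Counter:
    """Count how closed Findings that share `signal` were resolved.

    Only CLOSED Findings with a resolution contribute, so an analyst who leaves
    a Finding open or closes it without a resolution adds no context here."""
    return Counter(
        f.resolution.value
        for f in findings
        if f.status is Status.CLOSED and f.resolution is not None and signal in f.signals
    )


def demo():
    # Constructed sample Findings; rule names are placeholders.
    prior = [
        Finding("F-1", ("suspicious_parent_process",)).transition(Status.IN_PROGRESS)
            .transition(Status.CLOSED, Resolution.BUSINESS_JUSTIFIED),
        Finding("F-2", ("suspicious_parent_process",)).transition(Status.IN_PROGRESS)
            .transition(Status.CLOSED, Resolution.TESTING_ACTIVITY),
        Finding("F-3", ("suspicious_parent_process",)).transition(Status.IN_PROGRESS)
            .transition(Status.CLOSED, Resolution.BUSINESS_JUSTIFIED),
        Finding("F-4", ("encoded_command_line",)),   # still OPEN, so not counted
    ]
    counts = prior_resolutions(prior, "suspicious_parent_process")

    # Two workflow violations the model rejects.
    rejected = []
    try:
        Finding("F-5").transition(Status.CLOSED, Resolution.FALSE_POSITIVE)  # skips IN PROGRESS
    except WorkflowError as e:
        rejected.append(str(e))
    try:
        Finding("F-6").transition(Status.IN_PROGRESS).transition(Status.CLOSED)  # no resolution
    except WorkflowError as e:
        rejected.append(str(e))
    return counts, rejected


if __name__ == "__main__":
    counts, rejected = demo()
    print(dict(counts))
    for msg in rejected:
        print("rejected:", msg)
```

Running the script prints the resolution tally for the shared signal and the two rejected transitions. The point of the guard in `transition` is the same one the text makes: a Finding closed without a resolution contributes nothing to `prior_resolutions`, so the next time that signal fires there is no recorded outcome to reason from.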
Updated about 2 months ago
