
Analyst Workbench


The Analyst Workbench is the primary workspace for SOC analysts performing real-time triage, investigation, and response. It combines alert queues, threat intelligence enrichment, MITRE ATT&CK kill-chain visualization, response actions, and investigation tools in a single split-pane view.


Layout

The workbench uses a split-pane layout:

| Pane | Content |
| --- | --- |
| Top (60%) | Case detail — alert/incident summary, timeline, raw events, MITRE mapping, AI analysis |
| Bottom (40%) | Investigation tools — threat intel, response actions, log search, evidence, notes |

A queue sidebar on the left shows all open alerts/incidents awaiting triage. Click any item to load it as the active case.


Triage Workflow

Step 1: Pick a Case

Open cases appear in the left queue sorted by severity (critical first). Each item shows:

  • 8-character case ID
  • Alert title (2 lines max)
  • Detection source and severity badge
  • Assignee (if taken)

Click a case to load its detail in the main pane.

Step 2: Review the Alert Summary

The top card shows:

  • Description — what was detected
  • Source IP / Destination — attacker and target
  • Host — affected endpoint
  • GeoIP — geolocation of external IPs
  • MITRE ATT&CK — mapped tactic and technique
  • Detection source — which rule or AI model triggered it

Step 3: Analyze with MITRE Kill-Chain

The kill-chain strip displays all 14 MITRE ATT&CK tactics as pills:

Recon → Resource Dev → Initial Access → Execution → Persistence → Priv Esc →
Defense Evasion → Credential Access → Discovery → Lateral Movement →
Collection → C&C → Exfiltration → Impact

Active tactics for the current case are highlighted. This shows where the attacker is in the kill-chain and what to expect next.

Step 4: Enrich with Threat Intelligence

The Threat Intel tab auto-enriches IOCs extracted from the alert:

  • IP addresses are looked up against threat feeds (AbuseIPDB, VirusTotal)
  • Domains are checked for reputation and known malware associations
  • File hashes are scanned against malware databases

Results show risk scores, abuse confidence, country of origin, and ISP information.

Step 5: Decide and Act

Based on your analysis, choose a verdict:

| Action | Keyboard | Description |
| --- | --- | --- |
| True Positive | 1 | Confirmed threat — triggers response workflow |
| False Positive | 2 | Benign activity — closes with FP classification |
| Escalate | 3 | Needs senior analyst review — creates incident |

Response Actions

When a threat is confirmed, take containment actions directly from the workbench:

| Action | Description | Requires |
| --- | --- | --- |
| Isolate Host | Network-isolate a compromised endpoint | NDR |
| Block IP | Block a malicious IP at the perimeter | NDR |
| Disable Account | Disable a compromised user account | |
| Kill Process | Terminate a malicious process on an endpoint | EDR |
| Scan Endpoint | Trigger an on-demand endpoint scan | EDR |
| Collect Forensics | Collect forensic artifacts from an endpoint | EDR |

Each action has a searchable input field. Type to search for the target (IP, hostname, username, process name) and select from suggestions.

Actions marked EDR or NDR require the corresponding license.


Investigation Tools

Search logs directly from the workbench without leaving the page:

  • IOC chips — click extracted IOCs (IPs, domains, hashes) to instantly search logs
  • Full text search — type any query to search across all log sources
  • Results show in-context with the investigation

Evidence Collection

Attach evidence to the current case:

  • Capture screenshots, log excerpts, or configuration snapshots
  • Evidence is linked to the alert/incident for audit trail
  • Available for both alerts and incidents

Investigation Notes

Pre-built templates for common investigation scenarios:

| Template | Use Case |
| --- | --- |
| Triage | Initial alert assessment and priority classification |
| Lateral Movement | Tracking attacker movement between hosts |
| Credential Abuse | Investigating compromised accounts and tokens |
| Malware | Analyzing malware artifacts and indicators |
| Data Exfiltration | Identifying data theft and unauthorized transfers |

Select a template to pre-populate the notes section with structured investigation fields.

Raw Event Viewer

Expand the Raw Event section to see the full JSON payload of the triggering event. Useful for:

  • Verifying exact field values
  • Identifying additional IOCs not shown in the summary
  • Copying event data for external analysis

Keyboard Shortcuts

The workbench supports keyboard-driven workflows for fast triage:

| Key | Action |
| --- | --- |
| j | Next case in queue |
| k | Previous case in queue |
| 1 | Verdict: True Positive |
| 2 | Verdict: False Positive |
| 3 | Verdict: Escalate |
| Space | Select/deselect for bulk triage |
| a | Open AI analysis |
| l | Focus log search |

Bulk Triage

For high-volume alert queues, use bulk triage to process multiple alerts at once:

  1. Press Space or click the checkbox on each alert you want to process
  2. A bulk action bar appears at the bottom showing the count
  3. Click True Positive or False Positive to apply the verdict to all selected alerts

This is useful during shift handoff or after a rule tuning session generates many similar alerts.


Analyst Metrics

A metrics strip at the top of the queue shows real-time SOC performance:

| Metric | Description |
| --- | --- |
| Today’s Triaged | Number of alerts triaged in the current shift |
| MTTD | Mean Time to Detect — average time from event to alert |
| FP Rate | False positive rate for the current period |
| Open Critical | Number of unresolved critical alerts |

Case Lifecycle

Take Ownership

Click Take Ownership to assign the case to yourself. This:

  • Sets you as the assigned analyst
  • Starts the SLA response timer
  • Shows your name on the queue item

Escalation

Click Escalate to:

  • Create an incident from an alert (if not already an incident)
  • Assign to a senior analyst or incident commander
  • Preserve all investigation notes and evidence

Close Case

Click Close Case to resolve with:

  • Resolution summary (required)
  • Classification (True Positive, False Positive, Benign)
  • Lessons learned (optional)

Common Investigation Scenarios

Scenario 1: Brute Force Attack

  1. Alert appears: Multiple Failed Login Attempts from 203.0.113.45
  2. Review summary — 50+ failed logins against admin account in 5 minutes
  3. Check MITRE — tactic: Credential Access, technique: T1110 Brute Force
  4. Enrich IP — threat intel shows IP from known attack infrastructure (abuse score: 95%)
  5. Search logs — click the IP chip → see all access attempts, check if any succeeded
  6. Respond — Block IP at perimeter, disable the targeted account temporarily
  7. Verdict — True Positive, close with note: “Blocked source IP, rotated admin credentials”
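The detection behind Scenario 1, as an added illustration that is not the product's own code: it replays constructed login events of the kind shown in the Raw Event viewer, raises an alert once one source IP exceeds the page's threshold (50 failures against one account within 5 minutes) with the T1110 mapping and the source IP as the IOC chip, and records whether a later success followed, which is the check step 5 asks the analyst to make. Field names and the event format are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not captured from any real system): 60 failed
# logins from one IP against "admin" over four minutes, one later success,
# and one unrelated failure from a different IP.
SAMPLE_EVENTS = [
    json.dumps({"ts": f"2024-01-01T10:{i // 60:02d}:{i % 60:02d}Z",
                "src_ip": "203.0.113.45", "user": "admin",
                "outcome": "failure", "host": "vpn-gw-01"})
    for i in range(0, 240, 4)
] + [
    json.dumps({"ts": "2024-01-01T10:04:30Z", "src_ip": "203.0.113.45",
                "user": "admin", "outcome": "success", "host": "vpn-gw-01"}),
    json.dumps({"ts": "2024-01-01T10:05:00Z", "src_ip": "198.51.100.7",
                "user": "bob", "outcome": "failure", "host": "vpn-gw-01"}),
]

THRESHOLD = 50                  # failed logins (page: "50+")
WINDOW = timedelta(minutes=5)   # sliding window (page: "in 5 minutes")

def parse(line):
    e = json.loads(line)
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return e

def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (src_ip, user) pair whose failures exceed
    `threshold` inside any `window`; `succeeded_after` flags a later
    successful login from the same pair (the step-5 check)."""
    events = sorted((parse(ln) for ln in lines), key=lambda e: e["ts"])
    failures = defaultdict(list)   # (src_ip, user) -> timestamps in window
    alerts = {}
    for e in events:
        key = (e["src_ip"], e["user"])
        if e["outcome"] == "failure":
            q = failures[key]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:   # expire old failures
                q.pop(0)
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {
                    "title": f"Multiple Failed Login Attempts from {e['src_ip']}",
                    "src_ip": e["src_ip"], "user": e["user"], "host": e["host"],
                    "count": len(q), "first_seen": q[0], "last_seen": e["ts"],
                    "mitre": {"tactic": "Credential Access", "technique": "T1110"},
                    "iocs": [e["src_ip"]],        # becomes the clickable IOC chip
                    "succeeded_after": False,
                }
        elif e["outcome"] == "success" and key in alerts:
            alerts[key]["succeeded_after"] = True   # account likely compromised
    return list(alerts.values())
```

A `succeeded_after` of True is what turns step 6 from "block the IP" into "block the IP and disable the account": the credential itself must be treated as compromised.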

Scenario 2: Suspicious Outbound Connection

  1. Alert appears: Unusual Outbound Traffic to Known C2 Domain
  2. Review summary — internal host connecting to evil-c2.example.com on port 443
  3. Check MITRE — tactic: Command and Control, technique: T1071 Application Layer Protocol
  4. Enrich domain — VirusTotal flags domain with 12/90 detections
  5. Search logs — find the process that initiated the connection, check for persistence mechanisms
  6. Respond — Isolate host, block domain at DNS, collect forensics from endpoint
  7. Escalate — create incident for full investigation of potential compromise

Scenario 3: Lateral Movement Detection

  1. Alert appears: SMB/RDP Activity Between Internal Hosts
  2. Review summary — workstation connecting to file server via SMB with admin credentials
  3. Check MITRE — tactic: Lateral Movement, technique: T1021 Remote Services
  4. Review timeline — check if there was a prior initial access alert for this host
  5. Search logs — look for authentication events, check if the admin account was compromised
  6. Respond — disable the admin account, isolate both hosts
  7. Use template — select “Lateral Movement” investigation template to document the attack path

Best Practices

  • Triage by severity — always start with critical alerts, work down to low
  • Use keyboard shortcuts — j/k navigation + 1/2/3 verdicts dramatically speed up triage
  • Enrich before deciding — always check threat intel before closing as false positive
  • Document everything — use investigation notes templates, attach evidence
  • Bulk triage similar alerts — when a noisy rule fires, select all similar alerts and batch-process
  • Check the kill-chain — if you see Initial Access, look for follow-up tactics like Execution or Persistence
  • Escalate when unsure — it’s better to escalate a false alarm than miss a real threat

Access Requirements

The Analyst Workbench requires the Respond (MDR) tier or above.