Sevco Security Shorts: Device Details Working View

As you've seen these last few weeks, we've been releasing a series of videos from Chief Strategy Officer Brian Contos highlighting how Sevco's 4D Asset Intelligence platform works, and how organizations can use it to better understand their IT environment. We call them Sevco Security Shorts.

Now, we're posting the transcripts of this series for those who would prefer to read the content.

Hey everybody, we're going to talk about the device details working view. This view is really neat. On the horizontal axis, we see specific devices. On the vertical, we see the sources for those devices, which are being pulled in via API in near real time.

Here we have Automox, CrowdStrike, Lansweeper.

Now the colors signify the last time that we've seen that device per source. So, in CrowdStrike, we saw this one 2 minutes ago. If we come down here, we saw this Lansweeper one 23 hours ago. Below that, it's four months ago, so maybe that's a device that's experiencing some problems. We need to take a look. Maybe we're de-provisioning it, so we're expecting this, but if we're not, it's something we can look into.

Now, this view in its entirety, all 586 devices, is being pulled from this source and filter mechanism on the left.

Here we have a Venn diagram that we’ve talked about before, with Microsoft Active Directory in this example, with CrowdStrike, and Automox. Collectively, they share 586 devices in common.

If I just want to click on CrowdStrike, where CrowdStrike is the only thing showing up, there's only one device there. Then I can also filter here by OS platforms, releases, MAC, regions, and so on. I've just selected Windows, Windows Server, and Linux to make things easy.

Now, if I want to look at a specific device and drill down, I'm going to use a little cheat here. I haven't talked about queries before, and this really deserves its own dedicated video, but for now I'm just going to do a quick search on a host, TTN, JCF. Again, we're going to come back to this in another video.

I pull up, via the query, one particular device. Again, we see the device information, we see the sources that are creating this particular device and the last time that this device has shown up in each, but now I select "Show Details".

This is really cool because each source, Malwarebytes versus CrowdStrike versus Microsoft Active Directory, is going to show us different information and different attributes. That makes sense, right, because security tools versus ops, config, risk management, and patching tools are all going to have different attributes.

What's really nice is that in this left-hand column, every single attribute from these four disparate devices is pulled together and put on display.

I also like this timeline feature. I can go ahead and pick a specific date, let's say February 15th. There are 17 events, a lot of events here.

We'll click on this one event and go to the 2:00 PM to 3:00 PM time slice and, with that, it looks like something happened at 2:28, so let's drill into that. We see a lot of interesting things here.

The first is that the MAC address changed, so maybe we moved from wired to wireless or vice versa and, because that changed, the manufacturers of those MACs changed, so we went from Dell to Intel. We see that the CrowdStrike agent was upgraded from 6.49 to 6.52 and, along with that MAC address change over here, we moved from a .206 to a .186 IP address.

Now, what’s great about this is you get this nice normalized, aggregated and correlated view from multiple sources for our single device.
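As an added illustration of what the working view computes (example code written for this transcript, not Sevco's code or API), the functions below take constructed per-source observations and produce the per-source last-seen ages behind the colour coding, the hosts in the Venn-diagram intersection of sources, the merged attribute list from all sources, and the attribute-change events that populate the timeline. Hostnames, times and values are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not Sevco output): (source, host, last_seen, attributes that source reports).
OBS = [
    ("CrowdStrike", "ttn-jcf", "2024-02-15T14:28:00", {"ip": "10.1.2.186", "agent": "6.52"}),
    ("Lansweeper", "ttn-jcf", "2024-02-14T15:30:00", {"ip": "10.1.2.186"}),
    ("Automox", "ttn-jcf", "2023-10-15T09:00:00", {"os": "Windows Server"}),
    ("CrowdStrike", "web-01", "2024-02-15T14:26:00", {"os": "Linux"}),
]
NOW = datetime(2024, 2, 15, 14, 30)  # "current time" for the constructed data

def correlate(observations):
    """Group per-source records by host: one row of the working view per host."""
    devices = defaultdict(dict)
    for src, host, seen, attrs in observations:
        devices[host][src] = {"last_seen": seen, **attrs}
    return devices

def last_seen_age(devices, host, now=NOW):
    """Age of each source's latest observation of the host (what the colours encode)."""
    return {src: now - datetime.fromisoformat(rec["last_seen"])
            for src, rec in devices[host].items()}

def stale_sources(devices, host, max_age=timedelta(days=30), now=NOW):
    """Sources that have not reported the host within max_age: worth a look."""
    ages = last_seen_age(devices, host, now)
    return sorted(src for src, age in ages.items() if age > max_age)

def seen_by_all(devices, sources):
    """Hosts present in every listed source: the Venn-diagram intersection."""
    return sorted(h for h, recs in devices.items() if set(sources) <= set(recs))

def merged_attributes(devices, host):
    """Every attribute any source reports for the host, tagged with the reporting source."""
    merged = defaultdict(dict)
    for src, rec in devices[host].items():
        for key, value in rec.items():
            if key != "last_seen":
                merged[key][src] = value
    return dict(merged)

# Two constructed snapshots of one source's record for a host, before and after a change.
BEFORE = {"mac": "02:00:00:00:00:01", "mac_vendor": "Dell", "ip": "10.1.2.206", "agent": "6.49"}
AFTER = {"mac": "02:00:00:00:00:02", "mac_vendor": "Intel", "ip": "10.1.2.186", "agent": "6.52"}

def diff_snapshots(old, new):
    """Timeline events: (attribute, old value, new value) for every attribute that changed."""
    return sorted((k, old.get(k), new.get(k)) for k in set(old) | set(new)
                  if old.get(k) != new.get(k))
```

With the sample data, `stale_sources(correlate(OBS), "ttn-jcf")` flags only Automox (last seen four months ago), and `diff_snapshots(BEFORE, AFTER)` yields the four changes the transcript walks through: agent version, IP, MAC and MAC vendor.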

Interested in seeing how Sevco can give you this kind of visibility in your own IT environment? Click here to schedule a personalized 1:1 demo with our team.
