System Guide

Glossary

  • Asset Group – a group of devices on an organization network, such as computers, whose security is managed by empow using security applications
  • Classification Center – empow cloud service that enriches i-SIEM
  • DPI – Deep Packet Inspection, inspection of the data part of network packets in addition to the header section, by network devices to identify malware
  • Device – any network component that communicates with i-SIEM
  • Flexible Plugin – a custom parser, with definitions to parse specific device log data and extract information for a security service; can be used as a security device
  • NTA – Network Traffic Analytics, analysis of network traffic to identify abnormal trends and patterns
  • SoA – Score of Anomaly, used in NTA and UEBA engines to express the strength of an anomaly
  • Tactic – Stage in an attack sequence conducted by an attacker to achieve a goal
  • Technique – A method used by attackers to achieve a goal in their attack process
  • Tenant – an entity representing multiple assets in the protected organization
  • UEBA – User and Entity Behavioral Analytics – analysis of user or entity-specific event information, such as access logs, to identify anomalous behavior

Entity Confidence Score

The confidence level given to an entity is calculated from the weighted number of evidences that were correlated together as logical cause-and-effect attack sequences.

The possible confidence levels are:

  • High
  • Medium
  • Low
  • Info

Each cause-and-effect correlation sequence gets a weighted score according to the correlation strength: the more immediate the step in the attack sequence, the higher the confidence score.

In the case of a spearphishing link technique (event 1) on a victim, followed by evidence of a malicious link user execution technique (event 2) on the same victim, the two evidences get a strong correlation, as this sequence is an immediate step in terms of an attack scenario.

In the case of a spearphishing attachment technique (event 1) on a victim, followed by a collection of data from local system technique (event 4) performed by the same victim, the sequence still makes sense but has a few step gaps. Usually we would expect to see execution of the malicious attachment delivered via email in between, and maybe even a credential access technique when trying to access the shared repository.

In the examples above, the confidence score will be higher in the first case than in the second case.
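The scoring described above, as an added example that is not empow's code: evidences are (technique, entity) pairs, evidences on the same entity are correlated in arrival order, and each cause-to-effect pair is weighted by how immediate the step is in an assumed attack-stage ordering. The stage ordering, the technique-to-stage mapping, the 1/gap weighting and the level thresholds are all assumptions made for illustration; the two evidence lists reproduce the two scenarios from the text.

```python
# Added example (not empow's code): a simplified model of the confidence score.
# Assumptions: ATT&CK-style stage ordering, the technique->stage mapping below,
# a 1/gap weight per correlated pair, and the level thresholds in confidence_level.

# Assumed attack-stage ordering.
STAGES = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "command-and-control", "exfiltration", "impact",
]
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

# Assumed technique -> stage mapping, covering the techniques used in the text.
TECHNIQUE_STAGE = {
    "Spearphishing Link": "initial-access",
    "Spearphishing Attachment": "initial-access",
    "User Execution: Malicious Link": "execution",
    "User Execution: Malicious File": "execution",
    "OS Credential Dumping": "credential-access",
    "Data from Local System": "collection",
}


def pair_weight(cause, effect):
    """Correlation weight of a cause->effect pair.

    An immediate next step (gap of one stage) weighs 1.0; every skipped stage
    weakens the correlation (1/gap). An effect at the same or an earlier stage
    than its cause is not a cause-and-effect sequence and weighs 0.
    """
    gap = STAGE_INDEX[TECHNIQUE_STAGE[effect]] - STAGE_INDEX[TECHNIQUE_STAGE[cause]]
    return 1.0 / gap if gap > 0 else 0.0


def correlate(evidences):
    """Pair each evidence with the previous evidence seen on the same entity.

    Returns (cause, effect, weight) triples; evidences on different entities
    are never correlated with each other.
    """
    last_seen = {}
    pairs = []
    for technique, entity in evidences:
        if entity in last_seen:
            cause = last_seen[entity]
            pairs.append((cause, technique, pair_weight(cause, technique)))
        last_seen[entity] = technique
    return pairs


def confidence_score(evidences):
    """Weighted number of correlated evidences: the sum of the pair weights."""
    return sum(weight for _, _, weight in correlate(evidences))


def confidence_level(score):
    """Map the numeric score onto the guide's four levels (thresholds assumed)."""
    if score >= 1.0:
        return "High"
    if score >= 0.5:
        return "Medium"
    if score > 0:
        return "Low"
    return "Info"  # a lone evidence with nothing correlated to it


# The two scenarios from the text, as constructed evidence lists.
IMMEDIATE_SEQUENCE = [
    ("Spearphishing Link", "victim-1"),
    ("User Execution: Malicious Link", "victim-1"),
]
GAPPED_SEQUENCE = [
    ("Spearphishing Attachment", "victim-2"),
    ("Data from Local System", "victim-2"),
]

if __name__ == "__main__":
    for name, seq in [("immediate", IMMEDIATE_SEQUENCE), ("gapped", GAPPED_SEQUENCE)]:
        score = confidence_score(seq)
        print(f"{name}: score={score:.3f} level={confidence_level(score)}")
```

Filling the gap in the second scenario with the expected execution and credential access evidences on the same victim raises its score, because each intermediate pair is a closer step than the single long jump.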

Entity Risk Score

The risk level given to an entity is calculated from the techniques detected on the entity, considering for each technique the entity role (victim or performer) and the action performed by the reporting data source.

The possible risk levels are:

  • High
  • Medium
  • Low

Below is a list of tactics and techniques, each with its associated risk levels:

*Note: the risk for a technique not listed below is determined by its tactic.

Name                                        Type       Victim Risk  Performer Risk
Abuse Elevation Control Mechanism           Technique  Medium       Medium
Access Token Manipulation                   Technique  Medium       Medium
BITS Jobs                                   Technique  Medium       Medium
Boot or Logon Autostart Execution           Technique  Medium       High
Boot or Logon Initialization Scripts        Technique  Medium       High
Brute Force                                 Technique  Medium       Medium
Create or Modify System Process             Technique  Medium       High
Credential Dumping                          Technique  Medium       Medium
Data Encrypted for Impact                   Technique  High         High
Defacement                                  Technique  High         High
Disabling Security Tools                    Technique  Medium       Medium
Drive-by Compromise                         Technique  Medium       Medium
Endpoint Denial of Service                  Technique  High         High
Event Triggered Execution                   Technique  Medium       Medium
File and Directory Permissions Modification Technique  Medium       Medium
Group Policy Modification                   Technique  Medium       Medium
Hijack Execution Flow                       Technique  Medium       High
Input Capture                               Technique  High         High
Internal Spearphishing                      Technique  High         High
Man-in-the-Middle                           Technique  Low          Low
Modify Authentication Process               Technique  Low          Low
Network Denial of Service                   Technique  High         High
Network Sniffing                            Technique  Low          Low
New Service                                 Technique  Medium       Medium
Policy Violation                            Technique  Low          Low
Pre-OS Boot                                 Technique  Medium       Medium
Process Injection                           Technique  Medium       Medium
Redundant Access                            Technique  Medium       Medium
Registry Run Keys / Startup Folder          Technique  Medium       Medium
Remote Access Tools                         Technique  High         High
Scheduled Task/Job                          Technique  High         High
Scripting                                   Technique  Medium       Medium
Sudo                                        Technique  Medium       Medium
Suspicious Connectivity                     Technique  Low          Low
Traffic Signaling                           Technique  Medium       Medium
Use Alternate Authentication Material       Technique  Medium       Medium
Valid Accounts                              Technique  High         Medium
Virtualization/Sandbox Evasion              Technique  Medium       Medium
Web Shell                                   Technique  High         High
Windows Management Instrumentation          Technique  Medium       High
Collection                                  Tactic     High         High
Command and Control                         Tactic     Medium       Medium
Credential Access                           Tactic     Low          Low
Defense Evasion                             Tactic     Medium       Medium
Discovery                                   Tactic     Low          Low
Execution                                   Tactic     High         High
Exfiltration                                Tactic     High         High
Impact                                      Tactic     Medium       High
Initial Access                              Tactic     Medium       Medium
Lateral Movement                            Tactic     Medium       High
Persistence                                 Tactic     Medium       High
Privilege Escalation                        Tactic     Medium       Medium

Device Response Action

An Observer Action is a normalized empow property that captures the action performed by the data source the event was received from. The data source can be, for example, a firewall, WAF or URL filter that denies or allows traffic, an email security gateway that blocks or quarantines messages, or an EDR that terminates a process or deletes a file.
empow categorizes these into Mitigated and No Action. A Mitigated action is any step taken by the observer that actually mitigated the attack and lowered the risk of the detected threat. No Action is the opposite: the observer only alerted on the event, and no further action was applied.

Here is a list of actions that are included in each category:

  • Mitigated – deny, block, process terminated, quarantine, delete, email removed, file deleted
  • No Action – allow, permit, alert, none
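The risk lookup from the Entity Risk Score section (with the technique-to-tactic fallback from its note) together with the Observer Action normalization above, as an added example that is not empow's code. Only a subset of the risk table is reproduced. The guide does not say how a mitigated action changes the risk; this example assumes a mitigated event counts one level lower (never below Low) and that the entity's level is the highest remaining event risk. The events are constructed; "Remote Services" stands in for a technique that is not in the guide's table.

```python
# Added example (not empow's code): technique -> tactic fallback for risk,
# Mitigated / No Action normalization, and an entity roll-up.
# Assumptions: a mitigated event is lowered by one level, the entity risk is the
# maximum over its events, and the tables below are a subset of the guide's table.

LEVELS = ["Low", "Medium", "High"]

# Subset of the risk table: name -> (victim risk, performer risk).
TECHNIQUE_RISK = {
    "Valid Accounts": ("High", "Medium"),
    "Web Shell": ("High", "High"),
    "Network Sniffing": ("Low", "Low"),
    "Boot or Logon Autostart Execution": ("Medium", "High"),
}
TACTIC_RISK = {
    "Initial Access": ("Medium", "Medium"),
    "Persistence": ("Medium", "High"),
    "Credential Access": ("Low", "Low"),
    "Lateral Movement": ("Medium", "High"),
    "Discovery": ("Low", "Low"),
}

# Raw device actions from the Device Response Action section, lower-cased.
MITIGATED_ACTIONS = {"deny", "block", "process terminated", "quarantine",
                     "delete", "email removed", "file deleted"}
NO_ACTION_ACTIONS = {"allow", "permit", "alert", "none"}


def observer_action(raw_action):
    """Normalize a device's raw action string into 'Mitigated' or 'No Action'."""
    action = raw_action.strip().lower()
    if action in MITIGATED_ACTIONS:
        return "Mitigated"
    if action in NO_ACTION_ACTIONS:
        return "No Action"
    raise ValueError(f"unmapped observer action: {raw_action!r}")


def technique_risk(technique, tactic, role):
    """Risk of a technique for a role; unlisted techniques inherit their tactic's risk."""
    if role not in ("victim", "performer"):
        raise ValueError(f"role must be 'victim' or 'performer', got {role!r}")
    column = 0 if role == "victim" else 1
    row = TECHNIQUE_RISK.get(technique) or TACTIC_RISK[tactic]
    return row[column]


def event_risk(technique, tactic, role, raw_action):
    """Risk contributed by one event, after accounting for what the observer did."""
    level = technique_risk(technique, tactic, role)
    if observer_action(raw_action) == "Mitigated":
        # Assumption: a mitigated event counts one level lower, never below Low.
        level = LEVELS[max(0, LEVELS.index(level) - 1)]
    return level


def entity_risk(events):
    """Highest event risk across an entity's events (Low if there are none)."""
    highest = max((LEVELS.index(event_risk(**e)) for e in events), default=0)
    return LEVELS[highest]


# Constructed events for one host acting as a victim.
HOST_EVENTS = [
    # Listed technique, nothing stopped it: High stays High.
    {"technique": "Valid Accounts", "tactic": "Initial Access",
     "role": "victim", "raw_action": "allow"},
    # Listed technique, EDR terminated it: High drops to Medium.
    {"technique": "Web Shell", "tactic": "Persistence",
     "role": "victim", "raw_action": "process terminated"},
    # Technique not in the table: falls back to the Lateral Movement tactic risk.
    {"technique": "Remote Services", "tactic": "Lateral Movement",
     "role": "victim", "raw_action": "alert"},
]

if __name__ == "__main__":
    for e in HOST_EVENTS:
        print(e["technique"], "->", event_risk(**e))
    print("entity risk:", entity_risk(HOST_EVENTS))
```

An unmapped action string raises rather than silently counting as No Action, so a new device vocabulary shows up as a parsing error instead of as an unexplained risk level.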

Reputation

As SOC analysts, we aspire to classify all our organization's files according to the probability of their being malicious. Since the number of files is usually high and rising every day, we should focus our efforts on those indicated to be suspicious.

The classification process should be as automated and clear as possible. empow determines file reputation by sending the file's hash to a variety of reputation engines.

The reputation engines' response is one of the following classifications:

  • Malicious – The file has been previously inspected and found to be malicious. Usually an additional description is appended.
  • Benign – The file has been previously inspected and found to be trusted.
  • Unknown – The file has not been inspected yet and its reputation is not determined.

In several cases, a file that was eventually determined to be malicious had its reputation updated just a few hours after it was declared 'unknown'. It is advised to check the status regularly.
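The hash-based lookup and the recheck of unknown files described above, as an added example that is not empow's implementation. The reputation engines are replaced by constructed in-memory dictionaries so the example runs offline, the rule for combining several engines' answers (any malicious wins, benign needs all engines to agree) and the six-hour recheck interval are assumptions, and the sample file contents are constructed.

```python
# Added example (not empow's code): send a file's hash to several reputation
# engines, combine their answers into malicious / benign / unknown, and re-query
# unknown hashes after an interval. Engines are constructed stand-ins; the
# combination rule and RECHECK_INTERVAL are assumptions.
import hashlib
from datetime import datetime, timedelta, timezone

RECHECK_INTERVAL = timedelta(hours=6)  # assumed re-query period for unknown files

# Constructed stand-ins for external reputation engines (sha256 -> verdict).
ENGINES = {"engine-a": {}, "engine-b": {}}


def file_hash(data):
    """SHA-256 of the file content; only this digest leaves the organization."""
    return hashlib.sha256(data).hexdigest()


def query_engines(sha256):
    """Ask every engine; an engine that has never seen the hash answers 'unknown'."""
    return {name: db.get(sha256, "unknown") for name, db in ENGINES.items()}


def combine_verdicts(responses):
    """Any 'malicious' wins; 'benign' needs every engine to agree; else 'unknown'."""
    verdicts = set(responses.values())
    if "malicious" in verdicts:
        return "malicious"
    if verdicts and verdicts == {"benign"}:
        return "benign"
    return "unknown"


def lookup(sha256, state, now):
    """Query (or re-query) a hash and record the result in `state`.

    Settled hashes (malicious / benign) are not queried again; unknown hashes
    are queried again only once their recheck time has passed.
    """
    entry = state.get(sha256)
    if entry and entry["reputation"] != "unknown":
        return entry["reputation"]
    if entry and entry["recheck_after"] > now:
        return "unknown"  # still unknown, not due for another query yet
    reputation = combine_verdicts(query_engines(sha256))
    state[sha256] = {
        "reputation": reputation,
        "recheck_after": now + RECHECK_INTERVAL if reputation == "unknown" else None,
    }
    return reputation


def due_for_recheck(state, now):
    """Unknown hashes whose recheck time has passed."""
    return sorted(h for h, e in state.items()
                  if e["reputation"] == "unknown" and e["recheck_after"] <= now)


def run_scenario():
    """Constructed walk-through: three files, then an engine learns about the new one."""
    mal = b"constructed sample: malicious"
    ben = b"constructed sample: benign"
    new = b"constructed sample: not yet seen"
    ENGINES["engine-a"].update({file_hash(mal): "malicious", file_hash(ben): "benign"})
    ENGINES["engine-b"].update({file_hash(ben): "benign"})

    state = {}
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    first = {name: lookup(file_hash(d), state, t0)
             for name, d in [("mal", mal), ("ben", ben), ("new", new)]}

    # Hours later one engine has analysed the new file and flags it.
    ENGINES["engine-b"][file_hash(new)] = "malicious"
    t1 = t0 + timedelta(hours=7)
    due = due_for_recheck(state, t1)
    second = {h: lookup(h, state, t1) for h in due}
    return first, due, second


if __name__ == "__main__":
    first, due, second = run_scenario()
    print("first pass:", first)
    print("due for recheck:", due)
    print("after recheck:", second)
```

Only the digest is sent out, so the engines never see file content; a benign verdict from one engine while another is silent stays unknown rather than being trusted on a single opinion.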

At empow, we allow the SOC analyst to classify files into 4 categories:

  • Malicious – The file is confirmed malicious. It is advised to take immediate action to contain the threat by preventing it from running and limiting its spread through the network. This can be accomplished by adding its hash to the blacklists of the organization's cyber defense tools and to the installed signature database.
  • Suspicious – Similar to 'unknown', with the slight difference that the file was involved in a sequence of suspicious events.
  • Benign – The file is confirmed trusted. It is up to the analyst's judgment whether to prevent additional false-positive results by adding its hash to the whitelists of the organization's cyber defense tools.
  • Unknown – The file is yet to be confirmed malicious or trusted. It is advised to keep following its reputation occasionally.

For an unknown or suspicious file, empow advises taking the following actions:

  • Inspect the file using advanced inspection tools to determine whether it is malicious.
  • Consider limiting the file's impact (its spread or execution) by adding its hash to the blacklist.