Reveal
Reveal is a Sekoia add-on module that adds asset intelligence to your investigation workflows. It enriches the asset context panel with vulnerability data, endpoint hygiene, behavioral signals, and attack path analysis.
Use Reveal to answer questions that alerts alone cannot answer:
- What is this asset, and is it vulnerable or poorly protected?
- What activity has occurred around it recently?
- Which other assets could it put at risk?
How Reveal works
Reveal builds asset context from multiple sources and surfaces it where analysts already work.
| Source | What it provides |
|---|---|
| Passive Asset Discovery | Creates and lightly enriches assets from identifiers observed in supported telemetry. Starts automatically when telemetry is ingested. |
| Event data | Powers timelines, Points of Interest, Attack Path Visualization, and alert and case context. |
| Asset Connectors | Creates and deeply enriches assets with structured data from identity providers, endpoint tools, vulnerability scanners, and asset inventories. |
| Sekoia Endpoint Agent | Creates and enriches endpoint assets with direct endpoint visibility and hygiene signals. |
You do not need all four sources to start. Each source unlocks additional capabilities.
Key capabilities
Asset context panel
The asset context panel is the primary investigation surface. Reveal extends it with vulnerability data, hygiene status, and behavioral signals.
Attack Path Visualization
Attack Path Visualization maps relationships between assets. Use it to identify lateral movement paths, intermediary assets, and connected security activity.
Points of Interest
Points of Interest surface behavioral anomalies on assets, such as unusual authentication patterns or rare locations. They appear during triage and investigation without requiring a separate alert.
Endpoint Hygiene
Endpoint Hygiene shows posture signals for endpoints, such as whether the firewall or disk encryption is enabled. It requires the Sekoia Endpoint Agent or a supported connector.
Vulnerability enrichment
Vulnerability enrichment shows whether an asset is affected by known CVEs. It requires a connected vulnerability scanner.
→ Vulnerability list and score
When to use Reveal
Use Reveal when you need asset context that your alerts do not provide. Typical situations include:
- Triaging an alert on an asset you do not recognize.
- Assessing whether a compromised asset can reach sensitive systems.
- Identifying assets that are vulnerable or poorly protected before an incident occurs.
- Investigating lateral movement during an active case.
Get started
To enable and configure Reveal, follow the Getting started with Reveal guide. It describes the required data sources, the recommended setup order, and how to validate each capability.
Related links
- Collect — Assets: Documentation on how assets are configured, discovered, and managed in Sekoia.
- Detection — IOC detection: Overview of detection capabilities in Sekoia, including rule-based and analytics-driven approaches.
- Integration — Asset categories: Reference for asset connector categories and integration setup.