Cytomic Orion

Cytomic Orion: Release XXXVIII (10/05/2023)

Cytomic Orion version | 2.33.00

Main new features in this version

  • Hunting rules/Query Wizard
    1. Ability to use regular expressions in hunting rule conditions and in the Query Wizard.
      We have added the ability to define regular expressions in hunting rule conditions and in the Query Wizard. This provides greater flexibility and precision when you search for patterns and threats, because patterns can now be more complex.

    2. New event type (DeviceOps) in hunting rule definition options and in the Query Wizard.
      We have added a new event type (DeviceOps) to the hunting rule definition options.
      We have also enabled this event type in the Query Wizard.

    3. New properties for the ProcessOps event type in hunting rule definition options and in the Query Wizard.
      We have added the ParentStatus and ChildClassification properties to ProcessOps events.

    4. Hunting rule audit log.
      We have added an activity log at organization level for you to view the actions taken on hunting rules.

    5. We have added operating system information in hunting rule occurrence notifications.
      Orion enables you to define email notifications to inform recipients when an indicator is generated. In this version, we have enriched the information included in those notifications, by adding the operating systems associated with the hunting rule that generated the indicator.

Cytomic Orion: Release XXXVII (05/29/2023)

Cytomic Orion version | 2.32.00

Main new features in this version

  • Dashboards
    1. Ability to navigate from the MITRE dashboard to indicators.
      We have enabled the ability to navigate from the MITRE dashboard to indicators. Click a technique or sub-technique in the MITRE dashboard to open the indicator list automatically filtered by the relevant technique or sub-technique. Any other filter you select in the dashboard (Period, Clients, Risk, and Status) is also applied to the indicator list. This helps you take action on indicators.
  • Hunting rules/Query Wizard
    1. New event type in hunting rule definition options and in the Query Wizard.
      We have added a new event type (RegistryOps) to the hunting rule definition options.
      This event type has also been enabled in the Query Wizard.

    2. Email notification when a hunting rule is automatically disabled.
      If the Threat Hunting system detects that a hunting rule is using too many resources, it disables it automatically to avoid compromising system performance.
      As of this version, you receive an email notification when a hunting rule is disabled automatically.

Cytomic Orion: Release XXXVI (02/21/2023)

Cytomic Orion version | 2.31.00

Main new features in this version

  • Dashboards
    1. New dashboard showing indicators mapped to the MITRE matrix
      This dashboard provides quick, straightforward information about all the indicators detected by Orion sorted by the TTPs classified in the MITRE matrix.
  • Hunting rules/Query Wizard
    1. New types of events in hunting rule definition options and in the Query Wizard
      We have added new types of events to the hunting rule definition options, improving the search capability of hunting rules. These new types of events are: DnsOps, RemediationOps, SystemOps, and LoginOutOps.
      These types of events have also been enabled in the Query Wizard.
  • Settings
    1. Rules to automatically assign indicators to investigations
      This new feature enables you to streamline, simplify, and automate the list of pending indicators for users. Starting from this version, you can define rules to automatically assign indicators to investigations. The rules you create apply to the indicators detected by Orion, so that the indicators that meet certain conditions are automatically assigned to the relevant target investigations.
      Additionally, we have added a new Assignment rules section on the Settings page. This section shows the rules created so far in your organization.
      Note: This feature is available to users who have the Manage automatic indicator assignment rules permission.
  • Added new filters to a computer’s telemetry
    1. MITRE tactic and technique/sub-technique filters
      We have added new filters pertaining to the MITRE tactic and technique/sub-technique in computer investigations (forensic analysis).
      Orion collects information from MITRE for each telemetry event for which there is MITRE information available, and loads the appropriate filters based on that context.
      The information shown adapts to the applied filters.

    2. Filters pertaining to indicators associated with events
      All new versions of our antivirus solutions will be able to process hunting rules directly on endpoints. This way, the events will be directly associated with indicators detected by Orion.
      We have added a new filter in the Orion console that enables you to list only the events associated with an indicator.

Cytomic Orion: Release XXXV (12/19/2022)

Cytomic Orion version | 2.30.00

Main new features in this version

  • IOCs
    1. New IOC list
      We have added a new list on the “Settings” tab. This list shows the currently active IOCs in the organization which were uploaded through the API. This list provides analysts with visibility into which IOCs are being analyzed.
  • API
    1. Manage investigations through the API
      We have added new methods to the Orion API which enable you to manage investigations from the API. You can perform the following operations related to Orion investigations:

      1. Create investigations.

      2. Update investigations (name, classification, priority, description, assignee).

      3. Update clients for an investigation.

      4. Close investigations.

      5. Reopen investigations.

      6. Add or remove indicators from an investigation.

      7. Move indicators to a different investigation.

      8. Add, delete, list, or update comments for an investigation.

      9. List the types of entities of interest.

      10. Add, delete, list, or update entities of interest for an investigation.

    All operations performed through the API are reflected in the console.
  • Deletion rules
    1. New columns in the Deletion Rules list
      We have added these columns to the Deletion Rules list:

      1. Indicators deleted in the last 30 days: Shows the total number of indicators that have been deleted automatically by rules in the last 30 days.

      2. Last deletion date: Last date when an indicator was automatically deleted by a rule.

    These columns show how effective each deletion rule is, which helps you refine rules or permanently delete rules that no longer match anything.
  • Forensic analysis/Manual investigation of events
    1. AMSI buffer in System Ops event details
      As of this version, analysts can view the buffers that have been scanned by the AMSI technology on endpoints. You can find this information in a computer telemetry, by going to the details of a System Ops event (AMSI buffer scan request) and clicking "View script".
      From the dialog box shown, you can copy the entire buffer to the clipboard or download it to analyze it with the tool of your choice.

Cytomic Orion: Release XXXIV (08/30/2022)

Cytomic Orion version | 2.29.00

Main new features in this version

  • User management
    1. Force all users to use two-factor authentication (2FA). Users who have the “Manage users, permissions, and clients” permission can force all users to use 2FA (two-factor authentication) when logging in to Orion in order to reduce the risk of unauthorized access by hackers or insiders.

    2. Added a new “Two-factor authentication” field in the user list. You can now see which users have two-factor authentication enabled in the user list.
  • Activity audit
    Added new actions in the organization activity log.

    We have added the following actions in the organization activity log:

    1. Create automatic investigation template.

    2. Create graph template.

    3. Create quick answer template.

    4. Delete automatic investigation template.

    5. Delete graph template.

    6. Delete quick answer template.

    7. Modify automatic investigation template.

    8. Modify graph template.

    9. Modify quick answer template.

    10. Rename automatic investigation template.

    11. Rename graph template.

    12. Rename quick answer template.

    13. Update the description or category of an automatic investigation template.

    14. Update the description or category of a graph template.

    15. Update the description or category of a quick answer template.

    16. Copy graph template.

    17. Copy quick answer template.

    18. Copy automatic investigation template.
  • Hunting rules/Query wizard
    1. New CONTAINSINORDER operation in hunting rule conditions and in the query wizard.
      We have added a new operation (containsInOrder), which enables you to search for up to three strings in a specified order within another string.
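As an added illustration of the containsInOrder semantics described above (example code written for this page, not Orion's own implementation): each string must be found after the end of the previous match, and the function also takes a case-sensitivity flag, mirroring the case-sensitivity option on hunting rule conditions. The non-overlap rule and the use of Unicode case folding are assumptions of this example; the sample command lines are constructed.

```python
from typing import Sequence


def contains_in_order(haystack: str, needles: Sequence[str],
                      case_sensitive: bool = True) -> bool:
    """True if every string in `needles` occurs in `haystack` in the given order.

    Mirrors the documented semantics of containsInOrder (one to three strings).
    Assumptions made here: matches do not overlap (each search starts where the
    previous match ended), and case-insensitive matching uses Unicode case folding.
    """
    if not 1 <= len(needles) <= 3:
        raise ValueError("containsInOrder takes between one and three strings")
    if not case_sensitive:
        haystack = haystack.casefold()
        needles = [n.casefold() for n in needles]
    pos = 0
    for needle in needles:
        idx = haystack.find(needle, pos)
        if idx == -1:
            return False
        pos = idx + len(needle)
    return True


# Constructed sample command lines (not real telemetry).
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA",
    "powershell.exe -EncodedCommand SQBFAFgA -WindowStyle Hidden",
    "cmd.exe /c whoami",
]


def matching_cmdlines(cmdlines, needles, case_sensitive=False):
    """Apply one containsInOrder condition across a list of command lines."""
    return [c for c in cmdlines if contains_in_order(c, needles, case_sensitive)]


if __name__ == "__main__":
    # Only the first sample has the hidden-window switch before the encoded
    # command; the second has the same switches in the other order, so it is
    # not matched. Order is the point of this operation.
    print(matching_cmdlines(SAMPLE_CMDLINES,
                            ["powershell", "-windowstyle hidden", "-encodedcommand"]))
```

Because the strings must appear in order, a condition like the one above is narrower than three independent "contains" checks; write the order the attacker tooling actually produces, or use separate conditions when the order does not matter.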

Cytomic Orion: Release XXXIII (06/07/2022)

Cytomic Orion version | 2.28.00

Main new features in this version

  • Dashboards
    Improvements to the organization’s data usage dashboards: Usage by client.

    1. We have added a new dashboard that enables you to analyze data usage for the queries launched for the organization’s clients.

    2. Usage details are reported in a similar way as on the Users tab. You can see the client name and ID, an evolution graph, the total data used, and the number of queries.

    New dashboard with information about the data assigned to the organization.

    1. This dashboard shows the evolution of data assigned to the organization in the last 365 days.
  • Notifications
    Email notifications when data usage exceeds 80%, 90%, or 100% of the data assigned.

    1. As of this version, users receive an email when the organization’s data usage exceeds 80%, 90%, or 100% (as appropriate) of the total amount of data assigned.
  • Hunting rules
    Ability to delete hunting rules.

    1. We have added the ability to delete hunting rules. Only users who have the Manage hunting rules permission can delete hunting rules. You can delete hunting rules from the action bar or from the context menu.
  • Activity audit
    New Activity log section in the Settings menu.

    We have added a new organization-level activity log in the Settings section. In this first version, the logged actions are:

    1. User logins.

    2. User logouts.

    3. User logouts due to inactivity.

Cytomic Orion: Release XXXII (04/05/2022)

Cytomic Orion version | 2.27.00

Main new features in this version

  • Single Sign-On (SSO) from Cytomic Central
    This version includes the changes required to enable access to Orion from Cytomic Central (https://central.cytomic.ai).
    Cytomic Central is the common entry point for all Cytomic products. After this version is released, access to Orion through SSO will be enabled (scheduled for April 7, 2022).
  • Notebooks
    We have made improvements to the notebook execution process.

Cytomic Orion: Release XXXI (03/15/2022)

Cytomic Orion version | 2.26.00

Main new features in this version

  • Dashboards
    1. Improved data consumption widget for organizations. We have added a bar to the data consumption widget. This bar provides a graphical representation of the data used by the organization compared to the set limit.
      This widget is visible to all users and shows the total amount of data used in the current month (from day 1 of the month).
      The bar changes color based on the usage percentage, switching from purple to orange when data usage nears 90%, and turning red when it exceeds 90%.

    2. New panels with information about data usage for the organization. We have added two new panels that enable you to analyze data usage for the queries launched by users or applications in the organization.
      To view this data, you must have a new permission: “View data consumption dashboard”.
      The first panel shows data usage by user (or application name), and the second one shows data usage by query.
  • Remote Shell
    1. Remote Shell command audit. As of this version, you can view the actions taken in a remote session (operations with files, processes, and services).
  • Hunting rules
    1. Ability to exclude clients from a hunting rule. We have added the ability to exclude clients when you define a hunting rule. To do this, click ‘All clients except these’ from the Clients drop-down menu.
  • Investigations
    1. Improved workspace for investigations: tab groups. With this new feature, you can create up to two tab groups in an investigation’s details view. This enables you to adapt the investigation workspace to your needs, as you can see the content of two tabs of the same investigation at the same time.
  • Graphs
    1. New Download event in graphs: We have added a new event (Download) to the activity graph of processes.

Cytomic Orion: Release XXX (01/26/2022)

Cytomic Orion version | 2.25.00

Main new features in this version

  • Hunting rules
    1. “Operating systems” column in the Hunting Rules list. A new “Operating systems” column has been added to the Hunting Rules list. You can now sort or filter the list by operating system.
  • Indicators
    1. “Operating systems” column in the Indicators list. A new “Operating systems” column has been added to the Indicators list. You can now sort, filter, or group the list by operating system.
  • Graphs
    1. Ability to run automated notebooks from a graph with context information. When viewing a graph, you can switch from the graph to a notebook. For that, a new “Automated investigation” option has been added to the context menu of nodes.
  • Investigations
    1. Ability to move indicators. There are now more options for moving indicators between investigations. Starting from this version, you can move an indicator from an ongoing investigation to a new investigation.

Cytomic Orion: Release XXIX (12/13/2021)

Cytomic Orion version | 2.24.00

Main new features in this version

  • Graphs
    1. Predefined filters in graphs. The search bar of graphs enables you to apply different predefined filters to the data shown: by node type (processes, IP addresses, etc.) and classification (goodware, malware, suspicious item, etc.). This selects all nodes that meet the applied filters.
  • Console
    1. Ability to send console notifications by email. You can select whether you want to receive console notifications by email.
  • User management
    1. Improved user management interface. The user list has been improved to show, in the center pane, user roles and the client groups visible to each user. The list can be sorted by different criteria, filtered, and exported.
  • Advanced queries
    1. New tables available in advanced queries. The “Evidence” and “Indicators” new tables contain unaggregated information about the evidence that triggered indicators as well as indicators themselves.
  • API
    1. New “machines” method. This method has two functionalities:

      1. Given a client ID, the method returns all of the client’s machines and the first time/last time they were seen.

      2. Given a client ID and a machine name as parameter, the method returns all of the client’s machines that contain the specified string and the first time/last time they were seen.
  • NotebookLib
    1. Configurable execution order and timeline components. In the NotebookLib library, you can configure the field by which to sort the execution order and timeline components.

Cytomic Orion: Release XXVIII (11/10/2021)

Cytomic Orion version | 2.23.00

Main new features in this version

  • IOCs API
    1. IOC searches from the API show only clients visible to the user: When a user uses the API endpoint to retrospectively search for IOCs (IP/Domain/MD5/URL), search results are limited to clients visible to the user.

    2. Client IDs included in response DTOs: The response DTO returned after running a retrospective IOC search now includes the client the machine belongs to.

    3. Expiration date as a parameter when importing IOCs: Up to now, when importing an IOC, the user included the expiration date as part of the URL. Example:

      https://..................../iocs/Url?ttlDays=10
      As of this version, this parameter is configured at IOC level, so you can set a different expiration date for each IOC when importing multiple IOCs in the same request, by adding the parameter “DaysToExpiration”:10 to the body of each IOC.

Cytomic Orion: Release XXVII (10/06/2021)

Cytomic Orion version | 2.22.00

Main new features in this version

  • Graphs
    1. Ability to hide nodes after you run a search. Up to now, when you ran a search on a graph in Orion, results were highlighted in the graph. As of this version, you can also hide nodes that do not match search results.
  • Console
    1. Console notifications. This new feature enables all users to receive notifications from Cytomic. It provides a new communication channel to inform users of new versions, planned maintenance operations, service incidents, etc.

Cytomic Orion: Release XXVI (09/08/2021)

Cytomic Orion version | 2.21.00

Main new features in this version

  • Graphs
    1. Ability to select search results. You can select results when searching in graphs. This is useful, for example, for deleting the selected nodes, getting information about their child nodes, or, in a future version, grouping nodes.
    2. Improved graph creation times.
    3. Improved default zoom in graphs. Up to now, when a graph was created, it took too much space. Graph representation has been improved to make graphs fit the available space better.
  • Client visibility
    1. Client visibility is respected in data explorations: When exploring data (from a notebook, through the API, or with an advanced query from the console), users can see results only from clients they have permissions on.

Cytomic Orion: Release XXV (08/12/2021)

Cytomic Orion version | 2.20.00

Main new features in this version

  • Graphs
    1. Graph searches. Users can now search for items in graphs. Items that match the search criteria are highlighted.
  • Indicators
    1. Ability to move indicators between existing investigations: Users can now move indicators between investigations, either from a specific investigation or from the indicator grid.

Cytomic Orion: Release XXIV (07/07/2021)

Cytomic Orion version | 2.19.00

Main new features in this version

  • Hunting rules
    1. Rules for notifying indicators by email. Users can create notification rules based on indicator characteristics (Clients, Severity, or Hunting Rules). Also, users can associate each rule with N email addresses that will receive the notification, and configure notification limits.
  • Notebooks/Graphs
    1. Optional save. When saving a newly created document (either a graph or a notebook), three options are shown: Save, Don’t save, or Cancel.
  • API
    1. New method for getting machine info for a list of devices. (Up to now, there was a method that enabled you to get information for a single machine in a call).

Cytomic Orion: Release XXIII (06/09/2021)

Cytomic Orion version | 2.18.00

Main new features in this version

  • Investigations
    1. Added a new column (Assigned to) to the investigation selector from which you can add an indicator to an open investigation.
  • User management
    1. Created a new role (Full Control), which automatically grants users access to all features provided by Orion (current and future). This role cannot be modified.

Cytomic Orion: Release XXII (05/19/2021)

Cytomic Orion version | 2.17.00

Main new features in this version

  • Graphical representation (Graphs)
    1. When exiting a graph, you are asked if you would like to save the changes made.
    2. Ability to perform actions on multiple nodes: After you select multiple nodes you can, provided all selected nodes support this feature, perform a number of actions on all of them simultaneously. For example, display the parent node of the nodes, their child nodes, show all their activities, etc.
  • Indicators
    1. Ability to manually delete indicators: The behavior with deleted indicators is similar to the behavior with excluded indicators: After they are deleted, they are sent to the recycle bin, where they are kept for seven days. After that time, they are permanently deleted. Until then, deleted indicators can be restored from the recycle bin at any time.

Cytomic Orion: Release XXI (04/21/2021)

Cytomic Orion version | 2.16.10

Main new features in this version

  • Graphical representation (Graphs)
    1. Users can view if a process has child processes or not. The aim of this feature is to show terminal nodes (without child processes) and non-terminal nodes (with child processes).
    2. Non-terminal nodes show the number of child processes of each type (E.g.: N processes, Y communications, Z data access, etc.).
  • Investigations
    1. Ability to close investigations. When a user is working on the console and opens investigations, these are displayed in the navigation bar. This new feature enables users to close investigations so that the memory taken up by each investigation in the user’s browser is freed.
  • Indicators
    1. Deletion rules now support MUID and MachineName lists. Up to now, only one MUID/MachineName could be associated with one deletion rule. This feature allows N MUIDs/MachineNames to be associated with one rule.
      1. NOTE: Comma-separated lists are allowed.
    2. ‘Select all’ feature. Ability to select all lines for groups and other items contained in the views displayed from the Indicators feature in order to add ‘all’ selected indicators to an investigation, create a new investigation, or delete indicators (this latter option will be available in the next release).
  • User management
    1. ‘All clients’ group. Added a new group (‘All clients’) for all organizations. This group will contain all existing and future clients provisioned to an organization. This group is read only.

Cytomic Orion: Release XX (03/17/2021)

Cytomic Orion version | 2.15.00

Main new features in this version

  • Hunting rules
    Up to now, every hunting rule condition was case sensitive: uppercase and lowercase letters were treated as distinct both in the condition and in the events matched against it. From this version on, when creating a hunting rule, you can choose whether each condition is case sensitive, that is, whether uppercase and lowercase letters are distinguished when the condition is matched against events.
  • Graphical representation (Graphs)
    Multiple layers in nodes. Users can now show/hide information on graphs. Additionally, the changes made to the information to be shown/hidden on a graph persist if you navigate from the graph. The layers you can show/hide are as follows:

    1. Execution sequence
    2. Names displayed in the edge labels
    3. Node names
  • Indicators
    1. Managing deletion rules from “Settings”: ability to manage deletion rules from the “Settings” section.
      1. List of deletion rules: ability to list all deletion rules a user can view. You can filter and search for rules in the grid.
      2. Ability to edit/delete deletion rules.
      To edit/delete deletion rules, the user must have the “Manage deletion rules” permission.
    2. Ability to “select all” items in the grid: From this version on, users can select all items in the indicator view with any type of filter applied to the grid.
      1. NOTE: This version still doesn’t enable users to select all items in a group at once.

Cytomic Orion: Release XIX (03/01/2021)

Cytomic Orion version | 2.14.00

Main new features in this version

  • Custom hunting rules by client
    From this version on, when creating a custom hunting rule, you can choose the client or client group the rule will be applied to, including all clients in the organization.
  • Graphical representation (Graphs)
    This release includes the following improvements to the Graphs feature:
    • Display of new PE file-related events:
      1. Create
      2. Rename
      3. Modify
      4. Delete
    • Event sequence: Each edge is assigned a sequential number based on the date when the event occurred.
    • The node icons have been replaced with icons of the most popular applications.

Cytomic Orion: Release XVIII (02/02/2021)

Cytomic Orion version | 2.13.00

Main new features in this version

  • Graphical representation (Graphs). This release includes the following improvements to the Graphs feature:

    1. The color of each node identifies the classification of the item: Unknown/PUP/suspicious files are indicated with an orange node, malware files are indicated with a red node, etc.
    2. The icon of each node identifies the action taken on the item (whether it was blocked, the process was killed, the file was quarantined, etc.)
    3. Added the ability to view ‘All the activity’ performed by a process
    4. Improvements to the context menu of nodes (visual appearance, sorting of options, etc.)
  • OSQuery. From this version on, analysts can get full details of OSQuery jobs in order to identify the status of each job on the computers where the query was launched:

    1. Identify all machines where the query was launched
    2. Identify all machines where the query completed successfully
    3. Identify all machines where the query failed and why
    4. Identify all machines where the query is in Pending status or was canceled due to timeout

Cytomic Orion: Release XVII (12/22/2020)

Cytomic Orion version | 2.12.20

Main new features in this version

  • Graphical representation (graphs)
    1. From this version on, analysts have graphs available that provide graphical aid in investigations. Use cases:
      1. New users in a client: Given two time windows, you can get the users that performed new activities in the second time window.
      2. Process activity: Ability to view all the activities performed by a process. You can also query the items in the graph and iterate over it (for example, to view the activities performed by the child processes of a parent process).
  • Hunting rules
    1. Ability to add MITRE tactics/techniques when creating/editing hunting rules. Also, these techniques are displayed in the list of rules.

Cytomic Orion: Release XVI (11/18/2020)

Cytomic Orion version | 2.11.10

Main new features in this version

  • Custom hunting rules
    1. From this version on, analysts can create their own hunting rules using a ‘Rule Builder’, assign a risk level to them, and enable/disable them at any time. These rules will be checked against the event stream in real time.
    2. The rule creation process includes a validation step to ensure that the new rule generates a manageable number of indicators, prompting the analyst to review the rule if it doesn’t.
    3. Additionally, users in the organization will have a list of all available hunting rules: both rules created by the users in the organization and those created by Cytomic, as well as the ability to export the list.

Cytomic Orion: Release XV (11/04/2020)

Cytomic Orion version | 2.11.00

Main new features in this version

  • Queries
    1. From this version, when searching for a client in the query wizard, you can only search for clients you have permissions on.
  • Forensic analysis/Manual investigation of events
    1. Added, in the result grid, the ability to group records by columns, in the same way as with other features (indicators, advanced queries, etc.).
    2. From now on, you can access the events for a specific machine or file using a URL: https://orion.cytomicmodel.com/forensics/muid/{MUID}/md5/{MD5}, where you have to specify the relevant MUID and MD5 values. The user needs to be authenticated to use this feature.
    3. Data lake consolidation: all occurrences of the same NetworkOps event are aggregated and only one event is logged every 15 minutes. The "Times" field shows the number of events that occurred during those 15 minutes.
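The consolidation above changes what a query over NetworkOps returns: a beaconing process that connects every minute shows up as a single record per 15-minute window with Times = 15, not as fifteen rows. The following added example (written for this page, not Orion's own code) reproduces that aggregation over constructed sample events so you can see which fields you are left with. Two assumptions: the fields that make two NetworkOps events "the same" (machine, process, remote address, port, protocol) are not stated in the note and are chosen here, and windows are aligned to the clock (:00, :15, :30, :45) rather than sliding.

```python
from datetime import datetime, timezone

# Constructed sample NetworkOps events (not real Orion telemetry).
SAMPLE_EVENTS = [
    {"ts": "2020-11-04T10:00:05Z", "muid": "M1", "process": "chrome.exe",
     "remote_ip": "203.0.113.10", "port": 443, "proto": "tcp"},
    {"ts": "2020-11-04T10:03:40Z", "muid": "M1", "process": "chrome.exe",
     "remote_ip": "203.0.113.10", "port": 443, "proto": "tcp"},
    {"ts": "2020-11-04T10:14:59Z", "muid": "M1", "process": "chrome.exe",
     "remote_ip": "203.0.113.10", "port": 443, "proto": "tcp"},
    # Same key, but one second later it falls into the next window.
    {"ts": "2020-11-04T10:15:00Z", "muid": "M1", "process": "chrome.exe",
     "remote_ip": "203.0.113.10", "port": 443, "proto": "tcp"},
    # Different remote address, so a different key even within the same window.
    {"ts": "2020-11-04T10:02:00Z", "muid": "M1", "process": "chrome.exe",
     "remote_ip": "203.0.113.11", "port": 443, "proto": "tcp"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def window_start(ts: datetime) -> datetime:
    """Floor a timestamp to the start of its clock-aligned 15-minute window
    (assumption of this example; the note does not say how windows are cut)."""
    return ts.replace(minute=(ts.minute // 15) * 15, second=0, microsecond=0)


def aggregate_networkops(events):
    """Collapse repeated NetworkOps events into one record per key per
    15-minute window, carrying a "Times" counter and first/last timestamps.

    Returns the aggregated records ordered by window, then remote address."""
    buckets = {}
    for ev in events:
        ts = parse_ts(ev["ts"])
        # Assumed identity of a NetworkOps event: who connected where, and when.
        key = (ev["muid"], ev["process"], ev["remote_ip"], ev["port"], ev["proto"],
               window_start(ts))
        rec = buckets.get(key)
        if rec is None:
            buckets[key] = {
                "muid": ev["muid"], "process": ev["process"],
                "remote_ip": ev["remote_ip"], "port": ev["port"], "proto": ev["proto"],
                "window": key[-1], "first_seen": ts, "last_seen": ts, "Times": 1,
            }
        else:
            rec["Times"] += 1
            rec["first_seen"] = min(rec["first_seen"], ts)
            rec["last_seen"] = max(rec["last_seen"], ts)
    return sorted(buckets.values(), key=lambda r: (r["window"], r["remote_ip"]))


def high_rate_connections(events, threshold: int):
    """(remote_ip, window, Times) for keys whose Times reaches `threshold` in a
    single window: the check a rule thresholding on the Times field would make."""
    return [(r["remote_ip"], r["window"].isoformat(), r["Times"])
            for r in aggregate_networkops(events) if r["Times"] >= threshold]


if __name__ == "__main__":
    for r in aggregate_networkops(SAMPLE_EVENTS):
        print(r["window"].strftime("%H:%M"), r["remote_ip"], "Times =", r["Times"])
```

Note the consequence for hunting rules: a condition that counts NetworkOps rows undercounts after consolidation, so thresholds on connection frequency should read the Times field rather than counting records.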
  • API
    1. Added the ability to get all details about a specific machine (MUID).
    2. Added the ability to run advanced queries.
  • DPA
    1. When a user logs in to the console, they now have to accept the Data Processing Agreement (DPA).

Cytomic Orion: Release XIV (10/03/2020)

Cytomic Orion version | 2.10.00

New features

  • Indicators and hunting rules
      1. Exclusions: Exclusions are set by default with maximum restrictions (all filters are preselected). This can be changed at a later stage.
      2. Usability: Filters are kept throughout the user session so that users can navigate from one section to another without having to set the same filters over and over again.
      3. Hunting rules for account discovery and privilege escalation on Linux systems: Added four new hunting rules for Linux devices:
        1. TA0007 – Discovery
          1. T1087 - Account Discovery – Hunting Rule: CatShadowRule
            Detects execution of the Linux “cat” command to read the /etc/shadow file. This file stores password hashes together with account expiration and validity information, and is normally readable only by privileged users.
          2. T1087 - Account Discovery – Hunting Rule: GetentPasswdRule
            Detects execution of the getent passwd Linux command, which queries the user database through the Name Service Switch (local files and any configured network directory). This enables an adversary to enumerate all user accounts, not just the local ones.
          3. T1087 - Account Discovery – Hunting Rule: CatPasswdRule
            Detects execution of the Linux “cat” command to read the /etc/passwd file. This world-readable file lists the system’s user accounts with their UID, GID, home directory, and login shell (password hashes live in /etc/shadow on modern systems), so it tells an adversary which accounts exist and which of them can log in interactively.
        2. TA0004 - Privilege Escalation
          1. T1169 – Sudo – Hunting Rule: CatSudoersRule
            Detects use of the Linux “cat” command to read the sudoers file. Its content reveals which users and groups may run which commands with elevated privileges, which an adversary can use to plan privilege escalation.
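The four Linux rules above are command-line matches, which makes them easy to reproduce and to test locally before relying on them. The following added example (written for this page; it is not Orion's rule engine or its rule definitions) runs equivalent rules over constructed ProcessOps-style events. Two details worth noting: the sample normalisation strips a leading sudo and the binary's directory so "/usr/bin/cat" and "sudo cat" still fire, and the last sample event shows the limitation of a cat-only rule: reading /etc/passwd with grep, less, awk or head is not caught, so production rules should match on the file path rather than on one binary. The technique label T1169 is kept as the release note states it; current ATT&CK has deprecated T1169 and covers sudo under T1548.003 (Sudo and Sudo Caching).

```python
import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class HuntingRule:
    name: str
    tactic: str
    technique: str
    pattern: re.Pattern


# Patterns run against the normalised command line. The trailing (\s|$) keeps
# "/etc/passwd" from matching "/etc/passwd-" or "/etc/passwd.bak".
RULES = [
    HuntingRule("CatShadowRule", "TA0007", "T1087",
                re.compile(r"^cat\b.*\s/etc/shadow(\s|$)")),
    HuntingRule("GetentPasswdRule", "TA0007", "T1087",
                re.compile(r"^getent\s+passwd\b")),
    HuntingRule("CatPasswdRule", "TA0007", "T1087",
                re.compile(r"^cat\b.*\s/etc/passwd(\s|$)")),
    # Labelled T1169 as in the release note; current ATT&CK folds it into T1548.003.
    HuntingRule("CatSudoersRule", "TA0004", "T1169",
                re.compile(r"^cat\b.*\s/etc/sudoers(\s|$)")),
]


def normalise(cmdline: str) -> str:
    """Reduce a raw command line to 'binary args...': drop a leading sudo, strip
    the directory from the binary (/usr/bin/cat -> cat) and collapse whitespace,
    so the rules match however the command was invoked."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes; fall back to a plain split
        argv = cmdline.split()
    if argv and argv[0] == "sudo":
        argv = argv[1:]
    if not argv:
        return ""
    argv[0] = argv[0].rsplit("/", 1)[-1]
    return " ".join(argv)


def evaluate(event: dict) -> list:
    """Return the rules whose pattern matches this event's command line."""
    cmd = normalise(event["cmdline"])
    return [r for r in RULES if r.pattern.search(cmd)]


def hunt(events):
    """Run every rule over every event and return one indicator per hit."""
    indicators = []
    for ev in events:
        for rule in evaluate(ev):
            indicators.append({"host": ev["host"], "user": ev["user"],
                               "rule": rule.name, "tactic": rule.tactic,
                               "technique": rule.technique})
    return indicators


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "web01", "user": "www-data", "cmdline": "cat /etc/shadow"},
    {"host": "web01", "user": "www-data", "cmdline": "/usr/bin/getent passwd"},
    {"host": "db02", "user": "alice", "cmdline": "sudo cat /etc/sudoers"},
    {"host": "db02", "user": "alice", "cmdline": "cat -n /etc/passwd /etc/group"},
    {"host": "db02", "user": "alice", "cmdline": "cat /etc/hostname"},
    # Same goal, different binary: a cat-only rule does not fire on this one.
    {"host": "db02", "user": "alice", "cmdline": "grep root /etc/passwd"},
]

if __name__ == "__main__":
    for ind in hunt(SAMPLE_EVENTS):
        print(ind)
```

The first event (a web server service account reading /etc/shadow) is the kind of hit worth a high risk level; the same command from an administrator's interactive shell on a jump host is routine, so client and user context, not the command alone, should drive the severity you assign to rules like these.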
  • Exploration
    1. You can now change the size of query panels just as you do with indicators.
  • Forensic analysis/Manual investigation of events
    1. Optimized navigation of the process tree.
    2. You can now change the size of query panels just as you do with indicators.
    3. From now on, as long as you are authenticated in Orion, you can access forensic analysis without being in an investigation, through a URL that accepts as parameters the machine identifier (MUID) and the “from” and “to” dates of the analysis.
      You can also pass an MD5 as a parameter to get the computers on which the hash has been identified.
  • Investigations with Notebooks
    1. Added option to export to HTML.
  • Reports
    1. Added a report to view data usage per user.
  • API
    1. Added the ability to query Cytomic’s Threat Intelligence using a list of hashes. Up to now, you could only perform queries with one hash at a time.
    2. Added the ability to query for a computer’s MUID using the MachineName.

Cytomic Orion: Release XIII (08/12/2020)

Cytomic Orion version | 2.09.00

New features

  • Added the ability to create users with the same login info in different organizations.
  • Improved indicator removal feature:
    1. Multi-client removal rules that take into account the user’s permissions on clients.
    2. Automatic insertion/removal of escape characters in removal rules.
  • In advanced queries on the data lake, results are now displayed in descending order based on the total number of items.
  • In forensic analyses, when selecting the “From” date, the “To” date is automatically set to the same value as the “From” date.

Cytomic Orion: Release XII (07/08/2020)

Cytomic Orion version | 2.08.00

New features

  • Integration of OSQuery for multi-endpoint and multi-client operations. The new version of Cytomic Orion expands its capabilities with OSQuery, a key tool in investigations, enabling organizations to query in real time about numerous entities, attributes, and system statuses across all protected endpoints.
    This new feature enhances the existing capabilities of the Cytomic platform, which allows remediation actions to be taken in real time from the cloud and simplifies the detection and investigation of security incidents across one or multiple organizations, all through a single deployed agent.
    It is important to note that for the OSQuery feature to work correctly, it is necessary:
    1. To enable it on the backend. To do so, please contact your sales representative or Cytomic’s support department.
    2. The Windows agent must be version 1.16.10.0000 or later.
  • New interface for easier investigation management. Until now, the information provided for each investigation in the list of investigations was scarce and did not allow for good management. The new version includes a new organization of the list of investigations, providing the following information for each investigation: assigned analyst, severity, status, classification, and creation date.
    Additionally, the client selector now displays the client name, if the user has the required permission.
  • MITRE ATT&CK for Linux. The new version adds new threat intelligence data from the MITRE ATT&CK framework. This improves the detection of threat actors by applying real-time analysis of the behavior of Linux endpoints and servers.
    The new threat indicators detected thanks to this intelligence are directly mapped to the various attack techniques described by the MITRE ATT&CK framework for Linux.
    This threat intelligence for Linux systems extends the already-existing, ever-evolving intelligence based on the behavioral analysis of Windows systems. Both the intelligence for Linux and the intelligence for Windows are mapped to the MITRE ATT&CK framework.
  • Ability to delete users. As of this version, users with the appropriate permission can delete other users. Reactivating a user in the same organization entails recovering the information about the user that existed before the deletion.
  • Orion API adaptations. As of July 8, the API domain will change to API.Orion.Cytomic.ai. The current domain will remain active until August 8.
    In IOC search methods, indicator details are also returned in JSON format through the optional showDetailsJson parameter, to facilitate integration.
    In the clues query of the Indicators methods, the timestamp is the time of the last occurrence.
    In addition, some items have been homogenized:
    1. Parameters (FileHashIoc becomes Hash and DomainIoc becomes Domain).
    2. Hyphens (“-”) are now included in MUIDs in IOC lookups.
    3. URLs are homogenized in IOC searches. Example:
      Now: /applications/iocs/IpIoc?TtlDays=3000&retrospective=True
      Homogeneous path: /applications/iocs/Ip?TtlDays=3000&retrospective=True

Cytomic Orion: Release XI (05/27/2020)

Cytomic Orion version | 2.07.00

New features

  • INDICATORS – MITRE ATT&CK. Information about tactics and techniques from the ATT&CK Matrix for Enterprise is included with each indicator.
    MITRE ATT&CK provides the analyst with actionable context information and helps them to understand the objectives, attack vectors, how the intrusion occurred, and any actions carried out.
    It also provides security teams with a guide to identify weaknesses in existing security controls.
  • INVESTIGATION FILTERS TO IMPROVE USABILITY. In an investigation, you can change the status, its resolution, priority and clients impacted, or delegate it to other members of the security operations team. To make it easier to manage, search filters with the following characteristics have been incorporated.
  • FILTERS FOR QUERIES ON INDICATORS ON API_ORION. Indicator queries on API_Orion allow you to filter results using input parameters such as: Machine name or ID; Indicator identifier; or hunting rules that trigger the indicators.
  • NEW, MORE INTUITIVE ICONS IN THE INVESTIGATION CONSOLE. We've changed the icons for the different types of events in the investigation console, with the aim of making them more intuitive. This document provides a description of the new icons and their relation to the previous ones.

Cytomic Orion: Release X (05/06/2020)

Cytomic Orion version | 2.06.00

New features

  • INDICATORS. Starting with this version, the internal threat intelligence data that triggered each Indicator is described in detail, leveraging the real-time telemetry captured at the endpoints.
    This information is always updated. The next version will also integrate detailed information from the MITRE ATT&CK for Enterprise framework.
  • CASE ASSIGNMENT AND EMAIL NOTIFICATIONS. In organizations with analyst teams and management levels, it is necessary to delegate or assign investigations among analysts.
    For example, triage of Indicators is done by Tier 1 Analysts, who open new investigations and assign them to Tier 2 Analysts who, in turn, investigate incidents in detail and may respond to threats.
    This version allows investigations to be assigned among analysts, with assignment notifications via email enabled by default.
    When notifications are enabled, the analysts receiving them can access the investigations in Cytomic Orion directly through a link in the email.
  • JUPYTER NOTEBOOKS AND PDF REPORTS. From the presentation mode of a Jupyter Notebook, either static or interactive, you can now generate and download the notebook in .pdf format. This makes it possible to send and share conclusions or reports with another member of the team, with a customer, etc.
  • MANAGEMENT OF JUPYTER NOTEBOOKS IN INVESTIGATIONS. This version improves the search, filtering and organization of the Notebooks used in investigations, allowing filtering, ordering, arrangement in columns, etc.

Bug fixes

  • A number of problems with the visualization of endpoint details have been fixed.

Cytomic Orion: Release IX (03/30/2020)

Cytomic Orion version | 2.05.00

New features

  • Name changes. The names of some sections have changed (Alerts to Indicators and Cases to Investigations), as well as the names of some of the actions available from the console, using industry terminology.
  • Alert (indicator) exclusions. All excluded indicators can now be seen in a new section called ‘Bin’ in the Indicators section. From this ‘Bin’ it is possible to delete and recover excluded indicators.
  • The exclusion rules can now be edited and deleted.
  • New validator for the regular expressions that can be used in exclusion rules.
  • The excluded indicators are now deleted automatically after seven days. Indicators that clients had excluded in previous versions are automatically deleted on updating to this new version.
  • Improvements to cases (investigations). A priority (critical / high / medium / low) and a classification (confirmed attack / potential attack / investigation without confirmed attacks) can now be set, making it easy to identify the open cases that require more urgent attention.
  • Option to add text comments and images to cases (investigations). Everything added is recorded, specifying who added each comment to the investigation, when, and what was added.
  • Design improvements in the alerts (indicators) section, displaying the filters and details of the indicators on the right.
  • Design improvements also in the cases (investigations) section.
  • Shortcut added to the release notes from the menu displayed in the top right of the console.
  • Control over the maximum number of events viewable on a computer (150,000).
  • Ability to request details of indicators in the get_alerts method both in calls to the Threat Hunting library from notebooks and calls to the API that can be used for integrations.

Bug fixes

  • Fixed dates that were displayed incorrectly in certain cases.

Cytomic Orion: Release VIII (02/13/2020)

Cytomic Orion version | 2.04.09

New features

  • Introduced the new RESPONSE API. This API can be used to contain and eradicate threats in an automated way. It can be used in different integrations, for example, with SOAR tools. This RESPONSE API provides two functionalities which will be extended in future versions (isolate computers and restart computers). Example use case: Organizations can import IOCs using the API and, if an IOC is detected, isolate the computer.
  • Ability to query IOCs synchronously via API. The API lets analysts synchronously get the machines where a file hash, URL, IP, or domain IOC has been seen.
  • Optimized loading of alerts. In organizations with many alerts, it took several seconds for alerts to be loaded and displayed. This has been dramatically optimized. 500 alerts are initially downloaded and the remaining alerts are downloaded as the client scrolls down.
  • New presentation mode for Jupyter Notebooks. This mode shows results in full screen mode by default without displaying the source code.
  • Added summary information to the details field of events. This makes it easier to see all details of events at a glance, helping analysts conduct investigations more efficiently.

Cytomic Orion: Release VII (12/02/2019)

Cytomic Orion version | 2.04.00

New features

  • Introduced an API to feed Orion with CyberThreat Intelligence. This API allows us to incorporate hash, URL, IP, and domain IOCs into Orion. Analysts will be able to search for these IOCs in real time against newly-generated telemetry as well as against historical telemetry from the past 365 days. If a match is found, an alert will be generated.
  • API to get Orion alerts. Useful for creating automations based on the alert information or to feed the SIEM with our alerts via API.
  • API to get extended file information. This API allows analysts to get the machines and paths where a specific hash has been seen.
  • Ability to create application users in Orion. These are required to use the Orion API. These users may have limited client visibility and permissions on different APIs.

Cytomic Orion: Release VI (11/12/2019)

Cytomic Orion version | 2.03.05

New features

  • Made significant changes to the infrastructure in order to improve the robustness and scalability of the platform.
  • This lays the foundations for having external-facing APIs.

Cytomic Orion: Release V (10/01/2019)

Cytomic Orion version | 2.03.00

New features

  • Ability to configure time zones so that each user/analyst can view the time of the events in the console in their time zone or in other time zones. Particularly suited to companies with offices in multiple countries with different time zones.
  • Automatic calculation of the ‘real’ time at which alerts are generated so that, if the local time is incorrect, the analyst can be provided with accurate information.
  • Ability to display the local time and the ‘real’ time in queries and advanced investigations.
  • Ability to import IOCs from Notebooks (as well as via API). You can designate a Notebook to import IOCs easily. IOCs can also be imported through the Threat Hunting library invoked from Notebooks.
  • Ability to search for machines by name instead of by MUID as before.
  • Ability to view detailed information about computers and their security status.

Cytomic Orion: Release IV (09/04/2019)

Cytomic Orion version | 2.02.01

Bug fixes

  • Fixed a security problem that could grant access to Notebooks belonging to other client accounts.

Cytomic Orion: Release III (08/07/2019)

Cytomic Orion version | 2.02.00

New features

  • Permissions have been grouped together in the console for better understanding.
  • Parameterized Notebooks and dialog boxes show entities of interest for quick and easy autocomplete.
  • Improved design of reports exported to PDF format.
  • New Threat Hunting library version. This version allows analysts to get the list of machine names with a single query and accepts MUID parameters to filter machines.

Cytomic Orion: Release II (07/19/2019)

Cytomic Orion version | 2.01.00

New features

  • Ability to contain threats by isolating one or multiple computers.
  • Ability to eliminate active threats by sending restart commands to one or multiple computers.
  • Ability to remotely access computers for detailed investigation purposes. Supported actions: remote shell, file transfer, and ability to view and take action on all processes and services running on the target machine.
  • Ability to access the Cytomic tool via remote shell. Supported actions: create a complete memory dump, create process dumps, delete files by hash or path with the ability to undo the action, capture traffic, launch NetInfo, list open ports, list running processes with loaded modules, and view the browsing history.
  • Alerts notifying detections made by Cytomic EDR/EPDR’s advanced security policies.
  • Ability to exclude alerts using regular expressions in order to reduce ‘noise’ for Alert Triage technicians.
  • Ability to export the contents of Notebooks to PDF in order to generate reports that can be delivered to management or to clients themselves.
  • Context-sensitive help in key areas of the console.

Cytomic Orion: Release I (05/20/2019)

Cytomic Orion version | 2.00.00

  • First version of Cytomic Orion, a data analytics solution that enables organizations to detect advanced threats, do threat hunting, and respond to incidents.
  • Cytomic Orion complements Cytomic EDR/Cytomic EPDR by providing complete visibility into all relevant events occurring on endpoints and detecting anomalous activity through Artificial Intelligence and behavior pattern search techniques.