Indicators of Attack (IOA) module lists

Accessing the lists

You can access the lists in two ways:

From the top menu, select Status. From the side menu, select Indicators of attack (IOA). Click the relevant widget.

Or:

From the top menu, select Status. From the side menu, click the Add link. A dialog box opens that shows the available lists.
In the Security section, select the Indicators of attack (IOA) list to see the corresponding template. Edit it and click Save. The list is added to the side menu.

Required permissions

Permission	Access to lists
View detections and threats	Indicators of attack (IOA)
Permissions required to access the Indicators of Attack (IOA) lists

Indicators of attack (IOA)

This list shows details of the IOAs detected on workstations and servers by Advanced EDR.

Each detection refers to a single computer and IOA type. If the same chain of suspicious events occurs on multiple computers, a separate detection is generated for each computer.
If the same pattern-computer-type triplet is detected multiple times, detections are grouped and the security software shows the number of repetitions in the Occurrences field. For more information about the grouping algorithm, see Groups of IOA-generated detections.

Field	Comment	Values
Computer	Name of the computer where the IOA was detected.	Character string
Group	Folder within the Advanced EDR folder tree the computer belongs to.	Character string
Indicator of attack	Name of the internal rule that detected the pattern of events that triggered the detection.	Character string
Occurrences	Number of occurrences of the detection. For more information about the grouping algorithm applied, see Groups of IOA-generated detections.	Number
Risk	Impact of the IOA detected: Critical High Medium Low Unknown	Enumeration
Action	Type of action taken by Advanced EDR on brute-force attack against RDP IOAs: Reported Attack blocked See Automatic response to RDP attacks.	Enumeration
Status	Archived: The detection no longer requires administrator attention because it was a false positive or was resolved. Pending: The detection has not been investigated by the administrator. See Indicators of attack (IOA).	Enumeration
Date	Date and time the IOA was last detected.	Date
Fields in the Indicators of Attack (IOA) list

Fields displayed in the exported file

Field	Comment	Values
Indicator of attack	Name of the rule that detected the pattern of events that triggered the detection.	Character string
Occurrences	Number of occurrences of the detection. For more information about the grouping algorithm applied, see Groups of IOA-generated detections.	Number
Risk	Impact of the IOA detected: Critical High Medium Low Unknown	Enumeration
Action	Type of action taken by Advanced EDR: Reported Attack blocked See Automatic response to RDP attacks.	Enumeration
Status	Archived: The detection no longer requires administrator attention because it was a false positive or was resolved. Pending: The detection has not been investigated by the administrator. See Indicators of attack (IOA).	Enumeration
Date	Date and time the IOA was last detected.	Date
Date archived	Date the detection was last archived.	Date
Time until archived	The time elapsed between when the IOA was detected and when you verified it and took remedial action where necessary.	Date
Group	Folder within the Advanced EDR folder tree the computer belongs to.	Character string
IP address	The computer primary IP address.	Character string
Domain	Windows domain the computer belongs to.	Character string
Description	Brief description of the strategy used by the adversary.	Character string
Fields in the Indicators of Attack (IOA) exported file

Filter tool

Field	Description	Values
Search computer	Computer name.	Character string
Risk	Impact of the IOA detected: Critical High Medium Low Unknown	Enumeration
Action	Type of action taken by Advanced EDR: Reported Attack blocked See Automatic response to RDP attacks.	Enumeration
Tactic	Category of the attack tactic that generated the detection, mapped to the MITRE matrix. To quickly find a specific tactic, enter the search terms in the text box. Click the icon and select the tactic that you want to filter the list by.	Character string
Dates	Time period when the detection was generated.	Last 24 hours Last 7 hours Last month
Status	Status of the detection.	Pending Archived
Indicator of attack	Name of the IOA that generated the detections to search for. To quickly find detections generated by a specific IOA, enter the search terms in the text box under the filter name. Click the icon and select the IOA that you want to filter the list for.	Character string
Technique	Category (and sub-category, if available) of the attack technique that generated the IOA, mapped to the MITRE matrix. When you filter by a technique, the list shows detections generated by IOAs that have that technique or one of its sub-technique associated. When you filter by a sub-technique, the list shows detections generated by IOAs that have that specific sub-technique associated. Techniques are identified by a character string in the TXXXX format. Sub-techniques are identified by a character string in the TXXXX.YYY format. To quickly find a specific technique, enter the search terms in the text box. Click the icon and select the technique that you want to filter the list by.	Character string
Filters available in the Indicators of Attack (IOA) list

Details page

Click an item in the list to open its details page. This page shows a detailed description of when and where the detection occurred, as well as details of the pattern of events that led to the detection.

Advanced IOAs also show the Activity tab. This tab shows all events that are part of the potential attack.

Field	Comment	Values
Status	Status of the detection, and date the status was assigned.	Pending Archived
Detection date	Date and time the IOA was last detected.	Date
Indicator of attack (IOA)	Name of the rule that detected the pattern of events that triggered the detection.	Character string
Risk	Impact of the IOA detected: Critical High Medium Low Unknown	Enumeration
Description	Description of the chain of events detected on the computer, and the consequences it could have if the attack achieves its objectives.	Character string
Advanced attack investigation (Not available for advanced IOAs)	Report with full details of the IOA that triggered the detection. Computer ID and date. Detected IOA type name. Detailed description of the internal functionality of the IOA that triggered the detection, mapped to the MITRE tactic and technique used. Operating system tools used in the attack. Computer details. Attack severity. Status of the computer with respect to the attack. Progress status of the attack. Users logged in at the time of the attack. IPs/URLs accessed. Daily repetitions of the attack. Diagram of the chain of processes involved in the attack. Advice for mitigating or remediating the attack. Reports are available for a month after the detection is generated. After this period, they are no longer accessible. Also, reports show events that have been part of the attack for the 30 days prior to the detection of the IOA.	Button
View attack graph (Not available for advanced IOAs)	Interactive diagram of the sequence of events that led to the detection. See Graphs.	Button
Action	Type of action taken by Advanced EDR: Reported Attack blocked See Automatic response to RDP attacks.	Enumeration
Recommendations	Remedial actions recommended by Cytomic.	Character string
Fields on the IOA Details page

Details tab

Field	Comment	Values
Computer	Name and group of the affected computer. If the computer is in containment mode, the End RDP attack containment mode button appears. See Manual termination of RDP attack containment mode.	Character string
Detected occurrences	Number of occurrences of the IOA. For more information about the grouping algorithm applied, see Groups of IOA-generated detections.	Number
Last event	Date and time the event that triggered the IOA occurred.	Date
View full activity details	Available for advanced IOAs. See Activity tab.
View computer investigation	See Investigation tab.
Other details	Data in JSON format that includes fields relevant to the event that led to the generation of the IOA. See Format of the events contained in telemetry data.	Character string
Tactic	Category of the attack tactic that generated the IOA, mapped to the MITRE matrix.	Character string
Technique	Category of the attack technique that generated the IOA, mapped to the MITRE matrix. It is identified by a character string in the TXXXX format.	Character string
Sub-technique	Sub-category (if available) of the attack technique that generated the IOA, mapped to the MITRE matrix. It is identified by a character string in the TXXXX.YYY format.	Character string
Platform	Operating system and environments where MITRE has previously recorded this type of attack.	Character string
Description	Details of the tactics and techniques used by the IOA detected, according to the MITRE matrix.	Character string
Fields on the IOA Details page

Activity tab

The details page for an advanced IOA shows an additional tab: Activity. This tab shows a list of all the events that triggered the detection. It enables you to see the sequence of steps taken by the malicious software and confirm or dismiss the attack.

Field	Comment	Values
Search	Filters the list by the contents of the Date and Action fields. You can type only a partial string.
Date	When the security software detected the event.	Date
Action	Summary of the event details. To get full details, click the event.	Character string
Export	Exports the list of events shown in the console to an Excel file.
Fields on the Activity tab

Click a row in the table to show the Event details side panel. This panel included two tabs:

Details: Shows detailed information for the event. For more information about the meaning of the fields, see Format of the events contained in telemetry data.
MITRE: Shows detailed MITRE information (for example, tactic, technique, sub-technique, and description). If the advanced IOA is associated with more than one technique, the MITRE tab shows the information in multiple sub-sections, one for each technique. All data on the MITRE tab is collected from the official website at https://attack.mitre.org/matrices/enterprise/.

Field	Description
Tactic	Name of the MITRE tactic associated with the advanced IOA. Tactics are identified by a character string in the TAXXXX format.
Technique	Name of the MITRE technique associated with the advanced IOA. Techniques are identified by a character string in the TXXXX format.
Sub-technique	Name of the MITRE sub-technique associated with the advanced IOA. Sub-techniques are identified by a character string in the TXXXX.YYY format.
Platform	Operating systems affected by the tactic and technique.
Permissions required	Permissions required to run the attack.
Description	Details of the tactics and techniques used by the IOA detected, according to the MITRE matrix.
Fields on the MITRE tab

Investigation tab

All types of IOAs enable you to open an Cytomic Orion investigation console to show all the telemetry collected on the computer for investigation purposes. To make your analysis easier, the investigation console focuses on the last event that triggered the IOA. You can trace back five days to review the context of the computer where the detection occurred, and trace forward one day to see the effects of the attack on the computer.

For more information about the investigation console, see Investigation section (5).

Groups of IOA-generated detections

To prevent too many detections in the management console, Advanced EDR groups two or more equal detections of the same IOA, showing the number of repetitions in the Occurrences field in the list of IOAs or in the Detected occurrences field on the IOA details page. To group two or more equal detections, they must be:

For the same IOA.
Detected on the same computer.
Detected close to each other in time.

The grouping algorithm that is used depends on the type of IOA and whether the computer is in Audit mode. For more information about how to enable or disable Audit mode, see Audit mode.

Detection grouping algorithm for standard IOAs

The security software logs the first detection and sets the Detected occurrences field to 1.
Equal detections made in the six hours after the first detection was logged are grouped together. The security software sends a detection at the end of each six-hour interval. (The Detected occurrences field indicates the total number of detections made.).
If the security software does not log an equal detection within a six-hour interval, then it does not send a detection for the interval.
After four intervals (24 hours), the process starts again.

Detection grouping algorithm for advanced IOAs

The security software logs the first detection and sets the Detected occurrences field to 1.
Equal detections made every hour after the first detection was logged are grouped together. The security software sends a detection at the end of each one-hour interval. (The Detected occurrences field indicates the total number of detections made.).
If the security software does not log an equal detection within the hour interval, then it does not send a detection for the interval.
After 24 hours, the process starts again.

Detection grouping algorithm for advanced IOAs with Audit mode enabled

Detections are not grouped if the computer is in Audit mode. The security software sends each detection with the Detected occurrences field set to 1.

Detection grouping algorithm for RDP attack IOAs

For more information about the network attack detection algorithm, see Detection and protection against RDP attacks.

Advanced EDR reports a maximum of 50 equal detections of the Network Attack IOA every 24 hours for each computer. For two detections of a Network Attack IOA to be considered the same, these conditions must be met:

The target computer must be the same.
The process involved on the target computer must be the same. Depending on the stage of the attack, this is the process that listens for the operating system RDP requests or any other process that is run remotely on the computer after a successful login preceded by multiple failed login attempts.