Indicators of Attack (IOA) module lists

Accessing the lists

You can access the lists in two ways:

  • From the top menu, select Status. From the side menu, select Indicators of attack (IOA). Click the relevant widget.

Or:

  • From the top menu, select Status. From the side menu, click the Add link. A dialog box opens that shows the available lists.

  • In the Security section, select the Indicators of attack (IOA) list to see the corresponding template. Edit it and click Save. The list is added to the side menu.

Required permissions

Permission Access to lists

View detections and threats

  • Indicators of attack (IOA)

Permissions required to access the Indicators of Attack (IOA) lists

Indicators of attack (IOA)

This list shows details of the IOAs detected on workstations and servers by Advanced EDR.

  • Each detection refers to a single computer and IOA type. If the same chain of suspicious events occurs on multiple computers, a separate detection is generated for each computer.

  • If the same pattern-computer-type triplet is detected multiple times, detections are grouped and the security software shows the number of repetitions in the Occurrences field. For more information about the grouping algorithm, see Groups of IOA-generated detections.

Field Comment Values

Computer

Name of the computer where the IOA was detected.

Character string

Group

Folder within the Advanced EDR folder tree the computer belongs to.

Character string

Indicator of attack

Name of the internal rule that detected the pattern of events that triggered the detection.

Character string

Occurrences

Number of occurrences of the detection. For more information about the grouping algorithm applied, see Groups of IOA-generated detections.

Number

Risk

Impact of the IOA detected:

  • Critical

  • High

  • Medium

  • Low

  • Unknown

Enumeration

Action

Type of action taken by Advanced EDR for IOAs that detect brute-force attacks against RDP:

  • Reported

  • Attack blocked

See Automatic response to RDP attacks.

Enumeration

Status

  • Archived: The detection no longer requires administrator attention because it was a false positive or was resolved.

  • Pending: The detection has not been investigated by the administrator.

See Indicators of attack (IOA).

Enumeration

Date

Date and time the IOA was last detected.

Date

Fields in the Indicators of Attack (IOA) list

Fields displayed in the exported file

Field Comment Values

Indicator of attack

Name of the rule that detected the pattern of events that triggered the detection.

Character string

Occurrences

Number of occurrences of the detection. For more information about the grouping algorithm applied, see Groups of IOA-generated detections.

Number

Risk

Impact of the IOA detected:

  • Critical

  • High

  • Medium

  • Low

  • Unknown

Enumeration

Action

Type of action taken by Advanced EDR:

  • Reported

  • Attack blocked

See Automatic response to RDP attacks.

Enumeration

Status

  • Archived: The detection no longer requires administrator attention because it was a false positive or was resolved.

  • Pending: The detection has not been investigated by the administrator.

See Indicators of attack (IOA).

Enumeration

Date

Date and time the IOA was last detected.

Date

Date archived

Date the detection was last archived.

Date

Time until archived

The time elapsed between when the IOA was detected and when you verified it and took remedial action where necessary.

Date

Group

Folder within the Advanced EDR folder tree the computer belongs to.

Character string

IP address

The computer's primary IP address.

Character string

Domain

Windows domain the computer belongs to.

Character string

Description

Brief description of the strategy used by the adversary.

Character string


Fields in the Indicators of Attack (IOA) exported file

Filter tool

Field Description Values

Search computer

Computer name.

Character string

Risk

Impact of the IOA detected:

  • Critical

  • High

  • Medium

  • Low

  • Unknown

Enumeration

Action

Type of action taken by Advanced EDR:

  • Reported

  • Attack blocked

See Automatic response to RDP attacks.

Enumeration

Tactic

Category of the attack tactic that generated the detection, mapped to the MITRE matrix.

To quickly find a specific tactic, enter the search terms in the text box. Click the icon and select the tactic that you want to filter the list by.

Character string

Dates

Time period when the detection was generated.

  • Last 24 hours

  • Last 7 hours

  • Last month

Status

Status of the detection.

  • Pending

  • Archived

Indicator of attack

Name of the IOA that generated the detections to search for.

To quickly find detections generated by a specific IOA, enter the search terms in the text box under the filter name. Click the icon and select the IOA that you want to filter the list for.

Character string

Technique

Category (and sub-category, if available) of the attack technique that generated the IOA, mapped to the MITRE matrix.

  • When you filter by a technique, the list shows detections generated by IOAs that have that technique or one of its sub-techniques associated.

  • When you filter by a sub-technique, the list shows detections generated by IOAs that have that specific sub-technique associated.

Techniques are identified by a character string in the TXXXX format.

Sub-techniques are identified by a character string in the TXXXX.YYY format.

To quickly find a specific technique, enter the search terms in the text box. Click the icon and select the technique that you want to filter the list by.

Character string
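The technique filter rule above (a technique filter also matches its sub-techniques; a sub-technique filter matches only that exact sub-technique), as an added example that is not part of the original documentation or Cytomic's code. The IOA names and their technique associations are constructed sample data; the ID formats are the TXXXX and TXXXX.YYY strings described in the filter table.

```python
import re

TECHNIQUE_RE = re.compile(r"^T\d{4}$")             # TXXXX
SUB_TECHNIQUE_RE = re.compile(r"^T\d{4}\.\d{3}$")  # TXXXX.YYY


def technique_filter_matches(filter_id, ioa_technique_ids):
    """True if an IOA with the given associated technique IDs passes the filter.

    A technique filter (TXXXX) matches the technique itself and any of its
    sub-techniques (TXXXX.YYY); a sub-technique filter matches only that
    exact sub-technique.
    """
    if SUB_TECHNIQUE_RE.match(filter_id):
        return filter_id in ioa_technique_ids
    if TECHNIQUE_RE.match(filter_id):
        return any(t == filter_id or t.startswith(filter_id + ".")
                   for t in ioa_technique_ids)
    raise ValueError(f"not a MITRE technique or sub-technique ID: {filter_id!r}")


# Constructed sample detections: (IOA name, associated technique IDs).
# The IOA names are made up for this example.
SAMPLE_DETECTIONS = [
    ("Suspicious PowerShell launch", ["T1059.001"]),
    ("Scripted download", ["T1059", "T1105"]),
    ("RDP brute force", ["T1110.001"]),
]


def filter_detections(filter_id, detections=SAMPLE_DETECTIONS):
    """Names of the detections that remain in the list after applying the filter."""
    return [name for name, ids in detections
            if technique_filter_matches(filter_id, ids)]


if __name__ == "__main__":
    for f in ("T1059", "T1059.001", "T1110"):
        print(f, "->", filter_detections(f))
```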


Filters available in the Indicators of Attack (IOA) list

Details page

Click an item in the list to open its details page. This page shows a detailed description of when and where the detection occurred, as well as details of the pattern of events that led to the detection.

Advanced IOAs also show the Activity tab. This tab shows all events that are part of the potential attack.

Field Comment Values

Status

Status of the detection, and date the status was assigned.

  • Pending

  • Archived

Detection date

Date and time the IOA was last detected.

Date

Indicator of attack (IOA)

Name of the rule that detected the pattern of events that triggered the detection.

Character string

Risk

Impact of the IOA detected:

  • Critical

  • High

  • Medium

  • Low

  • Unknown

Enumeration

Description

Description of the chain of events detected on the computer, and the consequences it could have if the attack achieves its objectives.

Character string

Advanced attack investigation

(Not available for advanced IOAs)

Report with full details of the IOA that triggered the detection.

  • Computer ID and date.

  • Detected IOA type name.

  • Detailed description of the internal functionality of the IOA that triggered the detection, mapped to the MITRE tactic and technique used.

  • Operating system tools used in the attack.

  • Computer details.

  • Attack severity.

  • Status of the computer with respect to the attack.

  • Progress status of the attack.

  • Users logged in at the time of the attack.

  • IPs/URLs accessed.

  • Daily repetitions of the attack.

  • Diagram of the chain of processes involved in the attack.

  • Advice for mitigating or remediating the attack.

Reports are available for a month after the detection is generated. After this period, they are no longer accessible. Reports also include the events that were part of the attack during the 30 days before the IOA was detected.

Button

View attack graph

(Not available for advanced IOAs)

Interactive diagram of the sequence of events that led to the detection. See Graphs.

Button

Action

Type of action taken by Advanced EDR:

  • Reported

  • Attack blocked

See Automatic response to RDP attacks.

Enumeration

Recommendations

Remedial actions recommended by Cytomic.

Character string

Fields on the IOA Details page

Details tab

Field Comment Values

Computer

Name and group of the affected computer. If the computer is in containment mode, the End RDP attack containment mode button appears. See Manual termination of RDP attack containment mode.

Character string

Detected occurrences

Number of occurrences of the IOA. For more information about the grouping algorithm applied, see Groups of IOA-generated detections.

Number

Last event

Date and time the event that triggered the IOA occurred.

Date

View full activity details

Available for advanced IOAs. See Activity tab.


View computer investigation

See Investigation tab.


Other details

Data in JSON format that includes fields relevant to the event that led to the generation of the IOA. See Format of the events contained in telemetry data.

Character string

Tactic

Category of the attack tactic that generated the IOA, mapped to the MITRE matrix.

Character string

Technique

Category of the attack technique that generated the IOA, mapped to the MITRE matrix. It is identified by a character string in the TXXXX format.

Character string

Sub-technique

Sub-category (if available) of the attack technique that generated the IOA, mapped to the MITRE matrix. It is identified by a character string in the TXXXX.YYY format.

Character string

Platform

Operating systems and environments where MITRE has previously recorded this type of attack.

Character string

Description

Details of the tactics and techniques used by the IOA detected, according to the MITRE matrix.

Character string

Fields on the IOA Details page

Activity tab

The details page for an advanced IOA shows an additional tab: Activity. This tab shows a list of all the events that triggered the detection. It enables you to see the sequence of steps taken by the malicious software and confirm or dismiss the attack.

Field Comment Values

Search

Filters the list by the contents of the Date and Action fields. A partial string is enough to filter.


Date

When the security software detected the event.

Date

Action

Summary of the event details. To get full details, click the event.

Character string

Export

Exports the list of events shown in the console to an Excel file.


Fields on the Activity tab

Click a row in the table to show the Event details side panel. This panel includes two tabs:

  • Details: Shows detailed information for the event. For more information about the meaning of the fields, see Format of the events contained in telemetry data.

  • MITRE: Shows detailed MITRE information (for example, tactic, technique, sub-technique, and description). If the advanced IOA is associated with more than one technique, the MITRE tab shows the information in multiple sub-sections, one for each technique. All data on the MITRE tab is collected from the official website at https://attack.mitre.org/matrices/enterprise/.

Field Description

Tactic

Name of the MITRE tactic associated with the advanced IOA. Tactics are identified by a character string in the TAXXXX format.

Technique

Name of the MITRE technique associated with the advanced IOA. Techniques are identified by a character string in the TXXXX format.

Sub-technique

Name of the MITRE sub-technique associated with the advanced IOA. Sub-techniques are identified by a character string in the TXXXX.YYY format.

Platform

Operating systems affected by the tactic and technique.

Permissions required

Permissions required to run the attack.

Description

Details of the tactics and techniques used by the IOA detected, according to the MITRE matrix.

Fields on the MITRE tab

Investigation tab

All types of IOAs enable you to open a Cytomic Orion investigation console that shows all the telemetry collected on the computer for investigation purposes. To make your analysis easier, the investigation console focuses on the last event that triggered the IOA. You can trace back five days to review the context of the computer where the detection occurred, and trace forward one day to see the effects of the attack on the computer.

For more information about the investigation console, see Investigation section (5).

Groups of IOA-generated detections

To avoid flooding the management console with detections, Advanced EDR groups two or more equal detections of the same IOA and shows the number of repetitions in the Occurrences field in the list of IOAs, or in the Detected occurrences field on the IOA details page. For two or more detections to be grouped as equal, they must be:

  • For the same IOA.

  • Detected on the same computer.

  • Detected close to each other in time.

The grouping algorithm that is used depends on the type of IOA and whether the computer is in Audit mode. For more information about how to enable or disable Audit mode, see Audit mode.

Detection grouping algorithm for standard IOAs

  • The security software logs the first detection and sets the Detected occurrences field to 1.

  • Equal detections made in the six hours after the first detection was logged are grouped together. The security software sends a detection at the end of each six-hour interval (the Detected occurrences field indicates the total number of detections made).

  • If the security software does not log an equal detection within a six-hour interval, it does not send a detection for that interval.

  • After four intervals (24 hours), the process starts again.

Detection grouping algorithm for advanced IOAs

  • The security software logs the first detection and sets the Detected occurrences field to 1.

  • Equal detections made in the hour after the first detection was logged are grouped together. The security software sends a detection at the end of each one-hour interval (the Detected occurrences field indicates the total number of detections made).

  • If the security software does not log an equal detection within a one-hour interval, it does not send a detection for that interval.

  • After 24 hours, the process starts again.

Detection grouping algorithm for advanced IOAs with Audit mode enabled

Detections are not grouped if the computer is in Audit mode. The security software sends each detection with the Detected occurrences field set to 1.
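The three grouping rules above (standard IOAs, advanced IOAs, and advanced IOAs in Audit mode), as an added simulation that is not part of the original documentation or Cytomic's code. Detection times are plain hour offsets for one IOA on one computer. Two details the page does not state are assumed here: the first detection of a cycle is reported immediately, and the Detected occurrences value sent at the end of an interval is the running total for the cycle.

```python
# Interval length in hours and number of intervals per 24-hour cycle.
PROFILES = {
    "standard": (6, 4),   # 6-hour intervals, 4 per cycle
    "advanced": (1, 24),  # 1-hour intervals, 24 per cycle
}


def group_detections(hours, ioa_type="standard", audit_mode=False):
    """Return what the console receives as a list of (hour, occurrences).

    `hours` are raw detection times, in hours, for one IOA on one computer.
    Assumed (not stated on the page): the first detection of a cycle is
    reported at once, and the value sent at the end of an interval is the
    running total for the cycle.
    """
    hours = sorted(hours)
    if audit_mode and ioa_type == "advanced":
        # Audit mode: nothing is grouped, every detection is sent with 1.
        return [(h, 1) for h in hours]
    interval, n_intervals = PROFILES[ioa_type]
    sent, i = [], 0
    while i < len(hours):
        cycle_start, total = hours[i], 1
        sent.append((cycle_start, 1))  # first detection of the cycle
        i += 1
        for k in range(n_intervals):
            end = cycle_start + (k + 1) * interval
            in_interval = 0
            while i < len(hours) and hours[i] < end:
                in_interval += 1
                i += 1
            if in_interval:  # a silent interval sends nothing
                total += in_interval
                sent.append((end, total))
        # After n_intervals the cycle restarts with the next detection.
    return sent


# Constructed sample: equal detections at hours 0, 1, 2, 7 and 30.
SAMPLE = [0, 1, 2, 7, 30]

if __name__ == "__main__":
    print("standard:", group_detections(SAMPLE, "standard"))
    print("advanced:", group_detections(SAMPLE, "advanced"))
    print("advanced, audit:", group_detections(SAMPLE, "advanced", True))
```

With the sample, the standard profile reports 4 detections (occurrences 1, 3, 4 and a new cycle at hour 30) where Audit mode would report all 5 individually.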

Detection grouping algorithm for RDP attack IOAs

For more information about the network attack detection algorithm, see Detection and protection against RDP attacks.

Advanced EDR reports a maximum of 50 equal detections of the Network Attack IOA every 24 hours for each computer. For two detections of a Network Attack IOA to be considered the same, these conditions must be met:

  • The target computer must be the same.

  • The process involved on the target computer must be the same. Depending on the stage of the attack, this is the process that listens for RDP requests on the operating system, or any other process that is run remotely on the computer after a successful login preceded by multiple failed login attempts.