Indicators of Attack (IOA) module lists
Accessing the lists
You can access the lists in two ways:
-
From the top menu, select Status. From the side menu, select Indicators of attack (IOA). Click the relevant widget.
Or:
-
From the top menu, select Status. From the side menu, click the Add link. A dialog box opens that shows the available lists.
-
In the Security section, select the Indicators of attack (IOA) list to see the corresponding template. Edit it and click Save. The list is added to the side menu.
Required permissions
Permission | Access to lists |
---|---|
View detections and threats |
|
Indicators of attack (IOA)
This list shows details of the IOAs detected on workstations and servers by Advanced EDR.
-
Each detection refers to a single computer and IOA type. If the same chain of suspicious events occurs on multiple computers, a separate detection is generated for each computer.
-
If the same pattern-computer-type triplet is detected multiple times, detections are grouped and the security software shows the number of repetitions in the Occurrences field. For more information about the grouping algorithm, see Groups of IOA-generated detections.
Field | Comment | Values |
---|---|---|
Computer |
Name of the computer where the IOA was detected. |
Character string |
Group |
Folder within the Advanced EDR folder tree the computer belongs to. |
Character string |
Indicator of attack |
Name of the internal rule that detected the pattern of events that triggered the detection. |
Character string |
Occurrences |
Number of occurrences of the detection. For more information about the grouping algorithm applied, see Groups of IOA-generated detections. |
Number |
Risk |
Impact of the IOA detected:
|
Enumeration |
Action |
Type of action taken by Advanced EDR on brute-force attack against RDP IOAs:
|
Enumeration |
Status |
|
Enumeration |
Date |
Date and time the IOA was last detected. |
Date |
Fields displayed in the exported file
Field | Comment | Values |
---|---|---|
Indicator of attack |
Name of the rule that detected the pattern of events that triggered the detection. |
Character string |
Occurrences |
Number of occurrences of the detection. For more information about the grouping algorithm applied, see Groups of IOA-generated detections. |
Number |
Risk |
Impact of the IOA detected:
|
Enumeration |
Action |
Type of action taken by Advanced EDR:
|
Enumeration |
Status |
|
Enumeration |
Date |
Date and time the IOA was last detected. |
Date |
Date archived |
Date the detection was last archived. |
Date |
Time until archived |
The time elapsed between when the IOA was detected and when you verified it and took remedial action where necessary. |
Date |
Group |
Folder within the Advanced EDR folder tree the computer belongs to. |
Character string |
The computer primary IP address. |
Character string |
|
Windows domain the computer belongs to. |
Character string |
|
Description |
Brief description of the strategy used by the adversary. |
Character string |
Filter tool
Field | Description | Values |
---|---|---|
Search computer |
Computer name. |
Character string |
Risk |
Impact of the IOA detected:
|
Enumeration |
Action |
Type of action taken by Advanced EDR:
|
Enumeration |
Category of the attack tactic that generated the detection, mapped to the MITRE matrix. To quickly find a specific tactic, enter the search terms in the text box. Click the |
Character string |
|
Dates |
Time period when the detection was generated. |
|
Status |
Status of the detection. |
|
Indicator of attack |
Name of the IOA that generated the detections to search for. To quickly find detections generated by a specific IOA, enter the search terms in the text box under the filter name. Click the |
Character string |
Category (and sub-category, if available) of the attack technique that generated the IOA, mapped to the MITRE matrix.
Techniques are identified by a character string in the TXXXX format. Sub-techniques are identified by a character string in the TXXXX.YYY format. To quickly find a specific technique, enter the search terms in the text box. Click the |
Character string |
|
Details page
Click an item in the list to open its details page. This page shows a detailed description of when and where the detection occurred, as well as details of the pattern of events that led to the detection.
Advanced IOAs also show the Activity tab. This tab shows all events that are part of the potential attack.
Field | Comment | Values |
---|---|---|
Status |
Status of the detection, and date the status was assigned. |
|
Detection date |
Date and time the IOA was last detected. |
Date |
Name of the rule that detected the pattern of events that triggered the detection. |
Character string |
|
Risk |
Impact of the IOA detected:
|
Enumeration |
Description |
Description of the chain of events detected on the computer, and the consequences it could have if the attack achieves its objectives. |
Character string |
Advanced attack investigation (Not available for advanced IOAs) |
Report with full details of the IOA that triggered the detection.
Reports are available for a month after the detection is generated. After this period, they are no longer accessible. Also, reports show events that have been part of the attack for the 30 days prior to the detection of the IOA. |
Button |
View attack graph (Not available for advanced IOAs) |
Interactive diagram of the sequence of events that led to the detection. See Graphs. |
Button |
Action |
Type of action taken by Advanced EDR:
|
Enumeration |
Recommendations |
Remedial actions recommended by Cytomic. |
Character string |
Details tab
Field | Comment | Values |
---|---|---|
Computer |
Name and group of the affected computer. If the computer is in containment mode, the End RDP attack containment mode button appears. See Manual termination of RDP attack containment mode. |
Character string |
Detected occurrences |
Number of occurrences of the IOA. For more information about the grouping algorithm applied, see Groups of IOA-generated detections. |
Number |
Last event |
Date and time the event that triggered the IOA occurred. |
Date |
View full activity details |
Available for advanced IOAs. See Activity tab. |
|
View computer investigation |
See Investigation tab. |
|
Other details |
Data in JSON format that includes fields relevant to the event that led to the generation of the IOA. See Format of the events contained in telemetry data. |
Character string |
Tactic |
Category of the attack tactic that generated the IOA, mapped to the MITRE matrix. |
Character string |
Technique |
Category of the attack technique that generated the IOA, mapped to the MITRE matrix. It is identified by a character string in the TXXXX format. |
Character string |
Sub-technique |
Sub-category (if available) of the attack technique that generated the IOA, mapped to the MITRE matrix. It is identified by a character string in the TXXXX.YYY format. |
Character string |
Platform |
Operating system and environments where MITRE has previously recorded this type of attack. |
Character string |
Description |
Details of the tactics and techniques used by the IOA detected, according to the MITRE matrix. |
Character string |
Activity tab
The details page for an advanced IOA shows an additional tab: Activity. This tab shows a list of all the events that triggered the detection. It enables you to see the sequence of steps taken by the malicious software and confirm or dismiss the attack.
Field | Comment | Values |
---|---|---|
Search |
Filters the list by the contents of the Date and Action fields. You can type only a partial string. |
|
Date |
When the security software detected the event. |
Date |
Action |
Summary of the event details. To get full details, click the event. |
Character string |
Export ![]() |
Exports the list of events shown in the console to an Excel file. |
|
Click a row in the table to show the Event details side panel. This panel included two tabs:
-
Details: Shows detailed information for the event. For more information about the meaning of the fields, see Format of the events contained in telemetry data.
-
MITRE: Shows detailed MITRE information (for example, tactic, technique, sub-technique, and description). If the advanced IOA is associated with more than one technique, the MITRE tab shows the information in multiple sub-sections, one for each technique. All data on the MITRE tab is collected from the official website at https://attack.mitre.org/matrices/enterprise/.
Field | Description |
---|---|
Tactic |
Name of the MITRE tactic associated with the advanced IOA. Tactics are identified by a character string in the TAXXXX format. |
Technique |
Name of the MITRE technique associated with the advanced IOA. Techniques are identified by a character string in the TXXXX format. |
Sub-technique |
Name of the MITRE sub-technique associated with the advanced IOA. Sub-techniques are identified by a character string in the TXXXX.YYY format. |
Platform |
Operating systems affected by the tactic and technique. |
Permissions required |
Permissions required to run the attack. |
Description |
Details of the tactics and techniques used by the IOA detected, according to the MITRE matrix. |
Investigation tab
All types of IOAs enable you to open an Cytomic Orion investigation console to show all the telemetry collected on the computer for investigation purposes. To make your analysis easier, the investigation console focuses on the last event that triggered the IOA. You can trace back five days to review the context of the computer where the detection occurred, and trace forward one day to see the effects of the attack on the computer.
For more information about the investigation console, see Investigation section (5).
Groups of IOA-generated detections
To prevent too many detections in the management console, Advanced EDR groups two or more equal detections of the same IOA, showing the number of repetitions in the Occurrences field in the list of IOAs or in the Detected occurrences field on the IOA details page. To group two or more equal detections, they must be:
-
For the same IOA.
-
Detected on the same computer.
-
Detected close to each other in time.
The grouping algorithm that is used depends on the type of IOA and whether the computer is in Audit mode. For more information about how to enable or disable Audit mode, see Audit mode.
Detection grouping algorithm for standard IOAs
-
The security software logs the first detection and sets the Detected occurrences field to 1.
-
Equal detections made in the six hours after the first detection was logged are grouped together. The security software sends a detection at the end of each six-hour interval. (The Detected occurrences field indicates the total number of detections made.).
-
If the security software does not log an equal detection within a six-hour interval, then it does not send a detection for the interval.
-
After four intervals (24 hours), the process starts again.
Detection grouping algorithm for advanced IOAs
-
The security software logs the first detection and sets the Detected occurrences field to 1.
-
Equal detections made every hour after the first detection was logged are grouped together. The security software sends a detection at the end of each one-hour interval. (The Detected occurrences field indicates the total number of detections made.).
-
If the security software does not log an equal detection within the hour interval, then it does not send a detection for the interval.
-
After 24 hours, the process starts again.
Detection grouping algorithm for advanced IOAs with Audit mode enabled
Detections are not grouped if the computer is in Audit mode. The security software sends each detection with the Detected occurrences field set to 1.
Detection grouping algorithm for RDP attack IOAs
For more information about the network attack detection algorithm, see Detection and protection against RDP attacks.
Advanced EDR reports a maximum of 50 equal detections of the Network Attack IOA every 24 hours for each computer. For two detections of a Network Attack IOA to be considered the same, these conditions must be met:
-
The target computer must be the same.
-
The process involved on the target computer must be the same. Depending on the stage of the attack, this is the process that listens for the operating system RDP requests or any other process that is run remotely on the computer after a successful login preceded by multiple failed login attempts.