Indicators of Attack module panels/widgets

From the top menu, select Status. From the side menu, select Indicators of attack (IOA).

Required permissions

Permission: View detections and threats

Widgets accessible with this permission:

  • Threat Hunting Service

  • Detections trend

  • Indicators of attack (IOA) mapped to the MITRE ATT&CK matrix

  • Detected indicators of attack (IOA)

  • Indicators of attack (IOA) by computer

Permissions required to access the Indicators of Attack widgets

All widgets, except Threat Hunting Service, show only information generated by the network computers that are visible to the role assigned to the administrator account used to access the console.

Advanced EDR shows detections with the Pending status in widgets when it detects suspicious activity on the customer network. See Introduction to IOA concepts.

For more information about the IOA detection grouping strategies implemented in Advanced EDR, see Groups of IOA-generated detections.

Threat Hunting Service

This widget shows a summary of the events, indicators, and IOAs for all computers and devices on the network, for a selected time, to help you determine if there are intrusion attempts.

Threat Hunting Service panel

Meaning of the data displayed
Data Description

Events

Number of actions carried out by programs installed on protected computers and monitored by Advanced EDR. These events are received as part of the telemetry and are stored on the Cytomic platform to look for suspicious behavior patterns.

This counter includes all detections on the network, regardless of the visibility assigned to the account that accesses the Advanced EDR console.

Indicators

Number of suspicious event patterns detected in the event data flow.

This counter includes all detections on the network, regardless of the visibility assigned to the account that accesses the Advanced EDR console.

Indicators of attack (IOA)

Number of indicators that are highly likely to indicate an attack.

Computers in RDP attack containment mode

Number of computers that experienced an attack through the RDP protocol and are in RDP attack containment mode.

Description of the data displayed in the Threat Hunting Service panel

Lists accessible from the panel

Hotspots in the Threat Hunting Service panel

Click the hotspots shown in Hotspots in the Threat Hunting Service panel to open these lists with these predefined filters:

Hotspot / List / Filter

  • (1): Indicators of attack (IOA) list. No filter.

  • (2): Computer protection status list. Filter: “RDP attack containment” mode = Yes.

Filters accessible from the Threat Hunting Service panel

Detections trend

This widget includes a line and bar graph that shows the number of indicators, pending IOA detections, and archived IOA detections over time.

Detections Trend panel

To represent the different scales in the same diagram, the graph has two Y-axes:

  • The Y-axis on the left measures recorded pending and archived detections.

  • The Y-axis on the right measures indicators detected.

Meaning of the data displayed
Data Description

Indicators

Number of suspicious patterns detected in the event flow received.

Pending IOAs

Number of suspicious patterns that are highly likely to indicate an attack. An administrator has not analyzed or resolved the IOA.

Archived IOAs

Number of IOAs that an administrator has analyzed or resolved and marked as Archived.

Description of the data displayed in the Detections Trend panel

Hotspots in the Detections Trend panel

Click the hotspots shown in Hotspots in the Detections Trend panel to open the Indicators of attack (IOA) list with these predefined filters:

Hotspot / Filter

  • (1): None

  • (2): Status = Pending

  • (3): Status = Archived

Filters available in the Indicators of Attack (IOA) list

Indicators of attack (IOA) mapped to the MITRE ATT&CK matrix

This widget shows a table of the number of IOAs detected during the selected time period, arranged by MITRE tactic and technique.

Point to a box to view:

  • The name and code of the tactic/technique

  • The total number of detections

  • The number of pending detections

An IOA detection has at least one tactic and one technique associated with it. However, not all IOA detections have sub-techniques associated with them.

To view the sub-techniques associated with an IOA detection, click Show sub-techniques.

Indicators of Attack (IOA) Mapped to the MITRE ATT&CK Matrix panel

Meaning of the data displayed
Data Description

Red number

Number of detections recorded, with Pending status, which use the specified tactic, technique, and sub-technique.

Black number

Total number of recorded detections (pending + archived) that use the specified tactic, technique, and sub-technique.

Show sub-techniques link

Shows the sub-techniques associated with the IOA. For each sub-technique, the panel shows the total number of pending detections (in red) or pending and archived detections (in black) that have that sub-technique associated with them.

Description of the data displayed in the Indicators of Attack (IOA) Mapped to the MITRE ATT&CK Matrix panel

Lists accessible from the panel

Hotspots in the Indicators of Attack (IOA) Mapped to the MITRE ATT&CK Matrix panel

Click the hotspots shown in Hotspots in the Indicators of Attack (IOA) Mapped to the MITRE ATT&CK Matrix panel to open the Indicators of attack (IOA) list with these predefined filters:

Hotspot / Filter

  • (1): Tactic = The tactic selected in the widget

  • (2): Tactic = The tactic selected in the widget, and Technique = The technique selected in the widget

  • (3): Sub-technique = The sub-technique selected in the widget

Filters available in the Indicators of Attack (IOA) list

Detected indicators of attack (IOA)

This widget shows the distribution of IOA detections by type recorded during the selected time period. The greater the number of detections of a particular type, the larger the box within the widget.

Detected Indicators of Attack (IOA) panel

Meaning of the data displayed
Data Description

Red number

Number of pending detections of a given type recorded during the selected period.

White number

Total number of recorded detections (pending + archived) of a given type recorded during the selected period.

Description of the data displayed in the Detected Indicators of Attack (IOA) panel

Lists accessible from the panel

Hotspots in the Detected Indicators of Attack (IOA) panel

Click the hotspots shown in Hotspots in the Detected Indicators of Attack (IOA) panel to open the Indicators of attack (IOA) list with these predefined filters:

Hotspot / Filter

  • (1): Indicator of attack = The indicator of attack selected in the widget

  • (2): Indicator of attack = The indicator of attack selected in the widget, and Status = Pending

Filters available in the Indicators of Attack (IOA) list

Indicators of attack (IOA) by computer

This widget shows the distribution of detections for each computer on the network during the selected time period. The greater the number of detections on a particular computer, the larger the box within the widget.

Indicators of Attack (IOA) by Computer panel

Meaning of the data displayed
Data Description

Red number

Number of pending detections recorded on a specific computer during the selected period.

White number

Total number of recorded detections (pending + archived) on a specific computer during the selected period.

Description of the data displayed in the Indicators of Attack (IOA) by Computer panel

Lists accessible from the panel

Hotspots in the Indicators of Attack (IOA) by Computer panel

Click the hotspots shown in Hotspots in the Indicators of Attack (IOA) by Computer panel to open the Indicators of attack (IOA) list with these predefined filters:

Hotspot / Filter

  • (1): Computer = The computer selected in the widget

  • (2): Computer = The computer selected in the widget, and Status = Pending

Filters available in the Indicators of Attack (IOA) list
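As an added example (not the product's own code), this Python reproduces the counting logic that the MITRE ATT&CK matrix, Detected indicators of attack (IOA), and Indicators of attack (IOA) by computer widgets apply to a set of detections: the red number is pending detections, the black or white number is pending plus archived, sub-techniques are counted only for detections that have one, and hotspot_filter mirrors the predefined list filters. The Detection record, its field names, and the sample detections are assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical record for one IOA detection. Field names are assumptions
# made for this example, not the product's export schema.
@dataclass(frozen=True)
class Detection:
    ioa: str                  # indicator of attack (detection type)
    computer: str
    status: str               # "Pending" or "Archived"
    tactic: str               # every detection has a tactic and a technique
    technique: str
    sub_technique: str = None # only some detections have one

def pending_total(dets, key):
    """Return {key: (pending, total)}: the red number and the black/white number."""
    counts = defaultdict(lambda: [0, 0])
    for d in dets:
        k = key(d)
        if k is None:         # no sub-technique: not counted at that level
            continue
        counts[k][1] += 1     # total = pending + archived
        if d.status == "Pending":
            counts[k][0] += 1
    return {k: tuple(v) for k, v in counts.items()}

def mitre_matrix(dets, show_sub_techniques=False):
    """Counts per tactic and per technique; sub-technique cells only on request."""
    dets = list(dets)
    matrix = {"tactic": pending_total(dets, lambda d: d.tactic),
              "technique": pending_total(dets, lambda d: (d.tactic, d.technique))}
    if show_sub_techniques:
        matrix["sub_technique"] = pending_total(
            dets, lambda d: (d.tactic, d.technique, d.sub_technique)
            if d.sub_technique else None)
    return matrix

def hotspot_filter(dets, **criteria):
    """Predefined list filter, e.g. hotspot_filter(dets, computer="PC-01", status="Pending")."""
    return [d for d in dets if all(getattr(d, f) == v for f, v in criteria.items())]

# Constructed sample detections (not real telemetry).
SAMPLE = [
    Detection("Credential dumping", "PC-01", "Pending", "Credential Access", "T1003", "T1003.001"),
    Detection("Credential dumping", "PC-02", "Archived", "Credential Access", "T1003"),
    Detection("RDP brute force", "PC-01", "Pending", "Credential Access", "T1110", "T1110.001"),
    Detection("Suspicious PowerShell", "PC-03", "Pending", "Execution", "T1059", "T1059.001"),
    Detection("Suspicious PowerShell", "PC-01", "Archived", "Execution", "T1059", "T1059.001"),
]
```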