Indicators of attack (IOA) module lists

Accessing the lists

The lists can be accessed through two paths:

  • Click the Status menu at the top of the console. Click Indicators of attack (IOA) from the side menu and click the relevant widget.

Or:

  • Click the Status menu at the top of the console. Click the Add link from the side menu. A window opens with the available lists.

  • In the Security section, select the Indicators of attack (IOA) list to see the corresponding template. Edit it and click Save. The list is added to the side menu.

Required permissions

Permission                     Access to lists
View detections and threats    Indicators of attack (IOA)

Permissions required to access the Indicators of attack (IOA) lists

Indicators of attack (IOA)

Shows details of the IOAs detected by Advanced EDR on workstations and servers. The generation of IOAs follows these rules:

  • Each IOA refers to a single computer and IOA type. If the same chain of suspicious events occurs on multiple computers, a separate IOA is generated for each computer.

  • If the same pattern-computer-type triplet is detected several times during an hour, two kinds of IOA are generated: an initial one when the first occurrence is detected, and then one every hour whose Occurrences field indicates the number of repetitions throughout that hour.
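The two grouping rules above, worked through as an added example. This is illustrative Python written for this page, not Advanced EDR's own code; the detections, computer names, clock-hour bucketing and the choice not to count the initial detection among the repetitions are assumptions.

```python
from datetime import datetime

# Constructed sample detections (not real telemetry): ISO timestamp, computer, IOA rule name.
SAMPLE_DETECTIONS = [
    ("2024-03-01T10:00:00", "PC-01", "Brute-force attack against RDP"),
    ("2024-03-01T10:05:00", "PC-01", "Brute-force attack against RDP"),
    ("2024-03-01T10:10:00", "PC-02", "Brute-force attack against RDP"),
    ("2024-03-01T10:40:00", "PC-01", "Brute-force attack against RDP"),
    ("2024-03-01T11:20:00", "PC-01", "Brute-force attack against RDP"),
    ("2024-03-01T11:30:00", "PC-01", "Brute-force attack against RDP"),
]


def group_ioas(detections):
    """Turn raw detections into IOA rows following the page's two rules.

    Rule 1: an IOA refers to one computer and one IOA type, so the key is
            (computer, rule); the same pattern on another computer is a new IOA.
    Rule 2: the first detection of a key raises an initial IOA at once; later
            repetitions are rolled into one IOA per hour whose Occurrences
            field counts them. Assumption (not stated on the page): hours are
            clock-aligned buckets and the initial detection is not counted
            among the repetitions.
    """
    ordered = sorted(detections, key=lambda d: d[0])
    rows = []       # IOA rows in generation order
    hourly = {}     # (computer, rule, hour_start) -> the hourly row
    seen = set()    # keys that already have their initial IOA
    for ts, computer, rule in ordered:
        t = datetime.fromisoformat(ts)
        key = (computer, rule)
        if key not in seen:
            seen.add(key)
            rows.append({"Computer": computer, "Indicator of attack": rule,
                         "Occurrences": 1, "Date": t, "Kind": "initial"})
            continue
        hour_start = t.replace(minute=0, second=0, microsecond=0)
        hkey = key + (hour_start,)
        if hkey not in hourly:
            hourly[hkey] = {"Computer": computer, "Indicator of attack": rule,
                            "Occurrences": 0, "Date": t, "Kind": "hourly"}
            rows.append(hourly[hkey])
        hourly[hkey]["Occurrences"] += 1
        hourly[hkey]["Date"] = t    # the Date field shows the last detection
    return rows


if __name__ == "__main__":
    for row in group_ioas(SAMPLE_DETECTIONS):
        print(row["Kind"], row["Computer"], row["Occurrences"], row["Date"])
```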

Field Comment Values

Computer

Name of the computer where the IOA was detected.

Character string

Group

Folder within the Advanced EDR folder tree the computer belongs to.

Character string

Indicator of attack

Name of the rule that detected the pattern of events that triggered the IOA.

Character string

Occurrences

Number of times an IOA is repeated in one hour.

Number

Risk

Impact of the IOA detected:

  • Critical

  • High

  • Medium

  • Low

  • Unknown

Enumeration

Action

Type of action taken by Advanced EDR on Brute-force attack against RDP IOAs:

  • Reported

  • Attack blocked

See Automatic response to RDP attacks.

Enumeration

Status

  • Archived: The IOA no longer requires administrator attention because it is a false positive or it has been resolved.

  • Pending: The IOA has not yet been investigated by the administrator.

See Indicators of attack (IOA).

Enumeration

Date

Date and time the IOA was last detected.

Date

Fields in the Indicators of attack (IOA) list

Fields displayed in the exported file

Field Comment Values

Indicator of attack

Name of the rule that detected the pattern of events that triggered the IOA.

Character string

Occurrences

Number of times an IOA is repeated in one hour.

Number

Risk

Impact of the IOA detected:

  • Critical

  • High

  • Medium

  • Low

  • Unknown

Enumeration

Action

Type of action taken by Advanced EDR:

  • Reported

  • Attack blocked

See Automatic response to RDP attacks.

Enumeration

Status

  • Archived: The IOA no longer requires administrator attention because it is a false positive or it has been resolved.

  • Pending: The IOA has not yet been investigated by the administrator.

See Indicators of attack (IOA).

Enumeration

Date

Date and time the IOA was last detected.

Date

Date archived

Date the IOA was last archived.

Date

Time until archived

Time that has elapsed between the IOA’s detection and the administrator verifying it and taking remedial action where necessary.

Date

Group

Folder within the Advanced EDR folder tree the computer belongs to.

Character string

IP address

The computer’s primary IP address.

Character string

Domain

Windows domain the computer belongs to.

Character string

Description

Brief description of the strategy used by the adversary.

Character string


Fields in the Indicators of attack (IOA) exported file

Filter tool

Field Description Values

Search computer

Computer name.

Character string

Risk

Impact of the IOA detected:

  • Critical

  • High

  • Medium

  • Low

  • Unknown

Enumeration

Action

Type of action taken by Advanced EDR:

  • Reported

  • Attack blocked

See Automatic response to RDP attacks.

Enumeration

Tactic

Category of the attack tactic that generated the IOA, mapped to the MITRE matrix.

To quickly find a specific tactic, enter the search terms in the text box. Click the icon and select the tactic that you want to filter the list by.

Character string

Dates

The time period in which the IOA was generated.

  • Last 24 hours

  • Last 7 hours

  • Last month

Status

The status of the IOA.

  • Pending

  • Archived

Indicator of attack

Name of the IOA you want to search for.

To quickly find a specific IOA, enter the search terms in the text box. Click the icon and select the IOA that you want to filter the list by.

Character string

Technique

Category of the attack technique or sub-technique that generated the IOA, mapped to the MITRE matrix.

  • When you filter by a technique, the list shows the IOAs that have that technique or one of its sub-techniques associated.

  • When you filter by a sub-technique, the list shows the IOAs that have that specific sub-technique associated.

Techniques are identified by a character string in the TXXXX format.

Sub-techniques are identified by a character string in the TXXXX.YYY format.

To quickly find a specific technique, enter the search terms in the text box. Click the icon and select the technique that you want to filter the list by.

Character string


Filters available in the Indicators of attack (IOA) list
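The Technique filter semantics from the table above (a TXXXX identifier matches IOAs mapped to that technique or any of its sub-techniques, a TXXXX.YYY identifier matches only that sub-technique), as an added example. The code and the sample list rows are constructed for illustration and are not Advanced EDR's own; the IOA names other than the RDP brute-force one are made up.

```python
import re

# Constructed sample rows of the IOA list: each carries the MITRE technique or
# sub-technique it was mapped to (identifiers use the TXXXX / TXXXX.YYY formats).
SAMPLE_IOAS = [
    {"Computer": "PC-01", "Indicator of attack": "Brute-force attack against RDP", "Technique": "T1110.001"},
    {"Computer": "PC-02", "Indicator of attack": "Credential stuffing", "Technique": "T1110.004"},
    {"Computer": "PC-03", "Indicator of attack": "Suspicious PowerShell", "Technique": "T1059.001"},
    {"Computer": "PC-04", "Indicator of attack": "Generic brute force", "Technique": "T1110"},
]

TECHNIQUE_RE = re.compile(r"^T\d{4}$")              # TXXXX
SUB_TECHNIQUE_RE = re.compile(r"^T\d{4}\.\d{3}$")   # TXXXX.YYY


def identifier_kind(identifier):
    """Return 'technique' or 'sub-technique', or None if the string fits neither format."""
    if TECHNIQUE_RE.match(identifier):
        return "technique"
    if SUB_TECHNIQUE_RE.match(identifier):
        return "sub-technique"
    return None


def filter_by_technique(rows, identifier):
    """Apply the list's Technique filter to rows.

    A technique id matches rows mapped to that technique itself or to any of
    its sub-techniques (prefix 'TXXXX.'); a sub-technique id matches only rows
    mapped to that exact sub-technique. Malformed identifiers are rejected.
    """
    kind = identifier_kind(identifier)
    if kind is None:
        raise ValueError(f"not a TXXXX or TXXXX.YYY identifier: {identifier!r}")
    matched = []
    for row in rows:
        mapped = row["Technique"]
        if kind == "sub-technique":
            hit = mapped == identifier
        else:
            hit = mapped == identifier or mapped.startswith(identifier + ".")
        if hit:
            matched.append(row)
    return matched


if __name__ == "__main__":
    for row in filter_by_technique(SAMPLE_IOAS, "T1110"):
        print(row["Computer"], row["Technique"], row["Indicator of attack"])
```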

Details page

Click an item in the list to open its details page. This page shows a detailed description of when and where the IOA occurred, as well as details of the pattern of events that led to the IOA.

Advanced IOAs also show the Activity tab. This tab shows all events that are part of the potential attack.

Field Comment Values

Detection date

  • Date and time the IOA was last detected.

  • Date the IOA was archived if it has this status.

  • Button to archive the IOA or to mark it as pending investigation.


Indicator of attack (IOA)

Name of the rule that detected the pattern of events that triggered the IOA.

Character string

Risk

Impact of the IOA detected:

  • Critical

  • High

  • Medium

  • Low

  • Unknown

Enumeration

Description

Details of the chain of events detected on the customer’s computer, and the consequences it may have if the attack achieves its objectives.

Character string

Advanced attack investigation

Report with full details of the IOA:

  • Computer ID and date.

  • Detected IOA type name.

  • Detailed description of the internal functionality of the IOA, mapped to the relevant MITRE tactic and technique.

  • Operating system tools used in the attack.

  • Computer details.

  • Attack severity.

  • Status of the computer with respect to the attack.

  • Progress status of the attack.

  • Users logged in at the time of the attack.

  • IPs/URLs accessed.

  • Daily repetitions of the attack.

  • Diagram of the chain of processes involved in the attack.

  • Advice for mitigating or remediating the attack.

Button

View attack graph

Interactive graph with the sequence of processes that led to the IOA. See Graphs.

Button

Action

Type of action taken by Advanced EDR:

  • Reported

  • Attack blocked

See Automatic response to RDP attacks.

Enumeration

Recommendations

Actions recommended by Cytomic for the network administrator.

Character string

Computer

Name and group of the affected computer. If the computer is in containment mode, the End RDP attack containment mode button appears. See Manual termination of RDP attack containment mode.

Character string

Detected occurrences

Number of occurrences of the IOA. For more information about the grouping algorithm applied, see Grouping of indicators of attack.

Number

Last event

Date the event that triggered the IOA occurred.

Date

Other details

JSON with the relevant fields of the event that led to the generation of the IOA. See Format of the events used in indicators of attack (IOA).

Character string

Tactic

Category of the attack tactic that generated the IOA, mapped to the MITRE matrix.

Character string

Technique

Category of the attack technique that generated the IOA, mapped to the MITRE matrix. It is identified by a character string in the TXXXX format.

Character string

Sub-technique

Category of the attack sub-technique that generated the IOA, mapped to the MITRE matrix. It is identified by a character string in the TXXXX.YYY format.

Character string

Platform

Operating systems and environments where MITRE has previously recorded this type of attack.

Character string

Description

Details of the tactics and techniques used by the IOA detected, according to the MITRE matrix.

Character string

Fields in the IOA details page

Activity tab

The details page for an advanced IOA shows an additional tab: Activity. This tab shows all the events that triggered the detection. It enables you to see the sequence of steps taken by the malicious software and confirm or dismiss the attack.

Field Comment Values

Search

Filters the list by the contents of the Date and Action fields. Typing a partial string is enough.


Date

Date the event was logged.

Date

Action

Summary of the event details. To get full details, click the event.

Character string

Fields on the Activity tab

Event details

Select an event. A side panel opens with two tabs:

  • Details: Shows a number of fields for the event. For more information about the meaning of the fields, see Format of the events used in indicators of attack (IOA).

  • MITRE: Shows the tactic, technique, and sub-technique associated with the event, and their description. If the advanced IOA is associated with more than one technique, the MITRE panel groups the information in multiple sub-panels, one for each technique. All data on the MITRE tab is collected from the official website at https://attack.mitre.org/matrices/enterprise/.

Field Description

Tactic

Name of the MITRE tactic associated with the advanced IOA. Tactics are identified by a character string in the TAXXXX format.

Technique

Name of the MITRE technique associated with the advanced IOA. Techniques are identified by a character string in the TXXXX format.

Sub-technique

Name of the MITRE sub-technique associated with the advanced IOA. Sub-techniques are identified by a character string in the TXXXX.YYY format.

Platform

Operating systems affected by the tactic and technique.

Permissions required

Permissions required by the adversary to carry out the attack described in the tactic and technique.

Description

Description of the tactic and technique according to MITRE.

Fields on the MITRE tab