Indicators of attack (IOA) module lists

Accessing the lists

You can access the lists in two ways:

  • From the top menu, select Status. From the side menu, select Indicators of attack (IOA). Click the relevant widget.

Or:

  • From the top menu, select Status. From the side menu, click the Add link. A dialog box opens that shows the available lists.

  • In the Security section, select the Indicators of attack (IOA) list to see the corresponding template. Edit it and click Save. The list is added to the side menu.

Required permissions

Permission Access to lists

View detections and threats

  • Indicators of attack (IOA)

Permissions required to access the Indicators of Attack (IOA) lists

Indicators of attack (IOA)

This list shows details of the IOAs detected on workstations and servers by Advanced EDR.

  • Each IOA refers to a single computer and IOA type. If the same chain of suspicious events occurs on multiple computers, the security software generates a separate IOA for each computer.

  • If the same pattern is detected several times in an hour on the same computer, a minimum of two IOAs are generated — one when the first IOA is detected and one every hour that shows the number of occurrences in that hour.

Field Comment Values

Computer

Name of the computer where the IOA was detected.

Character string

Group

Folder within the Advanced EDR folder tree the computer belongs to.

Character string

Indicator of attack

Name of the rule that detected the pattern of events that triggered the IOA.

Character string

Occurrences

Number of times an IOA repeats in one hour.

Number

Risk

Impact of the IOA detected:

  • Critical

  • High

  • Medium

  • Low

  • Unknown

Enumeration

Action

Type of action taken by Advanced EDR on brute-force attack against RDP IOAs:

  • Reported

  • Attack blocked

See Automatic response to RDP attacks.

Enumeration

Status

  • Archived: The IOA no longer requires administrator attention because it was a false positive or was resolved.

  • Pending: The IOA has not been investigated by the administrator.

See Indicators of attack (IOA).

Enumeration

Date

Date and time the IOA was last detected.

Date

Fields in the Indicators of Attack (IOA) list

Fields displayed in the exported file

Field Comment Values

Indicator of attack

Name of the rule that detected the pattern of events that triggered the IOA.

Character string

Occurrences

Number of times an IOA repeats in one hour.

Number

Risk

Impact of the IOA detected:

  • Critical

  • High

  • Medium

  • Low

  • Unknown

Enumeration

Action

Type of action taken by Advanced EDR:

  • Reported

  • Attack blocked

See Automatic response to RDP attacks.

Enumeration

Status

  • Archived: The IOA no longer requires administrator attention because it was a false positive or was resolved.

  • Pending: The IOA has not been investigated by the administrator.

See Indicators of attack (IOA).

Enumeration

Date

Date and time the IOA was last detected.

Date

Date archived

Date the IOA was last archived.

Date

Time until archived

The time elapsed between when the IOA was detected and when the administrator verified it and took remedial action where necessary.

Date

Group

Folder within the Advanced EDR folder tree the computer belongs to.

Character string

IP address

The computer primary IP address.

Character string

Domain

Windows domain the computer belongs to.

Character string

Description

Brief description of the strategy used by the adversary.

Character string
 

Fields in the Indicators of Attack (IOA) exported file

Filter tool

Field Description Values

Search computer

Computer name.

Character string

Risk

Impact of the IOA detected:

  • Critical

  • High

  • Medium

  • Low

  • Unknown

Enumeration

Action

Type of action taken by Advanced EDR:

  • Reported

  • Attack blocked

See Automatic response to RDP attacks.

Enumeration

Tactic

Category of the attack tactic that generated the IOA, mapped to the MITRE matrix.

To quickly find a specific tactic, enter the search terms in the text box. Click the icon and select the tactic that you want to filter the list by.

Character string

Dates

Time period when the IOA was generated.

  • Last 24 hours

  • Last 7 hours

  • Last month

Status

Status of the IOA.

  • Pending

  • Archived

Indicator of attack

Name of the IOA you want to search for.

To quickly find a specific IOA, enter the search terms in the text box. Click the icon and select the IOA that you want to filter the list by.

Character string

Technique

Category (and sub-category, if available) of the attack technique that generated the IOA, mapped to the MITRE matrix.

  • When you filter by a technique, the list shows the IOAs that have that technique or one of its sub-technique associated.

  • When you filter by a sub-technique, the list shows the IOAs that have that specific sub-technique associated.

Techniques are identified by a character string in the TXXXX format.

Sub-techniques are identified by a character string in the TXXXX.YYY format.

To quickly find a specific technique, enter the search terms in the text box. Click the icon and select the technique that you want to filter the list by.

Character string
 

Filters available in the Indicators of Attack (IOA) list

Details page

To open the details page for an IOA, click a computer row. This page shows a detailed description of when and where the IOA occurred, as well as details of the pattern of events that led to the IOA.

Advanced IOAs also show the Activity tab. This tab shows all events that are part of the potential attack.

Field Comment Values

Detection date

  • Date and time the IOA was last detected.

  • Date and time when the security software archived the IOA, if the IOA is archived.

  • Button to archive the IOA or to mark it as pending.

  

Indicator of attack (IOA)

Name of the rule that detected the pattern of events that triggered the IOA.

Character string

Risk

Impact of the IOA detected:

  • Critical

  • High

  • Medium

  • Low

  • Unknown

Enumeration

Description

Description of the chain of events detected on the computer, and the consequences it could have if the attack achieves its objectives.

Character string

Advanced attack investigation

(Not available for advanced IOAs)

Report with full details of the IOA:

  • Computer ID and date.

  • Detected IOA type name.

  • Detailed description of the internal functionality of the IOA, mapped to the relevant MITRE tactic and technique.

  • Operating system tools used in the attack.

  • Computer details.

  • Attack severity.

  • Status of the computer with respect to the attack.

  • Progress status of the attack.

  • Users logged in at the time of the attack.

  • IPs/URLs accessed.

  • Daily repetitions of the attack.

  • Diagram of the chain of processes involved in the attack.

  • Advice for mitigating or remediating the attack.

Reports are available for a month after the IOA is generated. After this period, you can no longer access them. The report also shows events that are part of the attack during the thirty days prior to detection of the IOA.

Button

View attack graph

(Not available for advanced IOAs)

Interactive diagram with the sequence of events that led to the generation of the IOA. See Graphs.

Button

Action

Type of action taken by Advanced EDR:

  • Reported

  • Attack blocked

See Automatic response to RDP attacks.

Enumeration

Recommendations

Recommended actions from Cytomic team for the administrator.

Character string

Fields on the IOA Details page
Details tab
Field Comment Values

Computer

Name and group of the affected computer. If the computer is in containment mode, the End RDP attack containment mode button appears. See Manual termination of RDP attack containment mode.

Character string

Detected occurrences

Number of occurrences of the IOA. For more information about the grouping algorithm applied, see Detection grouping.

Number

Last event

Date and time the event that triggered the IOA occurred.

Date

View full activity details

Available for advanced IOAs. See Activity tab.

  

View computer investigation

See Investigation tab.

  

Other details

Data in JSON format that includes fields relevant to the event that led to the generation of the IOA. See Format of the events contained in telemetry data.

Character string

Tactic

Category of the attack tactic that generated the IOA, mapped to the MITRE matrix.

Character string

Technique

Category of the attack technique that generated the IOA, mapped to the MITRE matrix. It is identified by a character string in the TXXXX format.

Character string

Sub-technique

Sub-category (if available) of the attack technique that generated the IOA, mapped to the MITRE matrix. It is identified by a character string in the TXXXX.YYY format.

Character string

Platform

Operating system and environments where MITRE has previously recorded this type of attack.

Character string

Description

Details of the tactics and techniques used by the IOA detected, according to the MITRE matrix.

Character string

Fields on the IOA Details page
Activity tab

The details page for an advanced IOA shows an additional tab: Activity. This tab shows a list of all the events that triggered the detection. It enables you to see the sequence of steps taken by the malicious software and confirm or dismiss the attack.

Field Comment Values

Search

Filters the list by the contents of the Date and Action fields. You can type only a partial string.

  

Date

When the security software detected the event.

Date

Action

Summary of the event details. To get full details, click the event.

Character string
Export

Exports the list of events shown in the console to an Excel file.

  

Fields on the Activity tab

Click a row in the table to show the Event details side panel. This panel included two tabs:

  • Details: Shows detailed information for the event. For more information about the meaning of the fields, see Format of the events contained in telemetry data.

  • MITRE: Shows detailed MITRE information (for example, tactic, technique, sub-technique, and description). If the advanced IOA is associated with more than one technique, the MITRE tab shows the information in multiple sub-sections, one for each technique. All data on the MITRE tab is collected from the official website at https://attack.mitre.org/matrices/enterprise/.

Field Description

Tactic

Name of the MITRE tactic associated with the advanced IOA. Tactics are identified by a character string in the TAXXXX format.

Technique

Name of the MITRE technique associated with the advanced IOA. Techniques are identified by a character string in the TXXXX format.

Sub-technique

Name of the MITRE sub-technique associated with the advanced IOA. Sub-techniques are identified by a character string in the TXXXX.YYY format.

Platform

Operating systems affected by the tactic and technique.

Permissions required

Permissions required to run the attack.

Description

Details of the tactics and techniques used by the IOA detected, according to the MITRE matrix.

Fields on the MITRE tab
Investigation tab

All types of IOAs enable you to open an Cytomic Orion investigation console to show all the telemetry collected on the computer for investigation purposes. To make your analysis easier, the investigation console focuses on the last event that triggered the IOA. You can trace back five days to review the context of the computer where the detection occurred, and trace forward one day to see the effects of the attack on the computer.

For more information about the investigation console, see Investigation section (5).