Indicators List

The Indicators panel shows the indicators generated by the hunting rules and a number of columns that describe each indicator.

Field Description

Hunting rule

Name of the hunting rule that generated the indicator and description of the artifacts monitored on the client’s computer.

Status

Indicates whether the indicator has been assigned to an investigation, and the current state of the indicator:

  • In progress: The indicator is assigned to an investigation and a Tier 2 analyst is investigating it.

  • Pending: The indicator has still not been assigned to an investigation.

  • Closed: The indicator was assigned to an investigation and has been resolved.

Investigation

Name of the investigation associated with indicators with the status In progress or Closed.

Indicator date

Date the indicator was generated.

Last event

Date of the last event that led to the generation of the indicator. This date might not be the same as the Indicator date if there was a delay in generating the indicator, for example because of an interruption of the communication between the Cytomic Orion server and the client’s computer.

Computer

Name of the client’s computer where the indicator was detected.

Group

Group in the Cytomic EPDR console the computer belongs to.

Date deleted

Date a deletion rule was applied to the indicator and the indicator was moved to the bin.

Deleted by

Name of the deletion rule that moved the indicator to the bin.

MUID

Unique identifier of the client’s computer where the indicator was detected.

Client ID

Unique identifier of the client that owns the computer where the indicator was detected.

Risk

Severity of the indicator's impact: Critical, High risk, Medium risk, or Low risk.

MITRE

Tactic, technique, and sub-technique associated with the hunting rule, according to the MITRE ATT&CK matrix. If there is more than one tactic and technique pair, the pairs are separated by the '#' character. For more information, see Details Panel.

Occurrences

Number of times Cytomic Orion detected the same type of indicator repeatedly on the same computer. See Indicator Grouping.

Details

Description of the indicator and name of the associated hunting rule. This specifies the type of suspicious event logged so that the Tier 1 team can triage the incident.

Operating systems

Operating systems searched by the hunting rule that detected the suspicious event.

Fields in the Indicators list

The Indicators panel provides this additional information:

  • Number of indicators found that match the configured selection criteria. This number appears at the top of the list (2).

  • Time zone: Override the time zone configured by default for the entire console, using the control at the top of the list (2). This setting affects both the Indicator date column in the lists and the format of the dates entered in the filter panel. See Settings Area.

Indicator Grouping

To keep lists short and free of repeated indicators that would slow down analysts' investigations, Cytomic Orion groups indicators according to where they were detected.

Indicators Detected on the Server

If hunting rules classify as a potential threat an event pattern that appears repeatedly in the telemetry a computer sends to the server, Cytomic Orion generates these indicators:

  • A first indicator with the Occurrences field set to 1 when it detects the first pattern on the computer.

  • An indicator every hour. This indicator groups all detections made on the computer during that hour. The Occurrences field shows the number of detections grouped.

Indicators Detected on a Computer

If the protection software installed on a computer classifies an event pattern that appears repeatedly on the computer as a potential threat, Cytomic Orion generates these indicators:

  • A first indicator with the Occurrences field set to 1 when it detects the first pattern on the computer.

  • An indicator every 6 hours. This indicator groups all detections made on the computer during that 6-hour interval. The Occurrences field shows the number of detections grouped.
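A simulation of the two grouping rules above, added here as an example that is not Cytomic Orion's own code: it takes constructed detection timestamps for one computer and produces the Indicator date, Last event and Occurrences values the list would show. It assumes fixed-length windows starting at the first detection, that the first detection is counted only by the first indicator, and that a window with no detections produces no indicator; none of this is stated on the page.

```python
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Grouping intervals from the Indicator Grouping section.
SERVER_INTERVAL = timedelta(hours=1)    # patterns classified by the Orion server
COMPUTER_INTERVAL = timedelta(hours=6)  # patterns classified by the endpoint protection

class Indicator(NamedTuple):
    indicator_date: datetime  # "Indicator date" column
    last_event: datetime      # "Last event" column
    occurrences: int          # "Occurrences" column

def group_detections(detections: List[datetime], interval: timedelta) -> List[Indicator]:
    """Return the indicators the list would show for one computer.

    Assumptions (not stated on the page): windows are fixed-length and start
    at the first detection; the first detection is reported only by the first
    indicator; a window with no detections produces no indicator.
    """
    if not detections:
        return []
    ordered = sorted(detections)
    first = ordered[0]
    indicators = [Indicator(first, first, 1)]  # first indicator: Occurrences = 1
    window_start, count, last = first, 0, None
    for ts in ordered[1:]:
        # Close every window that elapsed before this detection.
        while ts >= window_start + interval:
            if count:
                indicators.append(Indicator(window_start + interval, last, count))
            window_start += interval
            count, last = 0, None
        count += 1
        last = ts
    if count:  # flush the window still open at the end of the input
        indicators.append(Indicator(window_start + interval, last, count))
    return indicators

# Constructed detection times for one computer (not real telemetry).
SAMPLE = [datetime(2024, 1, 1, 9, m) for m in (0, 10, 40)] + [
    datetime(2024, 1, 1, 10, 30), datetime(2024, 1, 1, 10, 45),
    datetime(2024, 1, 1, 10, 50), datetime(2024, 1, 1, 13, 0),
]

if __name__ == "__main__":
    for ind in group_detections(SAMPLE, SERVER_INTERVAL):
        print(ind.indicator_date, ind.last_event, ind.occurrences)
```

Summing the Occurrences column over all indicators for a computer recovers the total number of detections, which is a quick consistency check when comparing the list against raw telemetry.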

Details Panel

Click the icon in the upper-right corner to open the Details panel. Two tabs appear:

  • Details: Shows fields with information about the selected indicator. See Indicators List.

  • MITRE: Shows details of the MITRE tactic and technique associated with the hunting rule that generated the indicator. If the hunting rule is associated with more than one technique, the MITRE panel groups the information in drop-down tabs, one for each technique. The information shown on the MITRE tab is gathered from the official source, at https://attack.mitre.org/matrices/enterprise/

    Field Description

    Tactic

    Name of the MITRE matrix tactic related to the hunting rule that generated the indicator. Tactics are identified by a character string in the TAXXXX format.

    Technique

    Name of the MITRE matrix technique related to the hunting rule that generated the indicator. Techniques are identified by a character string in the TXXXX format.

    Sub-technique

    Name of the MITRE matrix sub-technique related to the hunting rule that generated the indicator. Sub-techniques are identified by a character string in the TXXXX.YYY format.

    Platform

    Operating systems affected by the tactic and technique.

    Required permissions

    Permissions required by the adversary to perform the attack described in the tactic and technique.

    Description

    Tactic and technique description according to the data published by MITRE.

    Fields on the MITRE tab
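A parser for the MITRE column described under Indicators List (tactic and technique pairs separated by '#') and the identifier formats given on the MITRE tab (TAXXXX, TXXXX, TXXXX.YYY), added here as an example that is not Cytomic Orion's own code. It assumes only that each '#'-separated segment contains those identifiers somewhere in its text; the exact layout of the pair text is not given on the page, and the sample value is constructed.

```python
import re
from typing import List, NamedTuple, Optional

# Identifier formats stated on the MITRE tab: TAXXXX, TXXXX and TXXXX.YYY.
TACTIC_RE = re.compile(r"\bTA\d{4}\b")
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

class MitreRef(NamedTuple):
    tactic: Optional[str]
    technique: Optional[str]
    sub_technique: Optional[str]

def parse_mitre_column(value: str) -> List[MitreRef]:
    """Split a MITRE column value on '#' and extract the IDs of each pair.

    Assumption: the page does not specify how the text inside a pair is laid
    out, so IDs are located by pattern rather than by position.
    """
    refs = []
    for pair in value.split("#"):
        pair = pair.strip()
        if not pair:
            continue
        tactic = TACTIC_RE.search(pair)
        techniques = TECHNIQUE_RE.findall(pair)
        technique = next((t for t in techniques if "." not in t), None)
        sub = next((t for t in techniques if "." in t), None)
        if sub and technique is None:
            technique = sub.split(".")[0]  # parent technique implied by the sub-technique
        if sub and technique and not sub.startswith(technique + "."):
            raise ValueError(f"sub-technique {sub} does not belong to {technique}")
        refs.append(MitreRef(tactic.group(0) if tactic else None, technique, sub))
    return refs

# Constructed column value with two pairs (layout is an assumption; IDs are real ATT&CK IDs).
SAMPLE_VALUE = (
    "TA0002 Execution - T1059 Command and Scripting Interpreter - T1059.001 PowerShell"
    "#TA0005 Defense Evasion - T1027 Obfuscated Files or Information"
)

if __name__ == "__main__":
    for ref in parse_mitre_column(SAMPLE_VALUE):
        print(ref)
```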