Indicators List

The Indicators panel shows the indicators that hunting rules detected on clients’ computers and fields that describe them.

The list shows only indicators generated by computers that belong to clients with a valid license assigned (active clients or clients in grace period), and indicators assigned to investigations, regardless of the client's license status. See Manage Investigations.

Use the fields in the list to filter the indicators. See Tools for Configuring Lists.

Field Description

Status

Indicates whether the indicator has been assigned to an investigation and the indicator status.

  • In progress: The indicator is assigned to an investigation and a Tier 2 analyst is investigating it.

  • Pending: The indicator has still not been assigned to an investigation.

  • Closed: The indicator was assigned to an investigation and has been resolved.

Client ID

Unique identifier of the client that owns the computer where the indicator was detected.

Hunting rule

Name of the hunting rule that generated the indicator and description of the artifacts monitored on the client’s computer.

Occurrences

Number of times Cytomic Orion detected the same type of indicator repeatedly on the same computer. See Indicator Grouping.

Investigation

Name of the investigation associated with indicators with the status In progress or Closed.

Computer

Name of the client’s computer where the indicator was detected.

Indicator date

Date the indicator was generated.

Last event

Date of the last event that led to the generation of the indicator. This date might not be the same as the Indicator date if there was a delay in generating the indicator, for example because of an interruption of the communication between the Cytomic Orion server and the client’s computer.

MUID

Unique identifier of the client’s computer where the indicator was detected.

Deleted by

Name of the deletion rule that moved the indicator to the bin.

Date deleted

Date a deletion rule was applied to the indicator and the indicator was moved to the bin.

Risk

Severity of the indicator impact: Critical, High risk, Medium risk, Low risk.

MITRE

Tactic, technique, and sub-technique associated with the hunting rule according to the MITRE specification. If there is more than one tactic and technique pair, they are separated by the character '#'. For more information, see Details Panel.

Operating systems

Operating systems covered by the hunting rule that detected the suspicious event.

Command line

See commandline.

Parent file path

See parentpath.

Child file path

See childpath.

Parent file name

See parentfilename.

Child file name

See childfilename.

Data container

See datacontainer.

Remote IP

See remoteip.

Remote port

See remoteport.

Fields in the Indicators list

The Indicators list provides this additional information:

  • Number of indicators the solution found based on the configured selection criteria. This number appears at the top of the list (2).

  • Time zone: Changes the time zone configured by default for the entire console. Set it using the control at the top of the list (2). This setting affects both the Indicator date column in the lists and the date format entered in the filter panel. See Settings Area.

Indicator Grouping

To keep long lists of repeated indicators from hindering analysts' investigations, Cytomic Orion groups indicators according to where they were detected.

Indicators Detected on the Server

If hunting rules classify an event pattern that appears repeatedly in the telemetry a computer sends to the server as a potential threat, Cytomic Orion generates these indicators:

  • A first indicator with the Occurrences field set to 1 when it detects the first pattern on the computer.

  • An indicator every hour. This indicator groups all detections made in that interval of time on the computer. The Occurrences field shows the number of detected occurrences.

Indicators Detected on a Computer

If the security software installed on a computer classifies an event pattern that appears repeatedly on the computer as a potential threat, Cytomic Orion generates these indicators:

  • A first indicator with the Occurrences field set to 1 when it detects the first pattern on the computer.

  • An indicator every six hours. This indicator groups all detections made in that interval of time. The Occurrences field shows the number of detected occurrences.
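The grouping rules above (a first indicator with Occurrences = 1, then one indicator per hourly or six-hourly window holding the number of detections in that window) can be simulated on a list of detection timestamps. The block below is an added example, not Cytomic Orion code; the computer name, rule name and timestamps are constructed, and it assumes that windows are counted from the first detection and that the first detection is not counted again in the first window, neither of which the page states. It also shows the gap between Last event and Indicator date that grouping produces.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Grouping intervals stated on the page: one hour for patterns the server
# detects in telemetry, six hours for patterns the security software detects
# on the computer itself.
GROUPING_INTERVAL = {
    "server": timedelta(hours=1),
    "computer": timedelta(hours=6),
}


@dataclass
class Indicator:
    """One row of the Indicators list, reduced to the fields this example uses."""
    computer: str
    hunting_rule: str
    occurrences: int
    indicator_date: datetime  # when the (grouped) indicator was generated
    last_event: datetime      # newest detection the indicator covers

    def generation_delay(self) -> timedelta:
        """Gap between Last event and Indicator date (zero for the first indicator)."""
        return self.indicator_date - self.last_event


def group_detections(computer: str, rule: str, source: str,
                     detections: list[datetime]) -> list[Indicator]:
    """Simulate how repeated detections of one pattern become indicators.

    The first detection produces an indicator with Occurrences = 1 at once.
    Later detections are collected into fixed windows (1 h or 6 h by source),
    and one indicator per non-empty window is generated at the window's end
    with Occurrences = number of detections in it.

    Assumption (not on the page): windows start at the first detection, and
    the first detection is not counted again inside the first window.
    """
    if not detections:
        return []
    interval = GROUPING_INTERVAL[source]
    events = sorted(detections)
    first = events[0]
    indicators = [Indicator(computer, rule, 1, first, first)]

    window_start = first
    bucket: list[datetime] = []
    for ts in events[1:]:
        # Close every window that ends before this detection.
        while ts >= window_start + interval:
            if bucket:
                indicators.append(Indicator(computer, rule, len(bucket),
                                            window_start + interval, bucket[-1]))
                bucket = []
            window_start += interval
        bucket.append(ts)
    if bucket:  # last, still-open window, flushed at its scheduled end
        indicators.append(Indicator(computer, rule, len(bucket),
                                    window_start + interval, bucket[-1]))
    return indicators


def occurrence_counts(indicators: list[Indicator]) -> list[int]:
    """The Occurrences column of the generated rows, in order."""
    return [i.occurrences for i in indicators]


# Constructed sample: five detections of the same pattern on one computer.
SAMPLE_DETECTIONS = [
    datetime(2024, 1, 15, 10, 0),
    datetime(2024, 1, 15, 10, 5),
    datetime(2024, 1, 15, 10, 40),
    datetime(2024, 1, 15, 11, 30),
    datetime(2024, 1, 15, 13, 10),
]

if __name__ == "__main__":
    for source in ("server", "computer"):
        rows = group_detections("WS-001", "Constructed rule name", source, SAMPLE_DETECTIONS)
        print(source, occurrence_counts(rows))
        for r in rows:
            print(f"  generated {r.indicator_date:%H:%M}  occurrences={r.occurrences}"
                  f"  last_event={r.last_event:%H:%M}  delay={r.generation_delay()}")
```

With the same five detections, the server-side rule yields four rows (1, 2, 1, 1 occurrences) while the computer-side rule yields two (1, 4), which is the difference an analyst sees between the two grouping intervals.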

Details Panel

Click the icon in the upper-right corner to open the Details panel. Two tabs appear:

  • Details: Shows fields with information about the selected indicator. See Indicators List.

  • MITRE: Shows details of the MITRE tactic and technique associated with the hunting rule that generated the indicator. If the hunting rule is associated with more than one technique, the MITRE panel groups the information in drop-down tabs, one for each technique. The information shown on the MITRE tab is gathered from the official source, at https://attack.mitre.org/matrices/enterprise/

    Field Description

    Tactic

    Name of the MITRE matrix tactic related to the hunting rule that generated the indicator. Tactics are identified by a character string in the TAXXXX format.

    Technique

    Name of the MITRE matrix technique related to the hunting rule that generated the indicator. Techniques are identified by a character string in the TXXXX format.

    Sub-technique

    Name of the MITRE matrix sub-technique related to the hunting rule that generated the indicator. Sub-techniques are identified by a character string in the TXXXX.YYY format.

    Platform

    Operating systems affected by the tactic and technique.

    Required permissions

    Permissions required by the adversary to perform the attack described in the tactic and technique.

    Description

    Tactic and technique description according to the data published by MITRE.

    Fields on the MITRE tab
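The MITRE column described in the Indicators list (tactic/technique pairs separated by '#') and the identifier formats given for the MITRE tab (TAXXXX, TXXXX, TXXXX.YYY) are enough to parse the column when indicators are exported for reporting. The block below is an added example, not Cytomic Orion code. Only the '#' separator and the ID formats come from the page; the layout inside each pair is undocumented, so the parser searches each chunk for identifiers in the documented formats rather than assuming a layout. The sample cell is constructed.

```python
import re

# Stated on the page: pairs in the MITRE column are separated by '#';
# tactics look like TAXXXX, techniques like TXXXX, sub-techniques like TXXXX.YYY.
PAIR_SEPARATOR = "#"
TACTIC_RE = re.compile(r"\bTA\d{4}\b")
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def parse_mitre_field(value: str) -> list[dict]:
    """Split the MITRE column into tactic/technique pairs and extract the IDs.

    A chunk lacking a tactic or technique ID is reported with None for the
    missing part instead of being dropped, so malformed rows stay visible.
    """
    entries = []
    for chunk in value.split(PAIR_SEPARATOR):
        chunk = chunk.strip()
        if not chunk:
            continue
        tactic = TACTIC_RE.search(chunk)
        technique = TECHNIQUE_RE.search(chunk)
        tech_id = technique.group(0) if technique else None
        entries.append({
            "tactic": tactic.group(0) if tactic else None,
            # "T1059.001" -> technique "T1059", sub-technique "T1059.001"
            "technique": tech_id.split(".")[0] if tech_id else None,
            "sub_technique": tech_id if tech_id and "." in tech_id else None,
        })
    return entries


def techniques_for_tabs(value: str) -> list[str]:
    """Distinct technique IDs in column order: one per drop-down tab the
    Details panel's MITRE tab shows for a multi-technique rule."""
    seen: list[str] = []
    for entry in parse_mitre_field(value):
        if entry["technique"] and entry["technique"] not in seen:
            seen.append(entry["technique"])
    return seen


# Constructed sample cell. The IDs are real ATT&CK identifiers; the
# "<tactic> / <technique>" layout inside each pair is an assumption.
SAMPLE_MITRE = (
    "TA0002 Execution / T1059.001 Command and Scripting Interpreter: PowerShell"
    "#TA0005 Defense Evasion / T1027 Obfuscated Files or Information"
)

if __name__ == "__main__":
    for entry in parse_mitre_field(SAMPLE_MITRE):
        print(entry)
    print("tabs:", techniques_for_tabs(SAMPLE_MITRE))
```

Searching for identifiers instead of splitting on a fixed inner separator keeps the parser working if the console changes how it renders the pair text, as long as the documented ID formats are kept.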