Activity Log Associated with an Investigation
Every action taken by SOC technicians in the context of an investigation is logged along with additional information that helps to determine its type and source. This information lets you assess the security impact of the actions analysts perform on clients' computers and infrastructure.
Access the Activity Log Associated with an Investigation
In the top menu, select Investigations. Select an investigation from the list. Click the icon (Activity log) in the upper-right corner of the page. A page opens that shows the list of actions that SOC technicians took as part of the investigation, along with multiple tools that enable you to search and filter information.
- Search tool (1): Searches the contents of all columns in the list to filter information. You can type only a partial string.
- Grouping tool (2): Groups items in the list by the column you choose. For more information about the grouping tool, see Filter Tools.
- Export (4): Exports the contents of the list to a CSV file.
- Side panel (5): Shows extended information about the items you select in the list.
- Central panel (3): Shows a list of actions that match the search criteria you entered. The following table describes the columns included in the list:
Field | Description |
---|---|
Date | Date of the logged action. |
Action | Logged action along with the user account that took it and additional information. For more information, see Actions Logged in Cytomic Orion. |
User | Name of the account that took the action. This column is not shown by default. |
Action type | Type of logged action. This column is not shown by default. |
Actions Logged in Cytomic Orion
Action | Description |
---|---|
Create an investigation | The console user assigned one or more indicators to a new investigation. |
Rename an investigation | The console user changed the name of an investigation. |
Change an investigation classification | The console user changed the classification of an investigation. |
Change an investigation priority | The console user changed the priority of an investigation. |
Add or delete clients from an investigation | The console user changed the client-type entities of interest assigned to an investigation. |
Close an investigation | The console user closed an investigation. |
Reopen an investigation | The console user reassigned the status In progress or Pending to an indicator assigned to an investigation. |
Add indicators to an investigation | The console user assigned an indicator to an existing investigation. |
Remove indicators from an investigation | The console user unassigned an indicator from an investigation. |
Assign an investigation to a user | The console user changed the user assigned to an investigation. |
Unassign an investigation | The console user removed the user assigned to an investigation. |
Run a query | The console user ran an SQL query. |
Cancel a query | The console user stopped the execution of an SQL query. |
Query result | An SQL query finished executing. |
Query statistics | Shows data about the executed SQL query (full SQL statement, number of bytes read, etc.). You can use this field to determine the Cytomic Orion data usage. |
Query error | Execution of an SQL query completed with errors. |
Investigate computer | The console user opened an investigation from the MUID of a client's computer. |
Investigate file | The console user opened an investigation from the MD5 of a file. |
Investigate computer | The console user opened an investigation from the name of a client's computer. |
Create a notebook | The console user started an analysis by creating a notebook. |
Update a notebook | The console user worked on an analysis by editing a notebook. |
View a notebook | The console user opened a notebook to view it. |
Rename a notebook | The console user changed the name of a notebook. |
Delete a notebook | The console user deleted a notebook. |
Convert notebook to PDF | The console user generated a PDF report from a notebook's results. |
Run a notebook | The console user obtained the results of an investigation by running a notebook. |
Start remote access to a computer | Cytomic Orion retrieved, from the platform, the credentials required for the analyst who requested remote access to the investigated computer to be able to access it and use the remediation tools. To view the commands run by the analyst, see Remote Operation Log. |
Attempt to start remote access to a computer | Cytomic Orion tried to retrieve, from the platform, the credentials required to remotely access the investigated computer, but the process failed. |
Request to restart computers | The console user started the process to remotely restart a computer. |
Request to isolate computers | The console user started the process to isolate a computer. |
Request to stop isolating computers | The console user started the process to stop isolating a computer. |
Add entities of interest | The console user added an entity of interest to an investigation. |
Delete entities of interest | The console user removed an entity of interest from an investigation. |
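The activity log exists so that someone other than the analyst can review what was done to a client's computers. The following added example (not part of the Cytomic Orion documentation or product) shows one way to review an exported activity log offline: it parses a CSV export, counts actions per account, pulls out the actions from the table above that grant access to or change the state of a computer, lists failed remote-access attempts, and pairs each isolation request with the matching request to stop isolating. The header names `Date`, `Action`, `User` and `Action type` mirror the list columns described on this page, but the exact headers of a real export, the date format, and the sample rows are all assumptions constructed for the example; because the export has no computer column, isolations are paired per user, which is a simplification.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of an activity-log CSV export (not a real export).
# Column names mirror the list columns described on the page; the real
# export's headers and date format are an assumption.
SAMPLE_EXPORT = """Date,Action,User,Action type
2024-03-01 09:12:04,Create an investigation,alice@soc.example,Investigation
2024-03-01 09:13:40,Run a query,alice@soc.example,Query
2024-03-01 09:13:52,Query result,alice@soc.example,Query
2024-03-01 09:20:11,Attempt to start remote access to a computer,bob@soc.example,Remote access
2024-03-01 09:21:30,Start remote access to a computer,bob@soc.example,Remote access
2024-03-01 09:25:02,Request to isolate computers,bob@soc.example,Remediation
2024-03-01 10:02:45,Request to stop isolating computers,bob@soc.example,Remediation
2024-03-01 10:05:00,Close an investigation,alice@soc.example,Investigation
"""

# Actions from the page's table that grant an analyst access to a client's
# computer or change its state; a reviewer looks at these first.
HIGH_IMPACT_ACTIONS = {
    "Start remote access to a computer",
    "Request to restart computers",
    "Request to isolate computers",
    "Request to stop isolating computers",
}

# The page defines this action as a failed attempt to obtain remote-access credentials.
FAILED_REMOTE_ACCESS = "Attempt to start remote access to a computer"


def parse_export(text):
    """Parse the CSV export into dicts, converting 'Date' to a datetime, sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Date"] = datetime.strptime(row["Date"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return sorted(rows, key=lambda r: r["Date"])


def summarize(rows):
    """Return (actions per user, high-impact actions per user, failed remote-access attempts)."""
    per_user = Counter()
    high_impact = defaultdict(list)
    failed = []
    for row in rows:
        per_user[row["User"]] += 1
        if row["Action"] in HIGH_IMPACT_ACTIONS:
            high_impact[row["User"]].append((row["Date"], row["Action"]))
        elif row["Action"] == FAILED_REMOTE_ACCESS:
            failed.append((row["Date"], row["User"]))
    return per_user, dict(high_impact), failed


def isolation_windows(rows):
    """Pair each isolation request with the next stop-isolating request by the
    same user (assumption: the export carries no computer identifier) and
    return (user, duration in seconds); an isolation never lifted yields None."""
    open_isolations = {}
    windows = []
    for row in rows:
        if row["Action"] == "Request to isolate computers":
            open_isolations[row["User"]] = row["Date"]
        elif row["Action"] == "Request to stop isolating computers":
            start = open_isolations.pop(row["User"], None)
            duration = (row["Date"] - start).total_seconds() if start else None
            windows.append((row["User"], duration))
    for user in open_isolations:
        windows.append((user, None))
    return windows


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    per_user, high_impact, failed = summarize(rows)
    print("actions per user:", dict(per_user))
    for user, events in high_impact.items():
        for when, action in events:
            print(f"HIGH IMPACT {when:%Y-%m-%d %H:%M:%S} {user}: {action}")
    for when, user in failed:
        print(f"FAILED REMOTE ACCESS {when:%Y-%m-%d %H:%M:%S} {user}")
    print("isolation windows (seconds):", isolation_windows(rows))
```

On the constructed sample the review shows that all four state-changing actions came from one account, that the successful remote access was preceded by a failed attempt about a minute earlier, and that the isolation lasted 2263 seconds. An isolation that never gets a matching stop request shows up with a `None` duration, which is the case a reviewer most wants to catch.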
Remote Operation Log
Commands run by analysts when they access a computer remotely are logged separately and in a more detailed way.
Access the Remote Operation Log
- In the top menu, select Investigations. Select an investigation from the list. Click the icon (Activity log) in the upper-right corner of the page. A page opens that shows the list of actions that SOC technicians took as part of the investigation.
- In the central panel (3), select an item of type Start remote access to a computer. A side panel opens that shows details of the selected item (5).
- In the side panel (5), find the sessionId attribute. Click its content. The Remote session details page opens.
Field | Description |
---|---|
Session ID | Session ID assigned by Cytomic Orion. |
Date | Date the remote access started. |
IP address | IP address of the accessed computer. |
Category | |
Action | Action taken on the remote computer and logged by Cytomic Orion. |