Manage Entities

An entity of interest must be associated with a specific investigation. In most cases, the person responsible for making this association is the technicians when, in the course of an investigation, they find items they want to save for later consultation. Moreover, Cytomic Orion can also automatically add entities of interest during an investigation.

The Entities of interest sub-panel enables you to take action on entities, or delete them. To take action on an entity, follow these steps:

In the Entities of interest panel, expand the group to which the entity belongs.
Click the icon associated with the entity to open the entity context menu. Select an action. The actions shown vary depending on the type of entity. Some actions are related to incident remediation tasks.

Add Entities Automatically

Cytomic Orion automatically adds entities that are being analyzed to the Entities of interest panel. The situations in which an entity is automatically added to an investigation are these:

When an analyst adds an indicator to an investigation: Computer ID (MUID) and client ID.
When an analyst opens an investigation console: File hash (MD5) and/or computer ID (MUID).

Add Entities in a Guided Way

Analysts can add entities to the Entities of interest sub-panel through the option Add entity of interest. This option is available for these elements in the analysis console, when you right-click the element to open its context menu:

The indicators assigned to an investigation.
Click the icon associated with an indicator. For more information, see chapter Indicators and Hunting Rules.
The results of an SQL advanced query. For more information, see chapter Investigate the Event Flow.
The computer events shown in the investigation console. For more information, see chapter Indicator Analysis Using the Investigation Console.

Cytomic Orion determines the type of entity of interest that is added depending on the field where the analysts clicks to ahow the context menu If, for example, the analyst right-clicks the Computer field of an indicator, Cytomic Orion adds the entity with the type Computer automatically assigned to it, although the analyst can later change it by choosing a new type from the relevant drop-down menu.

To add an entity to the Entities of interest sub-panel, follow these steps:

Find the piece of data you want to add. Right-click it to open its context menu.
Select Add entity of interest. A dialog box opens where you can select the entity type.
Click OK. The entity is immediately added to the Entities of interest sub-panel and Cytomic Orion enables you to take action on it.

Add Entities in a Non-Guided Way

To add any type of entity, click the icon in the Entities of interest sub-panel. A dialog box opens where you can select the type of entity you want to add. In the Entity text box, enter the entity value. The console analyzes the data you have entered to verify that it conforms to the expected format according to the type of entity selected.

To speed up the entity configuration process, the Entity text box filters from all available entities. Enter the entity name letter by letter. A drop-down menu is shown that displays the entities that match the characters you entered.

Deleting an Entity of Interest

In the top menu, select Investigations. Select the investigation that contains the entity of interest that you want to delete. In the tab bar, select Details. All panels associated with the ongoing investigation are shown.
In the Entities of interest panel, click the context menu icon for the entity of interest that you want to delete. In the context menu, select Delete from the list of entities of interest.
Click OK. The entity is immediately deleted.

Actions Available for Entities of Interest

The entities of interest you have added to the console have a context menu associated that makes it easier to take action on them or navigate the web console.

Action	Description	Available for these types of entities
Copy to clipboard	Copies the entity information to the computer clipboard so that you can use it somewhere else in the analysis console.	All
Delete from the list of entities of interest	Deletes the entity from the list of entities of interest associated with the investigation.	All
Investigate computer	Opens a panel that shows the investigation console for the computer MUID to display the events occurred on the computer on the selected date. For more information see Indicator Analysis Using the Investigation Console.	Computer
Investigation notebook	Opens a list of all notebook templates to generate a new notebook taking the computer MUID as parameter. For more information, see Investigations with Notebooks.	Computer
Isolate computer	Isolates the computer, preventing it from communicating with the network. For more information, see Response Tools.	Computer
Stop isolating computer	Restores communications on previously isolated computer. For more information, see Manage Investigations.	Computer
Remote access to computer	Provides remote access to a computer management resources. For more information, see Response Tools.	Computer
Restart computer	Starts the computer reboot sequence. For more information, see Response Tools.	Computer
Computer details	Opens a dialog box that shows detailed information about the device. For more information about the meaning of the fields, see Computer Details.	Computer
Available actions based on the entity

Tools in the Entities of Interest Panel

The Entities of interest panel provides these tools at the top:

Add entity of interest : See Add Entities in a Non-Guided Way.
Refresh panel : Requests the list of entities of interest from the server and loads it in the sub-panel.
Search : Click the icon to show a text box where you can enter the search terms. You can type only a partial string. Searches are performed on the content of all the fields in the entity of Interest.
Maximize : Expands the sub-panel to full screen.

Computer Details

Section	Field	Description
General
	IP addresses	List of all the IP addresses (primary addresses and aliases) of the computer.
	Active directory path	Path to the computer in the company's Active Directory.
	Group	Group in the Cytomic EDR or Cytomic EPDR group tree to which the computer belongs. To change the computer group, click Change.
	Operating system	Name of the operating system installed on the computer.
Client info
	Client ID	Identifier of the client to which the computer belongs in the Cytomic Orion systems.
	Client name	Name of the client.
	Creation date	Date the client was created in the Cytomic systems.
Computer
	Name	Name of the computer on the client’s network.
	Type	Computer type: Desktop Server Laptop Mobile device (smartphone, tablet, etc.)
	Platform ID	Type of operating system installed on the computer. Windows Linux macOS Undefined
	MUID	Unique identifier of the computer in Cytomic Orion.
	IP addresses	List of all the IP addresses (primary addresses and aliases) of the computer.
	Physical addresses (MAC)	Physical address of the network cards installed on the computer.
	Domain	Windows domain the computer belongs to. This is empty if it does not belong to a domain.
	Active directory path	Path to the computer in the organizational unit hierarchy.
	Group	Group in the Cytomic EDR or Cytomic EPDR group tree to which the computer belongs. To change the computer group, click Change.
	Operating system	Name of the operating system installed on the computer.
	Virtual machine	Indicates whether the computer is physical or virtual.
	Is a non-persistent	Indicates whether the operating system of the virtual machine resides on a storage device that persists between restarts, or reverts to its original state instead.
	Licenses	Cytomic product licenses installed on the computer.
	License status	Assigned Not assigned
	Agent version	Internal version of the Cytomic agent installed on the computer.
	Agent language	Language in which Cytomic EDR or Cytomic EPDR shows the local console and pop-up messages.
	Isolation	Shows the isolation status of the computer: Isolated Isolating Stop isolating Not isolated
	Reboot requested	The computer is pending restart.
	Creation date	Date the agent was installed on the user computer and the computer was registered in the Cytomic cloud.
	Last connection	Date when the client software last connected to the Cytomic cloud. The communications agent connects to the cloud at least every four hours.
	Last boot time	Date when the computer was last booted.
Security
	Advanced protection	Indicates whether the Cytomic EDR or Cytomic EPDR advanced protection module is enabled on the user computer and the mode it is configured in (Audit, Hardening, or Lock).
	File antivirus	Indicates whether the Cytomic EDR or Cytomic EPDR file protection module is enabled on the user computer.
	Mail antivirus	Indicates whether the protection for the protocols used to send and receive email is enabled on the user computer.
	Web browsing antivirus	Indicates whether the protection against malware downloaded from web pages is enabled on the user computer.
	Firewall	Indicates whether the module for protecting against network traffic generated by applications on the user computer is enabled.
	Device control	Indicates whether the module is enabled for protecting against infections through external storage devices or devices that allow users computers to connect to the Internet bypassing the organization communications infrastructure (USB modems and others devices).
	Exchange server antivirus	Indicates whether the module for protecting against viruses received at Microsoft Exchange servers is enabled.
	Exchange server antispam	Indicates whether the module for protecting against spam received at Microsoft Exchange servers is enabled.
	Exchange server content filter	Indicates whether the protection is enabled for email messages received at Microsoft Exchange servers that could have attachments with dangerous extensions.
	Web access control	Indicates whether the module is enabled that protects against users accessing web content not permitted by the administrator.
	Patch management	Indicates whether the patch and update module for Windows operating systems and third-party applications is enabled on the user computer.
	Data control	Indicates whether the module for tracking personal data is enabled.
	Antitheft	Indicates whether the module is enabled that mitigates the exposure of data in the event of theft of an Android device.
	Encryption	Indicates whether the file encryption module is enabled on the user computer.
	Data search control status	Indicates whether the computer has a Cytomic Data Watch settings profile assigned that allows it to receive file searches and report their results.
Protection
	Protection update status	Indicates whether the protection module installed on the computer is the latest version released by Cytomic. Updated Not updated (seven days without updating since last release) Pending restart.
	Protection version	Version of the Cytomic EDR or Cytomic EPDR protection module installed on the user computer.
	Knowledge update status	Indicates whether the signature file installed on the user computer is the latest version released by Cytomic. Updated Not updated (three days without updating since last release)
	Knowledge update date	Date when the signature file was last downloaded to the user computer.
Data protection
	Personal data monitoring	Indicates whether you can see files on storage devices on the client's computer to generate a database on the computer to speed up content retrieval.
	Personal data monitoring	Indicates whether extensions for accessing Microsoft Office suite files are installed on the client's computer.
	Index status	Indicates the status of the Cytomic Data Watch indexing engine. Not indexed Indexed Indexed (text only) Indexed (all content) Indexing
Computer details fields