Manage Entities

An entity of interest must be associated with a specific investigation. In most cases, the person who makes this association is the technician who, in the course of an investigation, finds items they want to save for later consultation. In addition, Cytomic Orion can add entities of interest to an investigation automatically.

The Entities of interest sub-panel enables you to take action on entities, or delete them. To take action on an entity, follow these steps:

  • In the Entities of interest panel, expand the group to which the entity belongs.

  • Click the icon associated with the entity to open the entity context menu. Select an action. The actions shown vary depending on the type of entity. Some actions are related to incident remediation tasks.

Add Entities Automatically

Cytomic Orion automatically adds entities that are being analyzed to the Entities of interest panel. The situations in which an entity is automatically added to an investigation are these:

  • When an analyst adds an indicator to an investigation: the computer ID (MUID) and the client ID.

  • When an analyst opens an investigation console: the file hash (MD5) and/or the computer ID (MUID).

Add Entities in a Guided Way

Analysts can add entities to the Entities of interest sub-panel through the option Add entity of interest. This option is available for elements in the analysis console when you right-click the element to open its context menu.

Cytomic Orion determines the type of the entity of interest that is added depending on the field the analyst right-clicks to show the context menu. If, for example, the analyst right-clicks the Computer field of an indicator, Cytomic Orion adds the entity with the type Computer assigned automatically, although the analyst can later change it by choosing a new type from the relevant drop-down menu.

To add an entity to the Entities of interest sub-panel, follow these steps:

  • Find the piece of data you want to add. Right-click it to open its context menu.

  • Select Add entity of interest. A dialog box opens where you can select the entity type.

  • Click OK. The entity is immediately added to the Entities of interest sub-panel and Cytomic Orion enables you to take action on it.

Add Entities in a Non-Guided Way

To add any type of entity, click the icon in the Entities of interest sub-panel. A dialog box opens where you can select the type of entity you want to add. In the Entity text box, enter the entity value. The console checks that the value you entered matches the format expected for the selected entity type.

To speed up the entity configuration process, the Entity text box filters the list of all available entities as you type. Enter the entity name letter by letter; a drop-down menu shows the entities that match the characters entered so far.
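The format check and the type-ahead filter described above, written out as an added example (this is illustrative code, not Cytomic Orion's own). The page only says that the console validates the value against the selected entity type and filters the catalog as you type; the entity types handled here (file as MD5 hash, computer as MUID, ip as IP address), the assumption that a MUID has GUID form, the function names and the sample catalog are all assumptions made for the example.

```python
import ipaddress
import re

# Added example: not Cytomic Orion code. The entity types (file = MD5 hash,
# computer = MUID, ip = IP address), the MUID-as-GUID format and the sample
# catalog below are assumptions made for illustration.

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def validate_entity(entity_type, value):
    """Check a proposed entity value against its type.

    Returns (True, normalized_value) on success or (False, reason) on failure,
    so the caller can show the reason instead of silently accepting bad input.
    """
    v = value.strip()
    if entity_type == "file":
        # The page identifies files by MD5 hash: exactly 32 hex digits.
        if MD5_RE.fullmatch(v):
            return True, v.lower()
        return False, "file entity must be a 32-hex-digit MD5 hash"
    if entity_type == "computer":
        # MUID, assumed here to have GUID form (assumption, not from the page).
        if GUID_RE.fullmatch(v):
            return True, v.upper()
        return False, "computer entity must be a MUID (GUID form assumed)"
    if entity_type == "ip":
        try:
            # ipaddress rejects octets above 255, trailing junk and mixed forms.
            return True, str(ipaddress.ip_address(v))
        except ValueError:
            return False, "ip entity must be a valid IPv4 or IPv6 address"
    return False, f"unknown entity type: {entity_type!r}"


def filter_entities(prefix, catalog):
    """Type-ahead filter: entities whose value starts with the typed prefix."""
    p = prefix.strip().lower()
    if not p:
        return []
    return [e for e in catalog if e["value"].lower().startswith(p)]


# Constructed sample catalog, standing in for the entities the console offers.
CATALOG = [
    {"type": "file", "value": "d41d8cd98f00b204e9800998ecf8427e"},
    {"type": "file", "value": "d8e8fca2dc0f896fd7cb4cb0031ba249"},
    {"type": "computer", "value": "3F2504E0-4F89-11D3-9A0C-0305E82C3301"},
    {"type": "ip", "value": "10.20.30.40"},
]


if __name__ == "__main__":
    for t, v in [("file", " D41D8CD98F00B204E9800998ECF8427E "),
                 ("file", "d41d8cd9"),
                 ("computer", "3f2504e0-4f89-11d3-9a0c-0305e82c3301"),
                 ("ip", "10.20.30.256")]:
        print(t, v.strip(), "->", validate_entity(t, v))
    print([e["value"] for e in filter_entities("d", CATALOG)])
```

Normalizing case on success (lower-case hashes, upper-case GUIDs) matters more than it looks: an entity added twice with different casing would otherwise be treated as two entities, and context-menu actions such as Copy to clipboard would hand the analyst inconsistent values.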

Deleting an Entity of Interest

  • In the top menu, select Investigations. Select the investigation that contains the entity of interest that you want to delete. In the tab bar, select Details. All panels associated with the ongoing investigation are shown.

  • In the Entities of interest panel, click the context menu icon for the entity of interest that you want to delete. In the context menu, select Delete from the list of entities of interest.

  • Click OK. The entity is immediately deleted.

Actions Available for Entities of Interest

The entities of interest you have added to the console have an associated context menu that makes it easier to take action on them or navigate the web console.

Each action, what it does, and the entity types it is available for:

Copy to clipboard (all entity types)
  Copies the entity information to the computer clipboard so that you can use it somewhere else in the analysis console.

Delete from the list of entities of interest (all entity types)
  Deletes the entity from the list of entities of interest associated with the investigation.

Investigate computer (Computer)
  Opens a panel that shows the investigation console for the computer MUID, displaying the events that occurred on the computer on the selected date. For more information, see Indicator Analysis Using the Investigation Console.

Investigation notebook (Computer)
  Opens a list of all notebook templates to generate a new notebook that takes the computer MUID as a parameter. For more information, see Investigations with Notebooks.

Isolate computer (Computer)
  Isolates the computer, preventing it from communicating with the network. For more information, see Response Tools.

Stop isolating computer (Computer)
  Restores communications on a previously isolated computer. For more information, see Manage Investigations.

Remote access to computer (Computer)
  Provides remote access to the computer's management resources. For more information, see Response Tools.

Restart computer (Computer)
  Starts the computer reboot sequence. For more information, see Response Tools.

Computer details (Computer)
  Opens a dialog box that shows detailed information about the device. For more information about the meaning of the fields, see Computer Details.

Available actions based on the entity

Tools in the Entities of Interest Panel

The Entities of interest panel provides these tools at the top:

  • Add entity of interest : See Add Entities in a Non-Guided Way.

  • Refresh panel : Requests the list of entities of interest from the server and loads it in the sub-panel.

  • Search : Click the icon to show a text box where you can enter the search terms. You can type only a partial string. Searches are performed on the content of all the fields of the entity of interest.

  • Maximize : Expands the sub-panel to full screen.

Computer Details

The fields are grouped by section; each entry gives the field name followed by its description.

General

  • IP addresses: List of all the IP addresses (primary addresses and aliases) of the computer.

  • Active directory path: Path to the computer in the company's Active Directory.

  • Group: Group in the Cytomic EDR or Cytomic EPDR group tree to which the computer belongs. To change the computer group, click Change.

  • Operating system: Name of the operating system installed on the computer.

Client info

  • Client ID: Identifier of the client to which the computer belongs in the Cytomic Orion systems.

  • Client name: Name of the client.

  • Creation date: Date the client was created in the Cytomic systems.

Computer

  • Name: Name of the computer on the client's network.

  • Type: Computer type: Desktop, Server, Laptop, or Mobile device (smartphone, tablet, etc.).

  • Platform ID: Type of operating system installed on the computer: Windows, Linux, macOS, or Undefined.

  • MUID: Unique identifier of the computer in Cytomic Orion.

  • IP addresses: List of all the IP addresses (primary addresses and aliases) of the computer.

  • Physical addresses (MAC): Physical addresses of the network cards installed on the computer.

  • Domain: Windows domain the computer belongs to. Empty if the computer does not belong to a domain.

  • Active directory path: Path to the computer in the organizational unit hierarchy.

  • Group: Group in the Cytomic EDR or Cytomic EPDR group tree to which the computer belongs. To change the computer group, click Change.

  • Operating system: Name of the operating system installed on the computer.

  • Virtual machine: Indicates whether the computer is physical or virtual.

  • Non-persistent: Indicates whether the operating system of the virtual machine resides on a storage device that persists between restarts, or reverts to its original state instead.

  • Licenses: Cytomic product licenses installed on the computer.

  • License status: Assigned or Not assigned.

  • Agent version: Internal version of the Cytomic agent installed on the computer.

  • Agent language: Language in which Cytomic EDR or Cytomic EPDR shows the local console and pop-up messages.

  • Isolation: Isolation status of the computer: Isolated, Isolating, Stop isolating, or Not isolated.

  • Reboot requested: The computer is pending restart.

  • Creation date: Date the agent was installed on the user computer and the computer was registered in the Cytomic cloud.

  • Last connection: Date when the client software last connected to the Cytomic cloud. The communications agent connects to the cloud at least every four hours.

  • Last boot time: Date when the computer was last booted.

Security

  • Advanced protection: Indicates whether the Cytomic EDR or Cytomic EPDR advanced protection module is enabled on the user computer and the mode it is configured in (Audit, Hardening, or Lock).

  • File antivirus: Indicates whether the Cytomic EDR or Cytomic EPDR file protection module is enabled on the user computer.

  • Mail antivirus: Indicates whether the protection for the protocols used to send and receive email is enabled on the user computer.

  • Web browsing antivirus: Indicates whether the protection against malware downloaded from web pages is enabled on the user computer.

  • Firewall: Indicates whether the module for protecting against network traffic generated by applications on the user computer is enabled.

  • Device control: Indicates whether the module is enabled that protects against infections through external storage devices or through devices that allow user computers to connect to the Internet bypassing the organization's communications infrastructure (USB modems and other devices).

  • Exchange server antivirus: Indicates whether the module for protecting against viruses received at Microsoft Exchange servers is enabled.

  • Exchange server antispam: Indicates whether the module for protecting against spam received at Microsoft Exchange servers is enabled.

  • Exchange server content filter: Indicates whether the protection is enabled for email messages received at Microsoft Exchange servers that could have attachments with dangerous extensions.

  • Web access control: Indicates whether the module is enabled that prevents users from accessing web content not permitted by the administrator.

  • Patch management: Indicates whether the patch and update module for Windows operating systems and third-party applications is enabled on the user computer.

  • Data control: Indicates whether the module for tracking personal data is enabled.

  • Antitheft: Indicates whether the module is enabled that mitigates the exposure of data in the event of theft of an Android device.

  • Encryption: Indicates whether the file encryption module is enabled on the user computer.

  • Data search control status: Indicates whether the computer has a Cytomic Data Watch settings profile assigned that allows it to receive file searches and report their results.

Protection

  • Protection update status: Indicates whether the protection module installed on the computer is the latest version released by Cytomic: Updated, Not updated (seven days without updating since the last release), or Pending restart.

  • Protection version: Version of the Cytomic EDR or Cytomic EPDR protection module installed on the user computer.

  • Knowledge update status: Indicates whether the signature file installed on the user computer is the latest version released by Cytomic: Updated, or Not updated (three days without updating since the last release).

  • Knowledge update date: Date when the signature file was last downloaded to the user computer.

Data protection

  • Personal data monitoring: Indicates whether files on storage devices on the client's computer can be read to generate a database on the computer that speeds up content retrieval.

  • Personal data monitoring: Indicates whether extensions for accessing Microsoft Office suite files are installed on the client's computer.

  • Index status: Status of the Cytomic Data Watch indexing engine: Not indexed, Indexed, Indexed (text only), Indexed (all content), or Indexing.

Computer details fields
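The Computer details fields carry three timing rules an analyst should check before taking a response action on a Computer entity: the agent connects at least every four hours, protection counts as Not updated seven days after the last release, and knowledge three days after. The following added example (illustrative code, not Cytomic Orion's own) applies those rules to a few constructed computer records; the record keys, the ISO-8601 timestamps, the function names and the sample computers and release data are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Added example: not Cytomic Orion code. The thresholds come from the field
# descriptions in the Computer details table (agent connects at least every
# four hours; protection counts as not updated seven days after the last
# release, knowledge three days after). The record keys, the ISO-8601
# timestamps and the sample computers are assumptions made for illustration.

CONNECT_INTERVAL = timedelta(hours=4)
PROTECTION_GRACE = timedelta(days=7)
KNOWLEDGE_GRACE = timedelta(days=3)


def parse_ts(s):
    """Parse a UTC ISO-8601 timestamp such as '2024-05-12T12:00:00Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def update_status(installed, latest, released_at, now, grace, pending_restart=False):
    """Reproduce the page's update-status values.

    A computer is 'Updated' while it runs the latest version, or while the
    latest release is younger than the grace period; after that it is
    'Not updated'. A pending restart is reported as such.
    """
    if pending_restart:
        return "Pending restart"
    if installed == latest or now - released_at <= grace:
        return "Updated"
    return "Not updated"


def triage_computer(rec, latest, now):
    """Findings an analyst should see before acting on a Computer entity."""
    findings = []
    silence = now - parse_ts(rec["last_connection"])
    if silence > CONNECT_INTERVAL:
        # Response actions (isolate, restart, remote access) need a live agent.
        hours = int(silence / timedelta(hours=1))
        findings.append(f"stale: last connection {hours}h ago (expected within 4h)")
    if rec["isolation"] != "Not isolated":
        findings.append(f"isolation state: {rec['isolation']}")
    prot = update_status(rec["protection_version"], latest["protection_version"],
                         parse_ts(latest["protection_released"]), now,
                         PROTECTION_GRACE, rec.get("reboot_requested", False))
    if prot != "Updated":
        findings.append(f"protection: {prot}")
    know = update_status(rec["knowledge_date"], latest["knowledge_date"],
                         parse_ts(latest["knowledge_date"]), now, KNOWLEDGE_GRACE)
    if know != "Updated":
        findings.append(f"knowledge: {know}")
    return findings


# Constructed sample data: the newest releases and three computer records.
LATEST = {"protection_version": "8.0.3",
          "protection_released": "2024-05-01T00:00:00Z",
          "knowledge_date": "2024-05-10T00:00:00Z"}
NOW = parse_ts("2024-05-12T12:00:00Z")
COMPUTERS = [
    {"name": "WS-FIN-07", "last_connection": "2024-05-12T11:30:00Z",
     "isolation": "Not isolated", "protection_version": "8.0.3",
     "knowledge_date": "2024-05-10T00:00:00Z"},
    {"name": "SRV-DB-01", "last_connection": "2024-05-11T20:00:00Z",
     "isolation": "Isolated", "protection_version": "8.0.1",
     "knowledge_date": "2024-05-05T00:00:00Z"},
    {"name": "LT-SALES-22", "last_connection": "2024-05-12T10:00:00Z",
     "isolation": "Not isolated", "protection_version": "8.0.2",
     "knowledge_date": "2024-05-01T00:00:00Z", "reboot_requested": True},
]

if __name__ == "__main__":
    for rec in COMPUTERS:
        print(rec["name"], triage_computer(rec, LATEST, NOW) or ["ok"])
```

The stale-connection check is the one to read first: a computer whose last connection is older than the four-hour interval may be powered off, off the network, or already isolated, and an Isolate computer or Restart computer action issued from the context menu will only take effect when the agent next reaches the cloud.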