Manage Entities
An entity of interest must be associated with a specific investigation. In most cases, the person who makes this association is the technician who, in the course of an investigation, finds items they want to save for later consultation. Cytomic Orion can also add entities of interest automatically during an investigation.
The Entities of interest sub-panel enables you to take action on entities, or delete them. To take action on an entity, follow these steps:
- In the Entities of interest panel, expand the group to which the entity belongs.
- Click the icon associated with the entity to open the entity context menu. Select an action. The actions shown vary depending on the type of entity. Some actions are related to incident remediation tasks.
Add Entities Automatically
Cytomic Orion automatically adds entities that are being analyzed to the Entities of interest panel. An entity is automatically added to an investigation in these situations:
- When an analyst adds an indicator to an investigation: computer ID (MUID) and client ID.
- When an analyst opens an investigation console: file hash (MD5) and/or computer ID (MUID).
Add Entities in a Guided Way
Analysts can add entities to the Entities of interest sub-panel through the option Add entity of interest. This option is available for these elements in the analysis console, when you right-click the element to open its context menu:
- The indicators assigned to an investigation.
- The icon associated with an indicator. For more information, see chapter Indicators and Hunting Rules.
- The results of an SQL advanced query. For more information, see chapter Investigate the Event Flow.
- The computer events shown in the investigation console. For more information, see chapter Indicator Analysis Using the Investigation Console.
Cytomic Orion determines the type of entity of interest that is added depending on the field where the analyst clicks to show the context menu. If, for example, the analyst right-clicks the Computer field of an indicator, Cytomic Orion adds the entity with the type Computer automatically assigned to it, although the analyst can later change it by choosing a new type from the relevant drop-down menu.
To add an entity to the Entities of interest sub-panel, follow these steps:
- Find the piece of data you want to add. Right-click it to open its context menu.
- Select Add entity of interest. A dialog box opens where you can select the entity type.
- Click OK. The entity is immediately added to the Entities of interest sub-panel and Cytomic Orion enables you to take action on it.
Add Entities in a Non-Guided Way
To add any type of entity, click the icon in the Entities of interest sub-panel. A dialog box opens where you can select the type of entity you want to add. In the Entity text box, enter the entity value. The console analyzes the data you have entered to verify that it conforms to the expected format according to the type of entity selected.
To speed up the entity configuration process, the Entity text box filters the list of all available entities as you type. Enter the entity name letter by letter: a drop-down menu shows the entities that match the characters you have entered.
Deleting an Entity of Interest
- In the top menu, select Investigations. Select the investigation that contains the entity of interest that you want to delete. In the tab bar, select Details. All panels associated with the ongoing investigation are shown.
- In the Entities of interest panel, click the context menu icon for the entity of interest that you want to delete. In the context menu, select Delete from the list of entities of interest.
- Click OK. The entity is immediately deleted.
Actions Available for Entities of Interest
The entities of interest you have added to the console have an associated context menu that makes it easier to take action on them or navigate the web console.

| Action | Description | Available for these types of entities |
|---|---|---|
| Copy to clipboard | Copies the entity information to the computer clipboard so that you can use it somewhere else in the analysis console. | All |
| Delete from the list of entities of interest | Deletes the entity from the list of entities of interest associated with the investigation. | All |
| Investigate computer | Opens a panel that shows the investigation console for the computer MUID to display the events that occurred on the computer on the selected date. For more information, see Indicator Analysis Using the Investigation Console. | Computer |
| Investigation notebook | Opens a list of all notebook templates to generate a new notebook taking the computer MUID as a parameter. For more information, see Investigations with Notebooks. | Computer |
| Isolate computer | Isolates the computer, preventing it from communicating with the network. For more information, see Response Tools. | Computer |
| Stop isolating computer | Restores communications on a previously isolated computer. For more information, see Manage Investigations. | Computer |
| Remote access to computer | Provides remote access to a computer's management resources. For more information, see Response Tools. | Computer |
| Restart computer | Starts the computer reboot sequence. For more information, see Response Tools. | Computer |
| Computer details | Opens a dialog box that shows detailed information about the device. For more information about the meaning of the fields, see Computer Details. | Computer |
Tools in the Entities of Interest Panel
The Entities of interest panel provides these tools at the top:
- Add entity of interest: See Add Entities in a Non-Guided Way.
- Refresh panel: Requests the list of entities of interest from the server and loads it in the sub-panel.
- Search: Click the icon to show a text box where you can enter the search terms. You can type only a partial string. Searches are performed on the content of all the fields in the entity of interest.
- Maximize: Expands the sub-panel to full screen.
Computer Details
| Section | Field | Description |
|---|---|---|
| General | IP addresses | List of all the IP addresses (primary addresses and aliases) of the computer. |
| | Active directory path | Path to the computer in the company's Active Directory. |
| | Group | Group in the Cytomic EDR or Cytomic EPDR group tree to which the computer belongs. To change the computer group, click Change. |
| | Operating system | Name of the operating system installed on the computer. |
| Client info | Client ID | Identifier of the client to which the computer belongs in the Cytomic Orion systems. |
| | Client name | Name of the client. |
| | Creation date | Date the client was created in the Cytomic systems. |
| Computer | Name | Name of the computer on the client's network. |
| | Type | Computer type: |
| | Platform ID | Type of operating system installed on the computer. |
| | MUID | Unique identifier of the computer in Cytomic Orion. |
| | IP addresses | List of all the IP addresses (primary addresses and aliases) of the computer. |
| | Physical addresses (MAC) | Physical address of the network cards installed on the computer. |
| | Domain | Windows domain the computer belongs to. This is empty if it does not belong to a domain. |
| | Active directory path | Path to the computer in the organizational unit hierarchy. |
| | Group | Group in the Cytomic EDR or Cytomic EPDR group tree to which the computer belongs. To change the computer group, click Change. |
| | Operating system | Name of the operating system installed on the computer. |
| | Virtual machine | Indicates whether the computer is physical or virtual. |
| | Is a non-persistent | Indicates whether the operating system of the virtual machine resides on a storage device that persists between restarts, or reverts to its original state instead. |
| | Licenses | Cytomic product licenses installed on the computer. |
| | License status | |
| | Agent version | Internal version of the Cytomic agent installed on the computer. |
| | Agent language | Language in which Cytomic EDR or Cytomic EPDR shows the local console and pop-up messages. |
| | Isolation | Shows the isolation status of the computer: |
| | Reboot requested | The computer is pending restart. |
| | Creation date | Date the agent was installed on the user computer and the computer was registered in the Cytomic cloud. |
| | Last connection | Date when the client software last connected to the Cytomic cloud. The communications agent connects to the cloud at least every four hours. |
| | Last boot time | Date when the computer was last booted. |
| Security | Advanced protection | Indicates whether the Cytomic EDR or Cytomic EPDR advanced protection module is enabled on the user computer and the mode it is configured in (Audit, Hardening, or Lock). |
| | File antivirus | Indicates whether the Cytomic EDR or Cytomic EPDR file protection module is enabled on the user computer. |
| | Mail antivirus | Indicates whether the protection for the protocols used to send and receive email is enabled on the user computer. |
| | Web browsing antivirus | Indicates whether the protection against malware downloaded from web pages is enabled on the user computer. |
| | Firewall | Indicates whether the module for protecting against network traffic generated by applications on the user computer is enabled. |
| | Device control | Indicates whether the module is enabled for protecting against infections through external storage devices or devices that allow users' computers to connect to the Internet bypassing the organization's communications infrastructure (USB modems and other devices). |
| | Exchange server antivirus | Indicates whether the module for protecting against viruses received at Microsoft Exchange servers is enabled. |
| | Exchange server antispam | Indicates whether the module for protecting against spam received at Microsoft Exchange servers is enabled. |
| | Exchange server content filter | Indicates whether the protection is enabled for email messages received at Microsoft Exchange servers that could have attachments with dangerous extensions. |
| | Web access control | Indicates whether the module is enabled that protects against users accessing web content not permitted by the administrator. |
| | Patch management | Indicates whether the patch and update module for Windows operating systems and third-party applications is enabled on the user computer. |
| | Data control | Indicates whether the module for tracking personal data is enabled. |
| | Antitheft | Indicates whether the module is enabled that mitigates the exposure of data in the event of theft of an Android device. |
| | Encryption | Indicates whether the file encryption module is enabled on the user computer. |
| | Data search control status | Indicates whether the computer has a Cytomic Data Watch settings profile assigned that allows it to receive file searches and report their results. |
| Protection | Protection update status | Indicates whether the protection module installed on the computer is the latest version released by Cytomic. |
| | Protection version | Version of the Cytomic EDR or Cytomic EPDR protection module installed on the user computer. |
| | Knowledge update status | Indicates whether the signature file installed on the user computer is the latest version released by Cytomic. |
| | Knowledge update date | Date when the signature file was last downloaded to the user computer. |
| Data protection | Personal data monitoring | Indicates whether files on the storage devices of the client's computer can be read to generate a database on the computer that speeds up content retrieval. |
| | Personal data monitoring | Indicates whether extensions for accessing Microsoft Office suite files are installed on the client's computer. |
| | Index status | Indicates the status of the Cytomic Data Watch indexing engine. |