Format of the Events Used in Cytomic Orion

To generate effective analysis and response processes in the face of detected incidents, SOC technicians require accurate information about the status of the IT infrastructure they investigate.

Cytomic EDR and Cytomic EPDR monitor the processes that run on clients’ computers and send the generated telemetry data to the Cytomic cloud. All this information is stored in the data lake hosted in the Cytomic cloud, where it is available to analysts through a variety of tools included in Cytomic Orion.

Telemetry data is stored in the data lake in a structured format called ‘event’, which consists of several fields. Analysts need to understand the meaning of each of these fields to correctly interpret the logged information.

An event is a record that consists of fields that describe an action taken by a process on a computer. Each type of event includes a specific number of fields.

Cytomic Orion presents the event flow in multiple ways in the analyst console:

  • Table: All events of the same type are stored in a table that you can query using SQL statements. For more information, see Advanced SQL Query Module.

  • List: You can see the content of the event fields directly in the investigation console, where a list can contain events of multiple types in chronological order. For more information, see Indicator Analysis Using the Investigation Console.

  • Graphs: The event information is used to build graphs that help analysts interpret the process execution sequence and the relationships established between the actors involved in a cyberattack.

  • Searches: In assisted investigations, event information is used to display results and to create new searches that guide analysts through the investigation. For more information, see Assisted Investigations.