Accelerate Investigations with the New Cybereason Process Timeline Feature

Cybereason is excited to announce the new Process Timeline view, which provides threat hunters with a unified timeline of events in a powerful tabular view and full visibility of activity that happened on the endpoint around the time of a key or “lead event.” The Process Timeline can be accessed from the Investigation screen and the element details page. 

Process Timeline core features include:

  • Events enriched with Suspicion and MalOp™ data
  • Configurable +/- timeframe: 5, 10, 15, 20, 25, 30 minutes around the lead event
  • Event search
  • Element and Operation filtering
  • Pivoting into event details
  • Ability to export results to CSV
  • Ability to ‘jump’ to the lead event from any page in the timeline

Here are some screenshots to demonstrate the capability. You’ll notice in Figures 2 and 5 that there are some very interesting events to be discovered both before and after the process creation event, including:

  • A 7-zip archive being extracted
  • An ‘rtf’ file being created on disk
  • An exploit detection event
  • Outgoing connections
  • mshta activity with ‘suspicions’ associated with them

Figure 1: Pivot into the Process Timeline from the Investigation screen or the element details page.

Figure 2: Process Timeline view showing events 5 minutes around the lead event.

Figure 3: Ability to change the +/- timeframe in increments of 5 minutes.

Figure 4: Ability to pivot into event details.

Figure 5: Ability to filter the dataset.

The Cybereason Defense Platform enables Threat Hunting and Incident Response (IR) with the collection and storage of raw telemetry and enriched contextual data.

A Threat Hunter (“hunter”) may start their investigation by developing a hypothesis – this could be based on the threat intelligence assessment of a threat actor (the who, what, where, when, why), leveraging insights from adversary models such as the MITRE ATT&CK® framework, or using their own intuition and skill.

Regardless of the approach, the hunter will initiate the hunt in the form of a query which may generate a lead for deeper investigation. Similarly, in an incident response scenario, the intelligence gathered on the threat actor responsible for the incident will be used to craft queries to scope the compromised domain.

Let's assume the hunter—through their queries—uncovers a lead in the form of a process creation event (“the lead event”) that warrants further inspection. At this stage, the hunter is likely to drill into the process to gain a better understanding of its properties and features (such as the command line, path, hash, signed and verified status, etc.), which will help inform their decision of whether the activity should be investigated further or disregarded.

If the hunter continues their investigation, two important questions need to be answered:

  • What activity led up to the lead event (the minus ‘-’ timeframe); and,
  • What activity followed the lead event (the positive ‘+’ timeframe).

The dataset to answer these questions shouldn’t be restricted to process events, nor should it be restricted to events solely connected to the process tree of the lead process. For a hunter to be able to answer these two questions effectively, event data spanning multiple entities (process, file, registry, connection, etc.) should be presented in a single, consolidated view.

Why is this dataset important? Simply put, it provides full context. This dataset allows the hunter to provide an accurate account of events leading up to and following the lead event. It is not uncommon that by having access to this dataset, other Indicators of Behavior (IOBs) from seemingly unconnected events are discovered, which can then be used as pivot points to hunt for other potentially compromised machines.
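As an added illustration (this is not Cybereason code and makes no claim about how the platform stores or queries telemetry), the following Python builds the +/- N-minute window around a lead event from a constructed set of endpoint events spanning process, file, registry and connection entities, then applies the element/operation/search filters and a CSV export. The Event fields, the sample telemetry, the timestamps and the function names are all assumptions made for the example.

```python
"""Build a process-timeline window around a lead event.

Added illustration, not Cybereason code: the event model, field names and
sample telemetry are constructed for this example.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime                        # when the sensor observed the event
    element: str                        # entity type: process, file, registry, connection
    operation: str                      # what happened: create, write, outgoing, ...
    detail: str                         # summary: path, command line or address
    suspicions: Tuple[str, ...] = ()    # enrichment attached to the event, if any


def _t(hhmmss: str) -> datetime:
    """Helper for the constructed sample: all events fall on one day."""
    return datetime.strptime(f"2024-01-15 {hhmmss}", "%Y-%m-%d %H:%M:%S")


# Constructed sample telemetry for one endpoint (hypothetical values).
LEAD = Event(_t("10:00:00"), "process", "create",
             "winword.exe /n C:\\Users\\u\\Downloads\\invoice.rtf")

TELEMETRY: List[Event] = [
    Event(_t("09:35:10"), "registry", "write", "HKCU\\...\\Run\\updater"),
    Event(_t("09:56:30"), "process", "create", "7z.exe x invoice.7z"),
    Event(_t("09:57:05"), "file", "create", "C:\\Users\\u\\Downloads\\invoice.rtf"),
    LEAD,
    Event(_t("10:00:42"), "process", "create",
          "mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\a.hta",
          suspicions=("exploit detected",)),
    Event(_t("10:01:10"), "connection", "outgoing", "203.0.113.10:443",
          suspicions=("suspicious destination",)),
    Event(_t("10:03:55"), "process", "create", "svchost.exe -k netsvcs"),
    Event(_t("10:12:00"), "file", "create", "C:\\Users\\u\\AppData\\Local\\Temp\\x.dll"),
]


def timeline_window(events: Iterable[Event], lead: Event, minutes: int) -> List[Event]:
    """Return every event within +/- `minutes` of the lead, ordered by time.

    The window spans all element types, not just the lead process or its
    process tree, so seemingly unconnected activity stays visible.
    """
    if minutes not in (5, 10, 15, 20, 25, 30):
        raise ValueError("timeframe must be 5..30 minutes in steps of 5")
    delta = timedelta(minutes=minutes)
    lo, hi = lead.ts - delta, lead.ts + delta
    return sorted((e for e in events if lo <= e.ts <= hi), key=lambda e: e.ts)


def filter_timeline(events: Iterable[Event], element: Optional[str] = None,
                    operation: Optional[str] = None, search: Optional[str] = None,
                    suspicious_only: bool = False) -> List[Event]:
    """Narrow a window by element type, operation, free-text search or enrichment."""
    out = []
    for e in events:
        if element and e.element != element:
            continue
        if operation and e.operation != operation:
            continue
        if search and search.lower() not in e.detail.lower():
            continue
        if suspicious_only and not e.suspicions:
            continue
        out.append(e)
    return out


def offset_label(event: Event, lead: Event) -> str:
    """Render an event's position relative to the lead, e.g. '-03:30' or '+00:42'."""
    secs = int((event.ts - lead.ts).total_seconds())
    sign = "-" if secs < 0 else "+"
    minutes, seconds = divmod(abs(secs), 60)
    return f"{sign}{minutes:02d}:{seconds:02d}"


def to_csv(events: Iterable[Event], lead: Event) -> str:
    """Export a window as CSV, marking the lead row so it can be found again."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["offset", "timestamp", "element", "operation",
                     "detail", "suspicions", "lead"])
    for e in events:
        writer.writerow([offset_label(e, lead), e.ts.isoformat(sep=" "), e.element,
                         e.operation, e.detail, ";".join(e.suspicions),
                         "yes" if e == lead else ""])
    return buf.getvalue()


if __name__ == "__main__":
    window = timeline_window(TELEMETRY, LEAD, 5)
    for e in window:
        flag = " <- lead" if e == LEAD else ""
        print(f"{offset_label(e, LEAD)} {e.element:<10} {e.operation:<8} {e.detail}{flag}")
```

Widening the window from 5 to 30 minutes pulls in the earlier registry write and the later DLL drop, which is exactly the kind of seemingly unconnected activity the paragraph above describes; the `suspicious_only` filter then isolates the enriched events as candidate pivot points.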

Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Customers interested in a personalized walkthrough of the Process Timeline should contact their Customer Success Manager. Learn more about AI-driven Cybereason XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Paul Bottomley

Paul is the Senior Product Manager for Threat Hunting and joined Cybereason in September 2021. Paul has over 10 years' experience developing Threat Hunting products and services for global customers, helping them surface attacker activity and cyber risk in their IT networks.
