Machine Timeline Enhancements Improve Investigation Workflows
Cybereason has released a series of enhancements in the Machine Timeline feature (formerly known as Process Timeline) to improve investigation workflows.
Cybereason is excited to announce the new Process Timeline view, which provides threat hunters with a unified timeline of events in a powerful tabular view and full visibility of activity that happened on the endpoint around the time of a key or “lead event.” The Process Timeline can be accessed from the Investigation screen and the element details page.
Process Timeline core features include:
Here are some screenshots to demonstrate the capability. You’ll notice in figures 2 and 5, there are some very interesting events to be discovered both before and after the process creation event, examples including:
Figure 1: Pivot into the Process Timeline from the Investigation screen or the element details page.
Figure 2: Process Timeline view showing events 5 minutes around the lead event.
Figure 3: Ability to change +- timeframe in increments of 5 minutes.
Figure 4: Ability to pivot into event details.
Figure 5: Ability to filter the dataset.
The Cybereason Defense Platform enables Threat Hunting and Incident Response (IR) with the collection and storage of raw telemetry and enriched contextual data.
A Threat Hunter (“hunter”) may start their investigation by developing a hypothesis – this could be based on the threat intelligence assessment of a threat actor (the who, what, where, when, why), leveraging insights from adversary models such as the MITRE ATT&CK® framework, or using their own intuition and skill.
Regardless of the approach, the hunter will initiate the hunt in the form of a query which may generate a lead for deeper investigation. Similarly, in an incident response scenario, the intelligence gathered on the threat actor responsible for the incident will be used to craft queries to scope the compromised domain.
Let's assume the hunter—through their queries—uncovers a lead in the form of a process creation event (“the lead event”) that warrants further inspection. At this stage, the hunter is likely to drill into the process to gain a better understanding of its properties and features (such as the command line, path, hash, signed and verified status, etc.), which will help inform their decision of whether the activity should be investigated further or disregarded.
In the instance the hunter continues their investigation, two important questions to be answered are:
The dataset to answer these questions shouldn’t be restricted to process events, nor should it be restricted to events solely connected to the process tree of the lead process. For a hunter to be able to answer these two questions effectively, event data spanning multiple entities (process, file, registry, connection, etc.) should be presented in a single, consolidated view.
Why is this dataset important? Simply put, it provides full context. This dataset allows the hunter to provide an accurate account of events leading up to and following the lead event. It is not uncommon that by having access to this dataset, other Indicators of Behavior (IOBs) from seemingly unconnected events are discovered, which can then be used as pivot points to hunt for other potentially compromised machines.
Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Customers interested in a personalized walkthrough of the Process Timeline should contact their Customer Success Manager. Learn more about AI-driven Cybereason XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
Paul is the Senior Product Manager for Threat Hunting and joined Cybereason in September 2021. Paul has over 10 years experience developing Threat Hunting products and services to global customers, which involved helping them surface attacker activity and cyber risk in their IT networks.
All Posts by Paul Bottomley
Cybereason has released a series of enhancements in the Machine Timeline feature (formerly known as Process Timeline) to improve investigation workflows.
While other vendors are scrambling to cherry-pick the results and spin up some clever interpretations of the MITRE ATT&CK results, Cybereason is proud to let the evaluation results speak for themselves: Cybereason demonstrated 100% Prevention, 100% Visibility, and 100% Real-Time Protection...