Machine Timeline Enhancements Improve Investigation Workflows

In July, Cybereason announced the release of the Process Timeline feature, now known as Machine Timeline, since it shows a unified timeline of events on a machine of interest around the time of a key or “lead event.” Today, Cybereason is excited to announce a series of enhancements in the Machine Timeline feature to improve investigation workflows further.

The Machine Timeline capability accelerates threat hunting and investigations by displaying endpoint telemetry enriched with our industry-leading MalOp (malicious operation) in a familiar, tabular format. This functionality is a companion to the Attack Tree visualizations that show relationships between suspicious parent and child processes. The Machine Timeline capability displays a wealth of data of interest to investigators and allows them to zero in on and fully investigate all executing processes on machines of interest within a specified timeframe.

Ability to Star Events of Interest

A timeline may consist of hundreds, if not thousands, of events, even within a narrow timeframe of +/- 5 minutes from the lead event. When reviewing the timeline, analysts may come across suspicious events that warrant deeper investigation once they have completed their initial high-level review.

To help analysts remember which events merit deeper investigation, Machine Timeline now allows them to mark events of interest with a star and filter by starred events. This capability streamlines the investigation workflow by facilitating a seamless transition between the high-level review phase and the deeper investigation phase. It also reduces the likelihood that an analyst will forget to come back to a key event that may contain other Indicators of Behavior (IoBs) critical to scoping the compromise, an omission that would delay detection and response. Figure 1, below, shows the analyst has starred 3 events they deemed suspicious in the minutes after the lead event (in this case, the creation of the ‘winword.exe’ process). Figure 2 shows the starred events filter applied to narrow the scope of focus to these suspicious events.

Figure 1 - Ability to star events of interest

Figure 2 - Ability to filter by starred events

Ability to Filter Events by Suspicions and MalOps

Cybereason has also added three filters related to Suspicions and MalOps. These filters reduce the dataset to events that provide invaluable contextual information from our industry-leading MalOp™ detection engine.

  • Has Suspicions/MalOps - This filter allows analysts to view all events associated with a MalOp. A MalOp is a collection of related suspicious activities that are highly likely to be part of a security incident. By applying this filter, analysts can see other malicious activity on a given machine.
  • Has only Suspicions - This filter allows analysts to view all events that the Cybereason platform has marked as suspicious but have not crossed the threshold to trigger a MalOp. This filter is particularly useful because Suspicions represent individual activities that may be malicious and therefore warrant additional investigation.
  • None - This filter allows analysts to view all events that have no Suspicions or MalOps associated with them. This feature will be especially useful to threat hunters looking to surface malicious activity that has evaded existing detection capabilities.

Figure 3 shows the analyst has applied a filter to only show events associated with a MalOp. As a result, the filter has reduced the dataset to just 21 events, helping the analyst focus on the ones that matter most.

Figure 3 - Has Suspicions/MalOps filter applied

Process Responsible for Activity Added to Timeline

Cybereason has added an additional data point, known as Owner Process, to the timeline to provide additional context into the process responsible for the event. For example, in Figure 4, the timeline shows us an outgoing connection was made at 17:28:24 GMT+01. The analyst can quickly associate this activity with winword.exe (the lead event) by looking at the Owner Process column. Furthermore, the analyst can quickly uncover other related activity (from the same or a different process), an example being the MSRPC event, also made at 17:28:24 GMT+01, and also from the winword.exe process.

Figure 4 - Additional contextual information in the timeline - Owner Process
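To make the filter semantics above concrete, here is an added illustration (not Cybereason code) of a minimal timeline model: events within +/- 5 minutes of a lead event, an analyst star mark, the three Suspicions/MalOps filters, the starred-events filter, and an Owner Process lookup. The event records, timestamps and MalOp id are constructed sample data, and the "MalOp-1" label and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

@dataclass
class Event:
    ts: datetime
    kind: str                        # e.g. "process_create", "outgoing_connection"
    owner_process: str               # Owner Process column: process responsible for the event
    suspicions: Tuple[str, ...] = ()  # suspicion labels attached by the platform
    malop_id: Optional[str] = None   # MalOp the event belongs to, if any
    starred: bool = False            # analyst mark for follow-up
class MachineTimeline:
    def __init__(self, events, lead, window=timedelta(minutes=5)):
        # keep only events within +/- window of the lead event, in time order
        lo, hi = lead.ts - window, lead.ts + window
        self.lead = lead
        self.events = sorted((e for e in events if lo <= e.ts <= hi), key=lambda e: e.ts)

    def star(self, *indexes):
        for i in indexes:
            self.events[i].starred = True

    def filter(self, mode):
        # "malop": Has Suspicions/MalOps; "suspicions_only": Has only Suspicions;
        # "none": no Suspicions or MalOps; "starred": starred-events filter.
        preds = {
            "malop": lambda e: e.malop_id is not None,
            "suspicions_only": lambda e: bool(e.suspicions) and e.malop_id is None,
            "none": lambda e: not e.suspicions and e.malop_id is None,
            "starred": lambda e: e.starred,
        }
        return [e for e in self.events if preds[mode](e)]

    def by_owner(self, owner):
        return [e for e in self.events if e.owner_process == owner]

T = datetime(2021, 11, 2, 17, 28, 20)   # constructed lead-event time
LEAD = Event(T, "process_create", "winword.exe")
SAMPLE = [  # constructed telemetry, not real platform data
    LEAD,
    Event(T + timedelta(seconds=4), "outgoing_connection", "winword.exe", ("Suspicious outbound",), "MalOp-1"),
    Event(T + timedelta(seconds=4), "msrpc", "winword.exe", ("Unusual RPC from Office app",), "MalOp-1"),
    Event(T + timedelta(seconds=9), "process_create", "powershell.exe", ("Encoded command line",)),
    Event(T + timedelta(seconds=30), "file_write", "svchost.exe"),
    Event(T + timedelta(minutes=20), "outgoing_connection", "chrome.exe"),  # outside the window
]
def build_demo_timeline():
    tl = MachineTimeline(SAMPLE, LEAD)
    tl.star(1, 3)   # analyst flags the connection and the PowerShell launch
    return tl
```

The "none" filter is the one a hunter would reach for first: it lists exactly the events the platform has no verdict on, which is where activity that evaded existing detections would sit.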

Constantly Improving Investigation Capabilities to Keep You Ahead of Attackers

These enhancements to the Machine Timeline capability exemplify Cybereason’s commitment to reversing the adversary advantage by giving Defenders the tools to focus their investigations and conduct them more efficiently and effectively.

Learn more about threat hunting with Cybereason or request a one-on-one demonstration.

About the Author

Paul Bottomley

Paul is the Senior Product Manager for Threat Hunting and joined Cybereason in September 2021. Paul has over 10 years’ experience developing Threat Hunting products and services for global customers, helping them surface attacker activity and cyber risk in their IT networks.