The Timeline page enables you to view the list of forensic artifacts that were tagged. The tags display details of the forensic data collected from the endpoints.
The Timeline table displays the following fields:
Field | Description |
---|---|
Hostname | Name of the host machine. |
Timestamp | Timestamp associated with the artifact. |
Type | Forensic artifact to which a tag was added. |
Description | Name of the timestamp field. |
Tags | There are three default tags to choose from. You can also create your own tags. |
User | User account associated with the forensic artifact. |
Data | Data summary for the tagged item. |
Mitre Att&ck Tactic | Displays the type of MITRE ATT&CK tactic of the tagged item. |
Mitre Att&ck Technique | Displays the type of MITRE ATT&CK technique of the tagged item. |
Notes | Displays notes entered by the user. |
Edit a timeline entry:
You can edit a tag of an artifact in the Timeline table.
1. Locate the relevant item to update the tag.
2. Right-click and select Edit timeline entry.
3. In Edit timeline entry, update the information as required and then click Save to update the changes.
Clear a timeline entry:
You can remove a tag from the artifact in the Timeline table.
1. Locate the relevant item to remove the tag.
2. Right-click and select Clear timeline entry. The tag is removed from the artifact and the row is removed from the Timeline table.