Shows the tagged data from the forensic investigation, aligned to its corresponding category.
Key assets and artifacts are created automatically from the data tagged in the investigation timeline and are divided among the following categories:
Endpoints: Shows the endpoints that have at least one tagged item.
Malware: Shows all the items that have been tagged in the Process Execution or Persistence tables.
Users: Shows any tagged artifact data with a non-null user field.
Network Indicators: Shows the event logs with IP addresses that have been tagged.
Data Access: Shows all the items that have been tagged in the File Access tables.
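The grouping described above, as an added example that is not part of the original documentation: tagged timeline items are sorted into the categories by the table they were tagged in, endpoints with at least one tagged item get their earliest and latest activity, and users are listed only when the user field is non-null. The sample items, their field names and the "Network" source table name are constructed assumptions for this example.

```python
from collections import defaultdict

# Constructed sample of tagged items from an investigation timeline.
# Field names (source_table, endpoint, user, ts, ip, path) are assumptions.
TAGGED_ITEMS = [
    {"source_table": "File Access", "endpoint": "WS-01", "user": "alice",
     "ts": "2024-03-01T08:00:00Z", "ip": "10.0.0.5", "path": "C:\\Finance\\q1.xlsx"},
    {"source_table": "Process Execution", "endpoint": "WS-01", "user": "alice",
     "ts": "2024-03-01T08:05:00Z", "ip": "10.0.0.5", "path": "C:\\Temp\\svc.exe"},
    {"source_table": "Persistence", "endpoint": "SRV-02", "user": None,
     "ts": "2024-03-01T09:30:00Z", "ip": "10.0.0.9", "path": "C:\\Windows\\run.exe"},
    {"source_table": "Network", "endpoint": "SRV-02", "user": None,
     "ts": "2024-03-01T09:31:00Z", "ip": "203.0.113.7", "path": None},
]

# Category fed by each table an item can be tagged in ("Network" is assumed).
CATEGORY_BY_TABLE = {
    "File Access": "Data Access",
    "Process Execution": "Malware",
    "Persistence": "Malware",
    "Network": "Network Indicators",
}


def build_key_assets(items):
    """Group tagged timeline items into the Key Assets & Artifacts categories."""
    endpoints, users, artifacts = {}, {}, defaultdict(list)
    for it in items:
        # Endpoints: every endpoint with at least one tagged item, with the
        # earliest/latest tagged timestamp and its associated IP addresses.
        # Timestamps share one ISO 8601 format, so string order is time order.
        ep = endpoints.setdefault(
            it["endpoint"], {"earliest": it["ts"], "latest": it["ts"], "ips": set()})
        ep["earliest"] = min(ep["earliest"], it["ts"])
        ep["latest"] = max(ep["latest"], it["ts"])
        ep["ips"].add(it["ip"])
        # Users: only items whose user field is non-null.
        if it["user"] is not None:
            u = users.setdefault(it["user"], {"earliest": it["ts"], "latest": it["ts"]})
            u["earliest"] = min(u["earliest"], it["ts"])
            u["latest"] = max(u["latest"], it["ts"])
        # Malware, Data Access and Network Indicators follow the source table.
        cat = CATEGORY_BY_TABLE.get(it["source_table"])
        if cat:
            artifacts[cat].append(it["path"] or it["ip"])
    return {"Endpoints": endpoints, "Users": users, **artifacts}
```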
The following table for Endpoints shows the endpoints that have at least one tagged item:

| Field | Description |
|---|---|
| Endpoint Name | The name of the endpoint. |
| Endpoint Type | Shows the endpoint type: |
| Endpoint Status | Shows the status of the endpoint: |
| Earliest Activity | The timestamp of the earliest tagged item in the incident timeline for the endpoint. |
| Latest Activity | The timestamp of the last tagged item in the incident timeline for the endpoint. |
| IP Address | List of associated IP addresses. |
| IPv6 Address | List of associated IPv6 addresses. |
| First Seen | Timestamp of when the endpoint was first seen. |
| Last Seen | Timestamp of when the endpoint was last seen. |
| Endpoint Isolated | Shows the status of endpoint isolation: |
| Isolation Date | The isolation date of the endpoint. |
The following table for Malware shows all the items that have been tagged in the Process Execution or Persistence tables.

| Field | Description |
|---|---|
| File Name | The name of the artifact collected from the endpoint. |
| Path | The executable path. |
| Tags | Assigned tags of the artifact. |
| SHA256 | The SHA256 value of the executable file. |
| Verdicts | WildFire verdicts. |
| User | User name of the person who ran the process. |
| Endpoint Name | The name of the endpoint. |
| Endpoint ID | The unique ID of the endpoint. |
| Mitre ATT&CK Tactic | The tactic selected during tagging. |
| Mitre ATT&CK Technique | The technique selected during tagging. |
| Platform | The operating system of the endpoint: |
| Created | The creation timestamp of the file accessed. |
| Accessed | The accessed timestamp of the file accessed. |
| Modified | The modified timestamp of the file accessed. |
The following table for Users shows any tagged artifact data with a non-null user field.

| Field | Description |
|---|---|
| Username | The username of the person who ran the process. |
| Domain | The domain of the user's computer. |
| ID | Indicates the operating system: |
| Earliest Activity | Timestamp of the earliest tagged item in the Incident Timeline for the user. |
| Latest Activity | Timestamp of the last tagged item in the Incident Timeline for the user. |
The following table for Network Indicators shows the event logs with the IP addresses that have been tagged.

| Field | Description |
|---|---|
| Indicator | The data field that was tagged. |
| Type | |
| Endpoint Name | The name of the endpoint. |
| Endpoint ID | The unique ID of the endpoint. |
| Country | Geolocation data for the IP address. |
| Flag | The flag of the geolocated country. |
| Organization | The organization associated with the IP address. |
The following table for Data Access shows all the items that have been tagged in the File Access tables.

| Field | Description |
|---|---|
| Path | Path of the accessed file. |
| User | User name of the person who accessed the file. |
| Endpoint Names | The name of the endpoint. |
| Endpoint ID | The unique ID of the endpoint. |
| Created | The creation timestamp of the file accessed. |
| Accessed | The accessed timestamp of the file accessed. |
| Modified | The modified timestamp of the file accessed. |
| Size | The size of the file. |