Key assets & artifacts - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2024-12-12
Category
Administrator Guide
Abstract

Summarizes the data tagged during a forensic investigation and sorts it into the corresponding asset and artifact categories.

Key assets & artifacts are created automatically from the data tagged in the investigation timeline of a forensic investigation and are divided among the following categories:

  • Endpoints: Displays the endpoints that have at least one tagged item.

  • Malware: Displays all the items that have been tagged in the Process Execution or Persistence tables.

  • Users: Displays any tagged artifact data with a non-null user field.

  • Network Indicators: Displays the tagged IP addresses, hostnames, and URLs from event logs.

  • Data Access: Displays all the items that have been tagged in the File Access tables.

The following table for Endpoints displays the endpoints that have at least one tagged item:

Field

Description

Endpoint Name

Name of the endpoint.

Endpoint Type

Displays the endpoint type:

  • Mobile

  • Server

  • Workstation

  • Kubernetes Node

Endpoint Status

Displays the status of the endpoint:

  • Connected

  • Connection Lost

  • Deleted

  • Disconnected

  • Uninstalled

  • VDI Pending Login

  • Forensics Offline

  • Partial Registration

Earliest Activity

Timestamp of the earliest tagged item in the incident timeline for the endpoint.

Latest Activity

Timestamp of the last tagged item in the incident timeline for the endpoint.

IP Address

List of associated IP addresses.

IPv6 Address

List of associated IPv6 addresses.

First Seen

Timestamp when the endpoint was first seen.

Last Seen

Timestamp when the endpoint was last seen.

Endpoint Isolated

Displays the status of endpoint isolation:

  • Pending Isolation Cancellation

  • Pending Isolation

  • Isolated

  • Not Isolated

Isolation Date

Isolation date of the endpoint.

The following table for Malware shows all the items that have been tagged in the Process Execution or Persistence tables.

Field

Description

File Name

Name of the artifact collected from the endpoint.

Path

Executable path.

Tags

Assigned tags of the artifact.

SHA256

SHA256 value of the executable file.

Verdicts

WildFire verdicts.

User

User name of the person who ran the process.

MITRE ATT&CK Tactic

Tactic selected during tagging.

MITRE ATT&CK Technique

Technique selected during tagging.

Platform

Operating system of the endpoint:

  • Windows

  • macOS

  • Linux

  • Android

Created

Creation timestamp of the executable file.

Accessed

Last-accessed timestamp of the executable file.

Modified

Last-modified timestamp of the executable file.

The following table for Users displays any tagged artifact data with a non-null user field.

Field

Description

Username

Username of the person who ran the process.

Domain

Domain of the user's computer.

ID

User identifier. Its format depends on the operating system of the endpoint:

  • UID for macOS and Linux

  • SID for Windows

Earliest Activity

Timestamp of earliest tagged item in Incident Timeline for the user.

Latest Activity

Timestamp of last tagged item in Incident Timeline for the user.

The following table for Network Indicators displays the tagged IP addresses, hostnames, and URLs from event logs.

Field

Description

Indicator

Data field that was tagged.

Type

Type of the tagged indicator:

  • IP Address

  • Hostname

  • URL

Country

Geolocation data for IP addresses.

Flag

Flag of geolocated country.

Organization

Organization associated with IP address.

The following table for Data Access displays all the items that have been tagged in the File Access tables.

Field

Description

Path

Path of the accessed file.

User

User name of the person who accessed the file.

Created

Creation timestamp of the file accessed.

Accessed

Last-accessed timestamp of the file accessed.

Modified

Last-modified timestamp of the file accessed.

Size

Size of the file.
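The following is an added example, not Cortex XSIAM code, that shows how the five tables above are derived from tagged timeline items under the rules this page describes: endpoints with at least one tagged item get an Earliest/Latest Activity window, Process Execution and Persistence tags feed the Malware table, only artifacts with a non-null user feed the Users table (whose ID is a SID on Windows and a UID on macOS/Linux), tagged network values are typed as IP Address, Hostname or URL, and File Access tags feed the Data Access table. The TaggedItem schema, its field names, and the sample items are assumptions constructed for the example.

```python
"""Added example, not Cortex XSIAM code: rebuild the Key assets & artifacts
tables from tagged investigation-timeline items. Schema and field names are
assumed for illustration."""
import ipaddress
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse


@dataclass
class TaggedItem:
    """One tagged row from the investigation timeline (constructed schema)."""
    table: str                        # "Process Execution", "Persistence", "File Access", "Network"
    timestamp: int                    # epoch seconds of the event
    endpoint: str                     # endpoint name
    platform: str                     # "Windows", "macOS", "Linux" or "Android"
    user: Optional[str] = None        # None when the artifact has no user field
    path: Optional[str] = None        # executable or accessed-file path
    sha256: Optional[str] = None      # hash of the executable (Malware table)
    indicator: Optional[str] = None   # tagged IP address, hostname or URL


def indicator_type(value: str) -> str:
    """Type column of the Network Indicators table."""
    try:
        ipaddress.ip_address(value)          # accepts IPv4 and IPv6 literals
        return "IP Address"
    except ValueError:
        pass
    return "URL" if urlparse(value).scheme else "Hostname"


def id_kind(platform: str) -> str:
    """The Users table's ID column holds a SID on Windows and a UID on macOS/Linux."""
    return "SID" if platform == "Windows" else "UID"


def activity_window(items: List[TaggedItem]) -> Tuple[int, int]:
    """Earliest/Latest Activity: min and max timestamp of the tagged items."""
    stamps = [i.timestamp for i in items]
    return min(stamps), max(stamps)


def build_key_assets(items: List[TaggedItem]) -> Dict[str, list]:
    by_endpoint: Dict[str, List[TaggedItem]] = {}
    by_user: Dict[tuple, List[TaggedItem]] = {}
    for it in items:
        by_endpoint.setdefault(it.endpoint, []).append(it)
        if it.user is not None:                     # Users: non-null user field only
            by_user.setdefault((it.user, it.platform), []).append(it)

    endpoints = []
    for name, rows in by_endpoint.items():          # one row per endpoint with >= 1 tagged item
        earliest, latest = activity_window(rows)
        endpoints.append({"Endpoint Name": name, "Earliest Activity": earliest,
                          "Latest Activity": latest})

    malware = [                                     # Process Execution + Persistence tags
        {"File Name": ntpath.basename(it.path), "Path": it.path, "SHA256": it.sha256,
         "User": it.user, "Platform": it.platform}
        for it in items if it.table in ("Process Execution", "Persistence")
    ]

    users = []
    for (user, platform), rows in by_user.items():
        earliest, latest = activity_window(rows)
        users.append({"Username": user, "ID Type": id_kind(platform),
                      "Earliest Activity": earliest, "Latest Activity": latest})

    network = [                                     # any tagged IP, hostname or URL
        {"Indicator": it.indicator, "Type": indicator_type(it.indicator)}
        for it in items if it.indicator is not None
    ]

    data_access = [                                 # File Access tags
        {"Path": it.path, "User": it.user}
        for it in items if it.table == "File Access"
    ]
    return {"Endpoints": endpoints, "Malware": malware, "Users": users,
            "Network Indicators": network, "Data Access": data_access}


# Constructed sample: six tagged items across two endpoints.
SAMPLE = [
    TaggedItem("Process Execution", 1700000000, "WS-01", "Windows", "alice",
               r"C:\Users\alice\AppData\Local\Temp\update.exe", "a" * 64),
    TaggedItem("File Access", 1700000300, "WS-01", "Windows", "alice",
               r"C:\Finance\payroll.xlsx"),
    TaggedItem("Persistence", 1700000600, "WS-01", "Windows", "alice",
               r"C:\ProgramData\svc.exe", "b" * 64),
    TaggedItem("Network", 1700000900, "WS-01", "Windows", indicator="203.0.113.7"),
    TaggedItem("Network", 1700001200, "SRV-DB-02", "Linux", "root",
               indicator="updates.example.net"),
    TaggedItem("Network", 1700001500, "SRV-DB-02", "Linux",
               indicator="http://203.0.113.7/stage2"),
]

if __name__ == "__main__":
    for table, rows in build_key_assets(SAMPLE).items():
        print(table, rows)
```

Note that the untagged network item on WS-01 has no user, so it widens the endpoint's Latest Activity to the last tagged item but does not appear in the Users table; this is the difference between the Endpoints window and the Users window that the two tables' activity columns describe.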