Displays the forensic investigation based on the tagged data and aligns each item to its corresponding category.
Key Assets & Artifacts are created automatically from the tagged data in the investigation timeline and are divided among the following categories:
Data Access: Displays all the items that have been tagged in the File Access tables.
The following table for Endpoints displays the endpoints that have at least one tagged item:
Field | Description |
---|---|
Endpoint Name | Name of the endpoint. |
Endpoint Type | Displays the endpoint type. |
Endpoint Status | Displays the status of the endpoint. |
Earliest Activity | Timestamp of the earliest tagged item in the incident timeline for the endpoint. |
Latest Activity | Timestamp of the last tagged item in the incident timeline for the endpoint. |
IP Address | List of associated IP addresses. |
IPv6 Address | List of associated IPv6 addresses. |
First Seen | Timestamp of first seen. |
Last Seen | Timestamp of last seen. |
Endpoint Isolated | Displays the status of endpoint isolation. |
Isolation Date | Isolation date of the endpoint. |
The following table for Malware shows all the items that have been tagged in the Process Execution or Persistence tables.
Field | Description |
---|---|
File Name | Name of the artifact collected from the endpoint. |
Path | Executable path. |
Tags | Assigned tags of the artifact. |
SHA256 | SHA256 value of the executable file. |
Verdicts | WildFire verdicts. |
User | User name of the person who ran the process. |
Mitre ATT&CK Tactic | Tactic selected during tagging. |
Mitre ATT&CK Technique | Technique selected during tagging. |
Platform | Operating system of the endpoint. |
Created | Creation timestamp of the file accessed. |
Accessed | Accessed timestamp of the file accessed. |
Modified | Modified timestamp of the file accessed. |
The following table for Users displays any tagged artifact data that has a non-null user field.
Field | Description |
---|---|
Username | Username of the person who ran the process. |
Domain | Domain of the user's computer. |
ID | Indicates the operating system. |
Earliest Activity | Timestamp of earliest tagged item in Incident Timeline for the user. |
Latest Activity | Timestamp of last tagged item in Incident Timeline for the user. |
The following table for Network Indicators displays the event logs with the IP addresses that have been tagged.
Field | Description |
---|---|
Indicator | Data field that was tagged. |
Type | |
Country | Geolocation data for IP addresses. |
Flag | Flag of geolocated country. |
Organization | Organization associated with IP address. |
The following table for Data Access displays all the items that have been tagged in the File Access tables.
Field | Description |
---|---|
Path | Path of the accessed file. |
User | User name of person who accessed the file. |
Created | Creation timestamp of the file accessed. |
Accessed | Accessed timestamp of the file accessed. |
Modified | Modified timestamp of the file accessed. |
Size | Size of the file. |
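The tables above are derived views over tagged items in the investigation timeline: each category filters the tagged items by source table, and the per-endpoint and per-user rows aggregate the earliest and latest tagged timestamps. The following is an added illustration of that derivation, not the product's own code; the item layout, the source-table names (`file_access`, `process_execution`, `persistence`) and the sample timeline are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass
class TimelineItem:
    """One row of a constructed investigation timeline (hypothetical layout)."""
    timestamp: datetime
    endpoint: str
    source_table: str            # e.g. "file_access", "process_execution", "persistence"
    tags: list = field(default_factory=list)
    user: Optional[str] = None   # None models a null user field
    path: Optional[str] = None


def tagged(items):
    """Key Assets & Artifacts are built only from items that carry at least one tag."""
    return [i for i in items if i.tags]


def activity_window(items, key):
    """Group tagged items by `key` and record earliest/latest tagged activity per group."""
    window = {}
    for item in items:
        k = key(item)
        if k is None:            # skip null keys (e.g. items with no user)
            continue
        earliest, latest = window.get(k, (item.timestamp, item.timestamp))
        window[k] = (min(earliest, item.timestamp), max(latest, item.timestamp))
    return window


def build_key_assets(items):
    """Divide tagged timeline items among the categories described on this page."""
    t = tagged(items)
    return {
        # Endpoints: any endpoint with at least one tagged item, with its activity window
        "endpoints": activity_window(t, lambda i: i.endpoint),
        # Malware: tagged items from the Process Execution or Persistence tables
        "malware": [i for i in t if i.source_table in ("process_execution", "persistence")],
        # Users: tagged items whose user field is non-null, with per-user activity window
        "users": activity_window(t, lambda i: i.user),
        # Data Access: tagged items from the File Access tables
        "data_access": [i for i in t if i.source_table == "file_access"],
    }


# Constructed sample timeline; tag names and hosts are illustrative only.
SAMPLE_TIMELINE = [
    TimelineItem(datetime(2024, 1, 10, 9, 0), "host-a", "process_execution",
                 tags=["suspicious"], user="alice", path=r"C:\tmp\run.exe"),
    TimelineItem(datetime(2024, 1, 10, 9, 5), "host-a", "file_access",
                 tags=["exfil"], user="alice", path=r"C:\data\report.xlsx"),
    TimelineItem(datetime(2024, 1, 10, 8, 30), "host-b", "persistence",
                 tags=["persistence"], user=None, path=r"C:\tmp\svc.exe"),
    TimelineItem(datetime(2024, 1, 10, 7, 0), "host-c", "process_execution",
                 tags=[], user="bob"),                      # untagged: excluded everywhere
]


def sample_key_assets():
    return build_key_assets(SAMPLE_TIMELINE)


if __name__ == "__main__":
    for category, rows in sample_key_assets().items():
        print(category, rows)
```

The untagged host-c item shows the filtering rule the page describes: an endpoint or user appears in Key Assets & Artifacts only through tagged items, so host-c and bob are absent from every category.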