Investigation timeline - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-05-15
Category: Administrator Guide
Abstract

The investigation timeline shows the forensic artifacts that were tagged. The tags show details of the forensic data collected from the endpoints.

The Timeline page enables you to view the list of forensic artifacts that were tagged. The tags show details of the forensic data collected from the endpoints.

The Timeline table displays the following fields:

Field                    Description
-----                    -----------
Hostname                 Name of the host machine.
Timestamp                Timestamp associated with the artifact.
Type                     Type of forensic artifact to which the tag was added.
Description              Name of the timestamp field.
Tags                     There are three default tags to choose from: legitimate, malicious, and suspicious.
                         You can also create your own tag.
User                     User account associated with the forensic artifact.
Data                     Data summary for the tagged item.
Mitre Att&ck Tactic      MITRE ATT&CK tactic associated with the tagged item.
Mitre Att&ck Technique   MITRE ATT&CK technique associated with the tagged item.
Notes                    Notes entered by the user.

  1. Edit a timeline entry:

    You can edit the tag of an artifact in the Timeline table.

    1. Locate the relevant item to update the tag.

    2. Right-click and select Edit timeline entry.

    3. In Edit timeline entry, update the information as required and then click Save.

  2. Clear a timeline entry:

    You can remove a tag from the artifact in the Timeline table.

    1. Locate the relevant item to remove the tag.

    2. Right-click and select Clear timeline entry. The tag is removed from the artifact and the row is removed from the Timeline table.