Key assets & artifacts - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-05-15
Category: Administrator Guide

Abstract

Shows the forensic investigation based on the tagged data and aligns it to the corresponding category.

Key assets & artifacts are created automatically from the data tagged in the investigation timeline of the investigation, and the tagged items are divided among the following categories:

  • Endpoints: Shows the endpoints that have at least one tagged item.

  • Malware: Shows all the items that have been tagged in the Process Execution or Persistence tables.

  • Users: Shows any tagged artifact data with a non-null user field.

  • Network Indicators: Shows the event logs with the IP addresses that have been tagged.

  • Data Access: Shows all the items that have been tagged in the File Access tables.
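The following script is an added example, not code from the Cortex XSIAM product or its documentation, that shows how tagged investigation-timeline items can be sorted into the categories above and how the Earliest Activity and Latest Activity values of the Endpoints and Users views fall out of a min/max over each group. The item layout (the "table", "endpoint", "user" and "timestamp" keys) and the sample items are constructed for the example and are not the product's own schema.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of tagged investigation-timeline items (not real product
# data). Each item records the source table in which it was tagged.
TAGGED_ITEMS = [
    {"table": "Process Execution", "endpoint": "WS-01", "endpoint_id": "ep-1",
     "user": "alice", "timestamp": "2024-03-01T08:00:00Z",
     "file_name": "dropper.exe", "path": "C:\\Users\\alice\\dropper.exe"},
    {"table": "Persistence", "endpoint": "WS-01", "endpoint_id": "ep-1",
     "user": "alice", "timestamp": "2024-03-01T08:05:00Z",
     "file_name": "svc.exe", "path": "C:\\Windows\\Temp\\svc.exe"},
    {"table": "File Access", "endpoint": "SRV-02", "endpoint_id": "ep-2",
     "user": None, "timestamp": "2024-03-01T09:30:00Z",
     "path": "/srv/data/customers.db", "size": 4096},
    {"table": "File Access", "endpoint": "WS-01", "endpoint_id": "ep-1",
     "user": "bob", "timestamp": "2024-03-02T10:00:00Z",
     "path": "C:\\Finance\\q1.xlsx", "size": 20480},
]

# Source tables that feed the Malware and Data Access categories (assumed
# mapping, following the category descriptions above).
MALWARE_TABLES = {"Process Execution", "Persistence"}
DATA_ACCESS_TABLES = {"File Access"}


def _ts(value):
    """Parse a constructed UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _activity_window(items, key):
    """Group items by `key` and return the earliest and latest tagged
    timestamp per group, which is how Earliest/Latest Activity are derived."""
    groups = defaultdict(list)
    for item in items:
        groups[item[key]].append(_ts(item["timestamp"]))
    return {
        name: {
            "earliest_activity": min(stamps).isoformat(),
            "latest_activity": max(stamps).isoformat(),
        }
        for name, stamps in groups.items()
    }


def build_endpoints(items):
    """Endpoints view: every endpoint with at least one tagged item,
    regardless of which table the item came from."""
    return _activity_window(items, "endpoint")


def build_users(items):
    """Users view: only items whose user field is non-null contribute."""
    return _activity_window([i for i in items if i.get("user")], "user")


def build_malware(items):
    """Malware view: items tagged in Process Execution or Persistence."""
    return [i for i in items if i["table"] in MALWARE_TABLES]


def build_data_access(items):
    """Data Access view: items tagged in the File Access tables."""
    return [i for i in items if i["table"] in DATA_ACCESS_TABLES]


def build_key_assets(items):
    """Assemble all categories from one list of tagged items."""
    return {
        "endpoints": build_endpoints(items),
        "users": build_users(items),
        "malware": build_malware(items),
        "data_access": build_data_access(items),
    }


if __name__ == "__main__":
    for category, view in build_key_assets(TAGGED_ITEMS).items():
        print(category, view)
```

Note that SRV-02 appears in the Endpoints view (it has a tagged File Access item) but contributes nothing to the Users view, because the item's user field is null; the same item does appear under Data Access.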

The following table for Endpoints shows the endpoints that have at least one tagged item:

Field                   Description
Endpoint Name           The name of the endpoint.
Endpoint Type           Shows the endpoint type:
                          • Mobile
                          • Server
                          • Workstation
                          • Kubernetes Node
Endpoint Status         Shows the status of the endpoint:
                          • Connected
                          • Connection Lost
                          • Deleted
                          • Disconnected
                          • Uninstalled
                          • VDI Pending Login
                          • Forensics Offline
                          • Partial Registration
Earliest Activity       The timestamp of the earliest tagged item in the incident timeline for the endpoint.
Latest Activity         The timestamp of the last tagged item in the incident timeline for the endpoint.
IP Address              List of associated IP addresses.
IPv6 Address            List of associated IPv6 addresses.
First Seen              The timestamp when the endpoint was first seen.
Last Seen               The timestamp when the endpoint was last seen.
Endpoint Isolated       Shows the isolation status of the endpoint:
                          • Pending Isolation Cancellation
                          • Pending Isolation
                          • Isolated
                          • Not Isolated
Isolation Date          The date the endpoint was isolated.

The following table for Malware shows all the items that have been tagged in the Process Execution or Persistence tables:

Field                   Description
File Name               The name of the artifact collected from the endpoint.
Path                    The executable path.
Tags                    The tags assigned to the artifact.
SHA256                  The SHA256 value of the executable file.
Verdicts                WildFire verdicts.
User                    The user name of the person who ran the process.
Endpoint Name           The name of the endpoint.
Endpoint ID             The unique ID of the endpoint.
MITRE ATT&CK Tactic     The tactic selected during tagging.
MITRE ATT&CK Technique  The technique selected during tagging.
Platform                The operating system of the endpoint:
                          • Windows
                          • macOS
                          • Linux
                          • Android
Created                 The creation timestamp of the file.
Accessed                The last-accessed timestamp of the file.
Modified                The last-modified timestamp of the file.

The following table for Users shows any tagged artifact data with a non-null user field:

Field                   Description
Username                The username of the person who ran the process.
Domain                  The domain of the user's computer.
ID                      The user identifier; its form depends on the operating system:
                          • UID for macOS and Linux
                          • SID for Windows
Earliest Activity       The timestamp of the earliest tagged item in the incident timeline for the user.
Latest Activity         The timestamp of the last tagged item in the incident timeline for the user.

The following table for Network Indicators shows the event logs with the IP addresses that have been tagged:

Field                   Description
Indicator               The data field that was tagged.
Type                    The type of the indicator:
                          • IP Address
                          • Hostname
                          • URL
Endpoint Name           The name of the endpoint.
Endpoint ID             The unique ID of the endpoint.
Country                 Geolocation data for the IP address.
Flag                    The flag of the geolocated country.
Organization            The organization associated with the IP address.

The following table for Data Access shows all the items that have been tagged in the File Access tables:

Field                   Description
Path                    The path of the accessed file.
User                    The user name of the person who accessed the file.
Endpoint Name           The name of the endpoint.
Endpoint ID             The unique ID of the endpoint.
Created                 The creation timestamp of the accessed file.
Accessed                The last-accessed timestamp of the accessed file.
Modified                The last-modified timestamp of the accessed file.
Size                    The size of the file.