Machine Timeline Enhancements Improve Investigation Workflows

In July, Cybereason announced the release of the Process Timeline feature, now known as Machine Timeline, since it shows a unified timeline of events on a machine of interest around the time of a key or “lead event.” Today, Cybereason is excited to announce a series of enhancements in the Machine Timeline feature to improve investigation workflows further.

The Machine Timeline capability accelerates threat hunting and investigations by displaying endpoint telemetry enriched with our industry-leading MalOp (malicious operation) in a familiar, tabular format. This functionality is a companion to the Attack Tree visualizations that show relationships between suspicious parent and child processes. The Machine Timeline capability displays a wealth of data of interest to investigators and allows them to zero in on and fully investigate all executing processes on machines of interest within a specified timeframe.

Ability to Star Events of Interest

A timeline may consist of 100s, if not thousands, of events, even during a narrow timeframe of +/- 5 minutes from the lead event. When reviewing the timeline, analysts may come across suspicious events that warrant deeper investigation once they’ve completed their initial high-level review. 

To help analysts remember which events merit deeper investigation, Machine Timeline now allows them to mark events of interest with a star and filter by starred events. This capability streamlines the investigation workflow by facilitating a seamless transition between the high-level review phase and the deeper investigation phase. It also reduces the likelihood that an analyst will forget to come back to a key event that may contain other Indicators of Behavior (IoBs) critical to scope the compromised domain, thereby delaying detection and response. Figure 1, below, shows the analyst has starred 3 events they deemed suspicious in the minutes after the lead event (in this case, the creation of the ‘winword.exe’ process). Figure 2 shows the starred events filter has been applied to narrow the scope of focus to these suspicious events.

Ability to Filter Events by Suspicions and MalOps

Cybereason has also added three filters related to Suspicions and MalOps. These filters reduce the dataset to events that provide invaluable contextual information from our industry-leading MalOp™ detection engine.

• Has Suspicions/MalOps - This filter allows analysts to view all events associated with a MalOp. A MalOp is a collection of related suspicious activities that are highly likely to be part of a security incident. By applying this filter, analysts can see other malicious activity on a given machine.
• Has only Suspicions - This filter allows analysts to view all events that the Cybereason platform has marked as suspicious but have not crossed the threshold to trigger a MalOp. This filter is particularly useful because Suspicions represent individual activities that may be malicious and therefore warrant additional investigation.
• None - This filter allows analysts to view all events that have no Suspicions or MalOps associated with them. This feature will be especially useful to threat hunters looking to surface malicious activity that has evaded existing detection capabilities.

Process Responsible for Activity Added to Timeline

Cybereason has added an additional data point, known as Owner Process, to the timeline to provide additional context into the process responsible for the event. For example, in Figure 4, the timeline shows us an outgoing connection was made at 17:28:24 GMT+01. The analyst can quickly associate this activity with winword.exe (the lead event) by looking at the Owner Process column. Furthermore, the analyst can quickly uncover other related activity (from the same or a different process), an example being the MSRPC event, also made at 17:28:24 GMT+01, and also from the winword.exe process.

Constantly Improving Investigation Capabilities to Keep You Ahead of Attackers

These enhancements to the Machine Timeline capability exemplify Cybereason’s commitment to reverse the adversary advantage by giving Defenders the tools to help them focus their investigations and conduct more efficient, effective investigations.

Learn more about threat hunting with Cybereason or request a one-on-one demonstration.