Machine Timeline
Note
The Machine Timeline feature requires an upgrade of the Data Platform infrastructure. To understand when this feature will be available to you, please contact your Customer Success representative.
The Machine Timeline screen provides additional context for a process by displaying details about sensor activity before and after the selected event, within a certain time frame.
In analyzing the Machine Timeline screen, analysts can:
Quickly view detailed machine activity within a specified time frame.
Uncover new indicators of compromise.
Determine whether a machine requires deeper forensic analysis.
In this topic:
Analyze events with the Machine Timeline
Access the Machine Timeline
Example usage
Analyze events with the Machine Timeline
From the Machine Timeline, you can:
Filter by Element Type or Operation
Search for an event
Select the time frame to display. By default, the Machine Timeline shows activities that have a timestamp within five minutes before or five minutes after the creation of the selected event. You can expand the time frame to include activity within 10, 15, 20, 25, or 30 minutes of the event creation time. The 30-minute setting is the widest window; activity that falls outside it does not appear on the timeline.
Jump to the entry for the original event
Export data to a CSV file
Sort results by column
Open the Details pane for an item by clicking on the event
The Machine Timeline screen displays machine activities that involve the following Cybereason Elements:
Connection
Detection Events
Driver
File
FileAccessEvent
LogonSession
MalopProcess
Msrpc
Process
QuarantineFile
RegistryEvent
Scheduled Task
For example, the timeline will display an entry for a file that was modified, or a connection that was established.
The Machine Timeline includes the following columns:
| Column name | Description |
|---|---|
| Date | Timestamp for the activity. |
| Name | Name of the activity, for example the name of the file or process. |
| Suspicions/MalOps | Icon and number indicating whether the activity is associated with one or more suspicions or MalOps. |
| Operation | Operation performed by the item, for example Modification Time for a File Element. |
| Description | Details about the item, such as the file path, whether a connection is incoming or outgoing, or the type of detection. |
| Element Type | The activity Element type. Values are the Cybereason Elements listed above (Connection, Detection Events, Driver, File, FileAccessEvent, LogonSession, MalopProcess, Msrpc, Process, QuarantineFile, RegistryEvent, Scheduled Task). |
Access the Machine Timeline
You access the Machine Timeline screen when inspecting a process on a single machine. You can open the Machine Timeline screen for a specific event from the Investigation and Attack Tree screens:
From results in the Investigation screen
Click the arrow to the left of a result to expand the individual item. Then, do one of the following:
From the Attack Tree screen
Select a process bubble in the Attack Tree view to open the Details pane. Click the View Machine Timeline link in the top section of the pane, under the process name, as shown in the following image:
Example usage
As an analyst, when reviewing the results of an investigation query, you come across a process on a specific machine and want to understand the events that surround the process. Specifically, you are interested in files that were modified within ten minutes before or after the event. To do so, perform the following:
From the Investigation screen, expand the item in the results table to view the individual processes.
Click the Machine Timeline icon.
The Machine Timeline screen opens in a new browser tab and displays activity that occurred on the machine five minutes before and after the selected event.
Filter activity to include file modification events:
Select the filter icon to reveal the Filters pane.
Select the File checkbox under Element Type.
Select the Modification Time checkbox under Operation.
Expand the time frame by selecting +-10 min from event creation time in the time frame selector dropdown.
The timeline now lists file modification activity on the machine in the ten minutes before and the ten minutes after the original process event.
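The same selection can be reproduced offline over a CSV export of the timeline (the Export data to a CSV file option above), which is useful when you want to apply the filter to several exports or hand the result to another tool. The script below is an added example, not Cybereason code: it assumes the export carries the six columns listed in the table above (Date, Name, Suspicions/MalOps, Operation, Description, Element Type) with Date in ISO 8601 form and Suspicions/MalOps as a count, and the sample export it parses is constructed for illustration. It applies the page's three filters in turn: the time window (the same 5 to 30 minute steps the UI offers), the Element Type, and the Operation.

```python
"""Reproduce the Machine Timeline filters over a CSV export.

Hypothetical example, not part of the Cybereason product. Column names are
taken from the documentation table; the date format, the Suspicions/MalOps
count format and the operation names other than "Modification Time" are
assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

# The time frames the UI offers (minutes before and after the event).
WINDOW_MINUTES = (5, 10, 15, 20, 25, 30)

# Constructed sample export for illustration; not a real Cybereason CSV.
SAMPLE_EXPORT = r"""Date,Name,Suspicions/MalOps,Operation,Description,Element Type
2024-03-01T10:00:00Z,svchost.exe,0,Creation Time,C:\Windows\System32\svchost.exe,Process
2024-03-01T10:02:30Z,update.dll,1,Modification Time,C:\Users\Public\update.dll,File
2024-03-01T10:07:45Z,203.0.113.7:443,0,Connection,outgoing,Connection
2024-03-01T10:09:10Z,run.vbs,1,Modification Time,C:\Users\Public\run.vbs,File
2024-03-01T10:11:00Z,run.vbs,0,Modification Time,C:\Users\Public\run.vbs,File
2024-03-01T09:55:20Z,Run,1,Modification Time,HKLM\Software\Microsoft\Windows\CurrentVersion\Run,RegistryEvent
"""


def parse_export(text):
    """Parse the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(value):
    """Parse the assumed ISO 8601 UTC timestamp used in the Date column."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def filter_timeline(rows, event_time, minutes=5, element_type=None, operation=None):
    """Keep rows within +/- `minutes` of `event_time`, optionally narrowed by
    Element Type and Operation, sorted by Date like the timeline's default view."""
    if minutes not in WINDOW_MINUTES:
        raise ValueError(f"time frame must be one of {WINDOW_MINUTES} minutes")
    window = timedelta(minutes=minutes)
    kept = []
    for row in rows:
        if abs(parse_date(row["Date"]) - event_time) > window:
            continue  # outside the selected time frame
        if element_type and row["Element Type"] != element_type:
            continue  # Element Type filter
        if operation and row["Operation"] != operation:
            continue  # Operation filter
        kept.append(row)
    return sorted(kept, key=lambda r: r["Date"])


def flagged(rows):
    """Rows tied to at least one suspicion or MalOp (non-zero count column)."""
    return [r for r in rows if int(r["Suspicions/MalOps"] or 0) > 0]


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    event = parse_date("2024-03-01T10:00:00Z")  # the selected process event
    # The worked example from the page: file modifications, +/- 10 minutes.
    for r in filter_timeline(rows, event, 10, "File", "Modification Time"):
        print(r["Date"], r["Name"], r["Description"], r["Suspicions/MalOps"])
```

Widening the window from the default 5 minutes to 10 minutes pulls in the second modification of run.vbs at 10:09:10 while still excluding the one at 10:11:00, which is the behaviour the time frame selector gives you in the UI; `flagged` then isolates the rows that carry a suspicion or MalOp marker for follow-up.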