Timeline
########

Description
***********

The timeline shows the distribution of threat hunting analytics available in DeepHunter on a timeline graph, across campaigns, for a given endpoint. It highlights possible correlations between events, based on their sequence in the timeline and their storylineID (by clicking on nodes).

.. image:: ../img/timeline.png
   :width: 1500
   :alt: Timeline Analyzer

The timeline module contains a lot of useful information for threat hunters and incident responders:

- **List of matching threat hunting analytics**: By simply looking at the list of threat hunting analytics, the threat hunter can estimate risks and build hypotheses.
- **Weighted score**: The graph on top shows the evolution of the weighted score (cumulative weighted scores, involving the relevance and confidence of each threat hunting analytic).
- **Distribution over time**: Each blue "box" represents events that match the threat hunting analytic on the header row. Having a visual representation of this distribution is useful to build hypotheses (possible correlation of events).
- **Storyline highlights**: Mouse over a "box" to display the storylineID (SentinelOne EDR information) associated with the events matching the threat hunting analytic. All nodes with the same storylineID will be highlighted in red, as shown in the above screenshot.
- **Threats**: Threats (detected by SentinelOne) are shown on a dedicated line. Mouse over threat-related nodes to show the details (threat name, analyst verdict, and confidence level). The storylineID is also gathered for threats.
- **Applications**: The distribution of installed applications is also shown on a dedicated line. It can be used to form hypotheses (e.g., that some events may be generated by an application installed the same day).
- **Host/User**: Machine name, OS, and site name, plus additional information gathered from the Active Directory (`LDAP_* `_ settings) based on the machine username (user, job title, business unit, location).
- **Active Directory**: List of Active Directory groups the user belongs to (information gathered from SentinelOne).
- **App Inventory**: List of installed applications, versions, and installation dates (information gathered from SentinelOne).

How to use the timeline?
************************

- **Search**: Enter an endpoint name in the search field and press ``ENTER``.
- **Compact view**: By default, the view shows as many boxes as necessary for each day. It may happen that several threats are detected on a given day, or several applications are installed the same day. To get a more compact and readable timeline, click on ``compact view`` to limit the timeline to a maximum of 1 box/day.
- **Send to Netview**: Sends the machine name to the `netview `_ module.
- **Single click**: Click on a box to highlight boxes with the same storylineID. Highlighted boxes appear in red.
- **Double click**: Shows a contextual menu with options to inspect the events or the storylineID(s) related to the clicked node, view the trend graph for the selected analytic, or edit the selected analytic in the admin backend.
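The three mechanics described above (boxes per analytic per day with the compact-view limit, the cumulative weighted score curve, and storylineID highlighting) as an added, stand-alone example. This is not DeepHunter's own code: the hits are constructed, and the weighting formula (relevance times confidence) is an assumption, since the page does not state how the two are combined.

```python
from collections import defaultdict

# Constructed sample hits for one endpoint: (analytic, day, storylineID, relevance, confidence).
# Names, dates and 1-5 scores are made up; DeepHunter's real schema is not assumed here.
HITS = [
    ("Encoded PowerShell command line", "2024-03-01", "SL-100", 4, 3),
    ("Encoded PowerShell command line", "2024-03-01", "SL-101", 4, 3),
    ("Certutil used to download a file", "2024-03-01", "SL-100", 5, 4),
    ("New service installed", "2024-03-02", "SL-200", 2, 2),
    ("Encoded PowerShell command line", "2024-03-03", "SL-300", 4, 3),
    ("Scheduled task created", "2024-03-03", "SL-100", 3, 4),
]


def weighted_score(relevance, confidence):
    """Assumed weighting (not DeepHunter's formula): relevance multiplied by confidence."""
    return relevance * confidence


def daily_boxes(hits, compact=False):
    """Boxes per analytic and per day; compact view keeps at most one box per day."""
    boxes = defaultdict(lambda: defaultdict(list))
    for analytic, day, storyline, _, _ in hits:
        boxes[analytic][day].append(storyline)
    if compact:
        return {a: {d: ids[:1] for d, ids in days.items()} for a, days in boxes.items()}
    return {a: dict(days) for a, days in boxes.items()}


def cumulative_score(hits):
    """The curve drawn on top of the timeline: running total of daily weighted scores."""
    per_day = defaultdict(int)
    for _, day, _, relevance, confidence in hits:
        per_day[day] += weighted_score(relevance, confidence)
    total, curve = 0, []
    for day in sorted(per_day):  # ISO dates sort chronologically as strings
        total += per_day[day]
        curve.append((day, total))
    return curve


def same_storyline(hits, storyline):
    """Nodes highlighted in red after clicking a box: every hit sharing its storylineID."""
    return [(analytic, day) for analytic, day, sl, _, _ in hits if sl == storyline]


if __name__ == "__main__":
    for day, total in cumulative_score(HITS):
        print(day, total)
    print(same_storyline(HITS, "SL-100"))
```

Clicking the first box in this sample links a PowerShell hit to the certutil hit on the same day and to a scheduled task two days later, which is exactly the kind of sequence the timeline is meant to surface.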