The Cyber Triage Workflow
Cyber Triage’s ultimate goal is to get you the key information about an attack as quickly as possible. It does this with a workflow that spans from collection to reporting.
It uses five key phases:
- Collect: Ensure data from endpoints is copied and preserved
- Ingest: Import low-level data and normalize to higher-level information artifacts
- Automated Analysis: Score artifacts using analysis pipelines to highlight evidence
- Assisted Examination: Review findings, understand the scope, and find more evidence
- Report: Generate human and machine readable reports with the findings
Collect Endpoint Data
It’s critical to get access to the endpoint data so that it can be reviewed for evidence. Making a copy also ensures that the data is preserved in case the original gets deleted.
Cyber Triage has its own collection tool, called the Collector. It’s a powerful and adaptive collection tool that will parse key artifacts while running on the live system so that it can find all relevant executables and documents. It collects hundreds of source files and tens of thousands of artifacts.
The Collector is easy to deploy:
- It’s agentless and is only a single executable file
- Can be deployed via EDR, SOAR, or PowerShell
- Results can be sent back to Cyber Triage, uploaded to S3, or saved to a file.
Collection Tools
We recommend that you use our Collector, but Cyber Triage can also import data from other collection tools, including:
- Full disk images
- KAPE and Velociraptor outputs
- Linux UAC
- Logical folders
- Memory images
Ingest and Normalize Artifacts
Cyber Triage simplifies investigations by focusing on high-level “Information Artifacts” instead of low-level “Data Artifacts”.
With Cyber Triage, you can choose to view “Processes” to see what recently ran on the endpoint. With other tools, you have to remember that Prefetch, Amcache, and Security Event ID 4688 each record a past process.
When you add endpoint data into Cyber Triage, it will normalize and merge the low-level artifacts.
This results in less training required and less data to review.
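The normalize-and-merge step described above, as an added example that is not Cyber Triage's own code: three constructed records stand in for what parsers would emit from Prefetch, the Security log (Event ID 4688) and Sysmon (Event ID 1), and each is mapped onto one common "Process" shape and merged with observations of the same path within a few seconds. The field names, the five-second merge window and the sample values are assumptions made for illustration.

```python
"""Added example (not Cyber Triage code): normalize low-level execution
artifacts from different sources into one high-level "Process" artifact.
Record field names, the merge window and all sample values are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ProcessArtifact:
    """High-level information artifact: one program run at one time."""
    path: str                                   # normalized lower-case path
    run_time: datetime                          # UTC
    sources: List[str] = field(default_factory=list)  # low-level artifacts merged in
    user: Optional[str] = None
    parent: Optional[str] = None
    command_line: Optional[str] = None


# Constructed sample input: each dict is one parsed low-level record.
RAW_RECORDS: List[Dict[str, object]] = [
    {"source": "prefetch", "exe": "C:\\Users\\Public\\update.exe",
     "last_run": "2024-05-01T10:15:02Z"},
    {"source": "evtx", "event_id": 4688, "new_process_name": "c:\\users\\public\\UPDATE.EXE",
     "subject_user": "CORP\\jsmith", "creator_process": "c:\\windows\\explorer.exe",
     "time_created": "2024-05-01T10:15:01Z"},
    {"source": "sysmon", "event_id": 1, "image": "C:\\Users\\Public\\update.exe",
     "command_line": "update.exe /quiet", "user": "CORP\\jsmith",
     "parent_image": "C:\\Windows\\explorer.exe", "utc_time": "2024-05-01T10:15:01Z"},
    {"source": "evtx", "event_id": 4688, "new_process_name": "c:\\windows\\system32\\notepad.exe",
     "subject_user": "CORP\\jsmith", "creator_process": "c:\\windows\\explorer.exe",
     "time_created": "2024-05-01T11:00:00Z"},
]

# Different sources rarely share an exact timestamp (Prefetch rounds, logs lag),
# so observations of the same path this close together are treated as one run.
MERGE_WINDOW_SECONDS = 5


def _parse_time(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def _to_process(rec: Dict[str, object]) -> ProcessArtifact:
    """Map one low-level record onto the common Process shape."""
    src = rec["source"]
    if src == "prefetch":
        return ProcessArtifact(str(rec["exe"]).lower(), _parse_time(str(rec["last_run"])), ["prefetch"])
    if src == "evtx" and rec.get("event_id") == 4688:
        return ProcessArtifact(str(rec["new_process_name"]).lower(), _parse_time(str(rec["time_created"])),
                               ["security:4688"], user=rec.get("subject_user"),
                               parent=str(rec.get("creator_process", "")).lower() or None)
    if src == "sysmon" and rec.get("event_id") == 1:
        return ProcessArtifact(str(rec["image"]).lower(), _parse_time(str(rec["utc_time"])), ["sysmon:1"],
                               user=rec.get("user"),
                               parent=str(rec.get("parent_image", "")).lower() or None,
                               command_line=rec.get("command_line"))
    raise ValueError(f"unsupported record: {rec}")


def normalize(records: List[Dict[str, object]]) -> List[ProcessArtifact]:
    """Convert every record, then merge runs of the same path inside the window."""
    merged: List[ProcessArtifact] = []
    for rec in records:
        p = _to_process(rec)
        for m in merged:
            if m.path == p.path and abs((m.run_time - p.run_time).total_seconds()) <= MERGE_WINDOW_SECONDS:
                m.sources.extend(p.sources)
                # Keep the earliest observation and fill in attributes the first source lacked.
                m.run_time = min(m.run_time, p.run_time)
                m.user = m.user or p.user
                m.parent = m.parent or p.parent
                m.command_line = m.command_line or p.command_line
                break
        else:
            merged.append(p)
    return sorted(merged, key=lambda a: a.run_time)


if __name__ == "__main__":
    for proc in normalize(RAW_RECORDS):
        print(proc.run_time.isoformat(), proc.path, proc.user, proc.command_line, proc.sources)
```

The three records for update.exe collapse into a single Process entry that carries the parent and user from the Security log and the command line from Sysmon, which is the point: the examiner reviews one item and sees which low-level sources back it, instead of reconciling three.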
Automated Analysis
The key value of Cyber Triage is its ability to help you focus on the critical artifacts that are relevant to the incident.
Many tools will show you tens of thousands of artifacts. Cyber Triage highlights the tens that you should focus on first.
Cyber Triage uses its automated analysis pipelines to score relevant artifacts as bad or suspicious. These pipelines use modules that rely on:
- Malware scanning from 40+ engines at ReversingLabs
- Sandbox analysis from Recorded Future
- Threat intelligence and IOCs
- Yara rules
- Past cases
These modules make you faster and more thorough because you focus on what matters sooner.
Assisted Examination
Ultimately, you need to decide what is relevant to the incident and understand the scope. Cyber Triage assists you in that process by giving you context and providing recommendations.
Cyber Triage:
- Provides an incident-level view of activity across hosts.
- Correlates artifacts by path and other attributes to quickly find related items. For example, find the web download artifact for a malicious process.
- Recommends additional artifacts when you manually score one as Bad or Suspicious.
- Creates a merged timeline of all activity on the system.
The Team version also allows multiple investigators to collaborate on the same incident at the same time.
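The scoring pipeline from the Automated Analysis section and the path-based correlation and recommendation described in the list above, as one added example that is not Cyber Triage's own code. The artifacts, IOC list and "past case" verdicts are constructed sample data; the three modules, their rules and the Bad/Suspicious severity ordering are assumptions for illustration, not Cyber Triage's actual modules.

```python
"""Added example (not Cyber Triage code): a small scoring pipeline over
normalized artifacts, plus path-based correlation when an item is scored.
Module rules, severity ordering and all sample data are assumptions."""
from typing import Callable, Dict, List, Optional, Tuple

Artifact = Dict[str, object]

# Constructed sample artifacts, as a normalizer might emit them.
# Hashes are illustrative only and do not identify real malware.
ARTIFACTS: List[Artifact] = [
    {"id": 1, "type": "process", "time": "2024-05-01T10:15:01Z",
     "path": "c:\\users\\public\\update.exe", "md5": "44d88612fea8a8f36de82e1278abb02f"},
    {"id": 2, "type": "web_download", "time": "2024-05-01T10:14:40Z",
     "path": "c:\\users\\public\\update.exe", "url": "http://198.51.100.7/update.exe"},
    {"id": 3, "type": "process", "time": "2024-05-01T10:20:00Z",
     "path": "c:\\programdata\\svc\\helper.exe", "md5": "0cc175b9c0f1b6a831c399e269772661"},
    {"id": 4, "type": "process", "time": "2024-05-01T11:00:00Z",
     "path": "c:\\windows\\system32\\notepad.exe", "md5": "92eb5ffee6ae2fec3ad71c777531578f"},
]

# Constructed threat-intel and past-case inputs.
IOC_HASHES = {"44d88612fea8a8f36de82e1278abb02f"}
PAST_CASE_VERDICTS = {"0cc175b9c0f1b6a831c399e269772661": "Suspicious"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# A module looks at one artifact and returns (verdict, reason) or None.
Module = Callable[[Artifact], Optional[Tuple[str, str]]]
SEVERITY = {"Bad": 2, "Suspicious": 1}


def ioc_module(a: Artifact) -> Optional[Tuple[str, str]]:
    """Threat intelligence: a hash on the IOC list is Bad."""
    if a.get("md5") in IOC_HASHES:
        return ("Bad", "hash matches threat-intel IOC")
    return None


def past_case_module(a: Artifact) -> Optional[Tuple[str, str]]:
    """Reuse the verdict an examiner gave the same hash in an earlier case."""
    verdict = PAST_CASE_VERDICTS.get(str(a.get("md5", "")))
    return (verdict, "scored in a past case") if verdict else None


def path_module(a: Artifact) -> Optional[Tuple[str, str]]:
    """Heuristic: programs executed from user-writable directories are Suspicious."""
    if a["type"] == "process" and str(a["path"]).startswith(USER_WRITABLE):
        return ("Suspicious", "executed from a user-writable directory")
    return None


PIPELINE: List[Module] = [ioc_module, past_case_module, path_module]


def score(artifacts: List[Artifact]) -> List[Artifact]:
    """Run every module on every artifact; keep the most severe verdict and every reason."""
    for a in artifacts:
        a["verdict"], a["reasons"] = None, []
        for module in PIPELINE:
            hit = module(a)
            if hit is None:
                continue
            verdict, reason = hit
            a["reasons"].append(f"{module.__name__}: {reason}")
            if SEVERITY[verdict] > SEVERITY.get(a["verdict"], 0):
                a["verdict"] = verdict
    return artifacts


def related_by_path(artifacts: List[Artifact], target: Artifact) -> List[Artifact]:
    """Correlation: other artifacts that share the target's path, such as the
    web download that wrote the file a Bad process ran from."""
    return [b for b in artifacts if b["id"] != target["id"] and b["path"] == target["path"]]


def manual_score(artifacts: List[Artifact], artifact_id: int, verdict: str) -> List[Artifact]:
    """The examiner scores one item; return the correlated items to review next."""
    target = next(a for a in artifacts if a["id"] == artifact_id)
    target["verdict"] = verdict
    target.setdefault("reasons", []).append("examiner: manual score")
    return related_by_path(artifacts, target)


def bad_items_timeline(artifacts: List[Artifact]) -> List[Artifact]:
    """Only the artifacts with a verdict, in time order: what is known about the incident so far."""
    return sorted((a for a in artifacts if a.get("verdict")), key=lambda a: str(a["time"]))


if __name__ == "__main__":
    items = score([dict(a) for a in ARTIFACTS])
    for a in bad_items_timeline(items):
        print(a["time"], a["verdict"], a["path"], a["reasons"])
    for a in manual_score(items, 1, "Bad"):
        print("review next:", a["type"], a.get("url"), a["path"])
```

Each module is independent and only ever raises a verdict, so adding a fourth source of evidence (a sandbox result, a YARA hit) is one more function in PIPELINE; the reasons list is what lets the examiner see why an item was highlighted rather than trusting the verdict blindly.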
Interface Examples
Some example examination interfaces include:
- Logons to look for lateral movement
- IOC Search to identify whether and when indicators were previously seen
- Full Timeline to see all system activity merged together
- Bad Items Timeline to see what is known about the incident so far
- Processes to look for new and suspicious processes
- File Explorer to look for files the attacker created
- Search to find items by path or metadata
Report
Your findings need to be shared with other humans and machines. Cyber Triage has a variety of output formats to support that.
Human readable reports include:
- HTML
- Excel
Machine readable formats include:
- JSON
- Timesketch
- Splunk
Exports
We know you may want to use other DFIR tools in addition to Cyber Triage. We allow you to export all of your collected data in other standard formats.
- All collected files in a ZIP
- All artifacts as CSV
- All hash values as CSV
- All host names as CSV
Our goal is to make sure you can complete your investigations quickly, regardless of how many tools you ultimately use.
Everything You Need to Conduct Thorough and Accurate Investigations
Use the complete Cyber Triage Toolkit to quickly and correctly diagnose an intrusion, explain what happened and why, and to make sure it doesn’t happen again.
Being able to respond quickly to an intrusion and conduct a fast, accurate investigation will limit damage and make everyone breathe a little easier in what can be a very difficult situation.