3.3.1. Basic Concepts¶

3.3.1.1. Specifying An Incident Reference Date¶

All hosts in Cyber Triage have a reference date that represents when you were roughly first suspicious about it. By default, it’s the date of collection. When you add a host, you can override it. You should do this only when the collection happens many days or weeks after an alert.

The reference date is used to decide what to collect and what defines “recent changes” or “recent activity”. Activity close to that reference date (before or any time after) will be considered “recent”.

If not explicitly specified, the collection date is used as a reference date.

Cyber Triage uses a 30-day window before the reference date, so if this date is off by a few days, it is not that important.

You should pick this based on data available to you. Do not simply subtract 7 days from every alert because you assume the attack started a week before.

3.3.1.2. Queueing Up Data¶

If you have a Standard Pro or Team version of Cyber Triage, then you can add more than one host at a time. Cyber Triage has a scheduler that will process hosts as resources become available.

You can queue up hosts in two ways:

Many of the “Add Host” UIs will allow you to add multiple files or hosts in a single step. The set of files will get added to the scheduler.
When you add a host and others are already being analyzed, the new host will get added to the scheduler.

Note

You cannot add a “Local Disk” to the queue because there is the risk that the image is unmounted or the removable media is unplugged.

At any point, you can see the status of the queue by pressing the “View Queue and Recent Hosts” dialog from the opening window.

../../_images/import_queue.png — *Incident Dashboard - Queued Data*¶

3.3.1.3. Location of Processing in a Team Deployment¶

If you have a Team deployment, it’s important to understand what work is being performed on the server versus the client:

Client: The client is typically responsible for adding items to the database. Once they are added, the client can be disconnected. Some methods, such as disk images and Cyber Triage Collector files, will allow the server to insert the data.
Server: The artifacts are always analyzed and scored entirely on the server. Once data has been added to the database, the client is no longer needed.

3.3.2. Update Threat Intelligence¶

Some forms of threat intelligence must be configured in the Options panel before you can start the add host process. These include:

Yara (Configure Yara Signatures)
Good/Bad Lists (Configure Bad and Good Lists)

These are applied as soon as data starts coming in. So, ensure they are up to date before adding a data source.