1.2. UI Overview

This section provides a high-level overview of using the Cyber Triage user interface.

1.2.1. Basic Flow and Navigation

The basic flow of Cyber Triage is:

  • Welcome Page: You will see this when you open the application and it shows you a list of incidents and basic system statistics.

../_images/config_ui_welcome.png

  • Incident: All data is contained in an incident. When you have one open, you’ll see the Incident Dashboard.

../_images/inc_analysis_dash.png

  • Host: From the incident, you can open a host and see its artifacts and results.

../_images/analysis_summary_logon.png

There is a breadcrumb in the upper left. At any point, you can press “[close]” to go up to the previous level.

../_images/config_ui_bread.png

1.2.2. The Welcome Page

When you launch Cyber Triage, you’ll see the Welcome page (it was shown above).

From here, you can:

  • Add, delete, and edit incidents (see Incident Management)

  • Get an overview of system status on the right-hand side.

  • Use the top menu to get the collection tool, options panel, and provide feedback.

  • Search indicators from past incidents (see Global IOC Search)

1.2.3. Incident Dashboard

When you have an incident open, the Incident Dashboard (shown above) is your starting point.

It allows you to:

  • Add and delete hosts in the incident

  • See progress of analysis on the hosts

  • Get an overview of bad items to decide which host to manually review

  • Review a timeline of bad items across all hosts in the incident

You can use this data to decide which host to open and examine.

Incident-level Examination provides more details about what kind of analysis can be performed from this UI.

1.2.4. Host View

Once you open a host, a new navigation menu will be shown.

../_images/analysis_workflow_menu.png

These four phases represent how we suggest you triage a host:

  1. Summary: Get a quick overview of the host so that you know what Cyber Triage has already found, and review the historical user and process behaviors. See Summary Section.

  2. Notable Items: Review a timeline of what Cyber Triage scored as Bad and Suspicious and correct the scores. See Review Notable Items Section.

  3. All Items: Dive into individual artifacts, if you need to. See Examine All Items Section.

  4. Report: Generate reports for humans or machines to use.

The arrows allow you to go back and forth from different views within the host.

There is a lot more documentation in this manual about using each of these interfaces.