Chain of Events
A Chain of Events is the series of all activities related to a specific alert or incident. It lets an analyst trace the sequence of events, understand the surrounding network activity, and identify what led up to a threat, so that analysis is efficient and informed.
Attack Phases are the steps of a cyberattack and show how far an attack has progressed. Each chain is associated with a current phase:

Attack Phase – Description
Reconnaissance – Information is gathered about potential targets before any penetration attempt, that is, before any action taken to gain unauthorized access to a system or network by exploiting vulnerabilities or weaknesses in security controls.
Weaponization – Tools or malware are developed or acquired to exploit the identified vulnerabilities.
Delivery – The target system is reached for the first time, either by sending malware to it or by exploiting a security weakness.
Exploit – The attacker exploits vulnerabilities to escalate privileges, evade defenses, and gain access to sensitive data within the network.
Control – The attacker establishes a presence across the system and moves through the network to reach valuable resources and sensitive information.
Execute – Data is removed (exfiltrated) from the network.
Maintain – The attacker keeps access to and control of the compromised systems and continues communicating with them to achieve their objectives, carrying out the final stages of the attack depending on their goals.
The Search Form
The search form allows you to filter chains or events by time.
Set the From and To dates to define a timeframe for the chain search. A chain is included if its start timestamp is before the To date and its last activity timestamp is after the From date; in other words, a chain matches whenever any part of its lifetime overlaps the timeframe, so a long-running chain that started before From and was still active after To is included even though neither of its endpoints lies inside the window. You can also filter results by host.
Results
Results display key information, including:
Chain Start Timestamp – when the chain of events began.
Last Activity Timestamp – the most recent activity in the chain.
Host – the IP address or device name involved.
Number of Links – the total number of links currently in the chain.
Current Attack Phase – the phase of the attack associated with the chain.
Last Link – the most recent link in the chain.
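The timeframe rule from the search form and the columns of the Results list, worked through in code. This is an added example, not the product's own code: the Chain/Link data model, the field names, the rule used to derive the current attack phase (the furthest phase reached by any link), the strict reading of "before To" and "after From", and all sample chains are assumptions made for the illustration.

```python
"""Timeframe search and Results rows for chains of events.

Added illustration, not the product's own code: the Chain/Link model, field
names, the rule used for "current attack phase" and all sample data below are
assumptions made for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Attack phases in the order the page lists them, earliest to latest.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploit",
          "Control", "Execute", "Maintain"]


@dataclass
class Link:
    """One step in a chain: the notification category that triggered it,
    when it occurred, and the attack phase it is associated with."""
    timestamp: datetime
    category: str
    phase: str


@dataclass
class Chain:
    chain_id: str
    host: str                       # IP address or device name
    links: List[Link] = field(default_factory=list)

    @property
    def start(self) -> datetime:            # Chain Start Timestamp
        return min(l.timestamp for l in self.links)

    @property
    def last_activity(self) -> datetime:    # Last Activity Timestamp
        return max(l.timestamp for l in self.links)

    @property
    def last_link(self) -> Link:
        return max(self.links, key=lambda l: l.timestamp)


def in_timeframe(chain: Chain, frm: datetime, to: datetime) -> bool:
    """The page's rule: include a chain if it started before To AND was last
    active after From. Read literally, both comparisons are strict, so a chain
    whose last activity falls exactly on From is excluded (assumption)."""
    return chain.start < to and chain.last_activity > frm


def search_chains(chains: List[Chain], frm: datetime, to: datetime,
                  host: Optional[str] = None, newest_first: bool = True) -> List[Chain]:
    """Timeframe filter, optional host filter, then sort by newest/oldest link."""
    hits = [c for c in chains
            if in_timeframe(c, frm, to) and (host is None or c.host == host)]
    return sorted(hits, key=lambda c: c.last_activity, reverse=newest_first)


def result_row(chain: Chain) -> dict:
    """The columns the Results list shows for one chain."""
    return {
        "chain_start": chain.start,
        "last_activity": chain.last_activity,
        "host": chain.host,
        "number_of_links": len(chain.links),
        # Assumption: the chain's current phase is the furthest phase any of
        # its links has reached, not necessarily the phase of the newest link.
        "current_attack_phase": max((l.phase for l in chain.links), key=PHASES.index),
        "last_link": chain.last_link.category,
    }


# --- Constructed sample data (not real alerts) ----------------------------
_t = datetime.fromisoformat
WINDOW_FROM = _t("2024-05-10T00:00")
WINDOW_TO = _t("2024-05-11T00:00")

SAMPLE_CHAINS = [
    # straddles From: started before the window, still active inside it
    Chain("c1", "10.0.0.5", [Link(_t("2024-05-09T22:00"), "Port Scan", "Reconnaissance"),
                             Link(_t("2024-05-10T01:00"), "Suspicious Download", "Delivery")]),
    # entirely inside the window
    Chain("c2", "10.0.0.7", [Link(_t("2024-05-10T06:00"), "Privilege Escalation", "Exploit"),
                             Link(_t("2024-05-10T07:30"), "Lateral Movement", "Control"),
                             Link(_t("2024-05-10T07:45"), "Beacon to External Host", "Maintain")]),
    # spans the whole window: neither endpoint is inside it, yet it is included
    Chain("c3", "10.0.0.5", [Link(_t("2024-05-08T00:00"), "Port Scan", "Reconnaissance"),
                             Link(_t("2024-05-12T00:00"), "Large Outbound Transfer", "Execute")]),
    # last activity exactly on From: excluded under the strict reading
    Chain("c4", "10.0.0.9", [Link(_t("2024-05-09T00:00"), "Port Scan", "Reconnaissance"),
                             Link(_t("2024-05-10T00:00"), "Malware Detected", "Delivery")]),
    # starts after To: excluded
    Chain("c5", "10.0.0.7", [Link(_t("2024-05-11T02:00"), "Port Scan", "Reconnaissance")]),
]

if __name__ == "__main__":
    for c in search_chains(SAMPLE_CHAINS, WINDOW_FROM, WINDOW_TO):
        print(c.chain_id, result_row(c))
```

Running the script lists c3, c2 and c1 (newest last activity first); c4 drops out only because its last activity sits exactly on the From boundary, which is the edge case worth checking against the real product before relying on the literal wording.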
An overview of a selected chain’s inflection points shows the notification category that triggered each link, along with the date and time it occurred. Selecting a notification category provides more detailed information about that inflection point.
Chains can be sorted by newest or oldest link, and up to three chains can be selected in Results for review. The chain highlighted in blue is the default (primary) chain, and its inflection point details are the ones displayed.
Chain of Events Details
Chain Details provides an overview of the selected chains and displays a graph showing the progression of the chain over time.
Each point on the graph represents a set of notifications that belong to the same link and fall within a specific timeframe; a link is a single step in the chain of events. Analyze a point to view additional details about the link: the number of notifications grouped together at that point, the timestamp of the first notification in the grouping, and the timestamp of the last.
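How the graph points described above can be built from raw notifications: group by link, then by a fixed-width time bucket, and record the count and the first and last timestamp of each group. This is an added example, not the product's own code; the one-hour bucket width, the Notification and GraphPoint fields, and the sample notifications are assumptions made for the illustration.

```python
"""Graph points for Chain Details: group a link's notifications by time bucket.

Added illustration, not the product's own code. The bucket width, the
Notification/GraphPoint fields and the sample notifications are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Notification:
    link_id: str          # the link (step in the chain) this notification belongs to
    category: str
    timestamp: datetime


@dataclass
class GraphPoint:
    """One point on the chain graph: the notifications of one link within one bucket."""
    link_id: str
    bucket_start: datetime
    count: int              # how many notifications were grouped at this point
    first_seen: datetime    # timestamp of the first notification in the group
    last_seen: datetime     # timestamp of the last notification in the group


def floor_to_bucket(ts: datetime, width: timedelta) -> datetime:
    """Floor a naive timestamp to the start of its fixed-width bucket."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // width) * width


def build_graph_points(notifications: List[Notification],
                       width: timedelta = timedelta(hours=1)) -> List[GraphPoint]:
    """Group notifications by (link, bucket) and summarise each group as a point.
    Notifications of the same link in different buckets, and of different links
    in the same bucket, become separate points."""
    groups: Dict[Tuple[str, datetime], List[datetime]] = defaultdict(list)
    for n in notifications:
        groups[(n.link_id, floor_to_bucket(n.timestamp, width))].append(n.timestamp)
    points = [GraphPoint(link_id, start, len(ts), min(ts), max(ts))
              for (link_id, start), ts in groups.items()]
    points.sort(key=lambda p: (p.bucket_start, p.link_id))
    return points


# --- Constructed sample notifications (not real alerts) -------------------
_t = datetime.fromisoformat
SAMPLE_NOTIFICATIONS = [
    Notification("link-1", "Port Scan", _t("2024-05-10T00:05")),
    Notification("link-1", "Port Scan", _t("2024-05-10T00:20")),
    Notification("link-1", "Port Scan", _t("2024-05-10T00:50")),
    Notification("link-1", "Port Scan", _t("2024-05-10T01:10")),  # next hour: separate point
    Notification("link-2", "Suspicious Download", _t("2024-05-10T01:15")),  # other link, same hour
    Notification("link-2", "Suspicious Download", _t("2024-05-10T01:40")),
]

if __name__ == "__main__":
    for p in build_graph_points(SAMPLE_NOTIFICATIONS):
        print(p.bucket_start.isoformat(), p.link_id, p.count,
              p.first_seen.time(), p.last_seen.time())
```

The sample yields three points: three Port Scan notifications for link-1 in the 00:00 hour, one more for link-1 in the 01:00 hour, and two Suspicious Download notifications for link-2 in the same 01:00 hour. The bucket width is the knob that decides how many notifications collapse into one point; the product's actual grouping window is not stated on the page.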