**To navigate to CIM Module please follow the instructions below:**
**Step 1: Log in to CyTech - AQUILA. *click here -->* [usdc.cytechint.io](https://usdc.cytechint.io/) Step 2: In the left column click Security Automation & SOC Optimization -> Cyber Incident Management (CIM) -> Dashboard** [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-04/zDtYwqk2yt6wigk4-hehe-20.png) --- #### **Cyber Incident Management (CIM): Dashboard** The **Main Dashboard** serves as the central hub for viewing all critical and relevant data associated with this module. It provides a consolidated interface where key **metrics**, **updates**, and **operational insights** are displayed for quick reference and effective monitoring. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/u2XBERHt0Org1Ymy-hehe-97.png) --- ##### **Case Categories** This panel displays and categorizes all cases within your environment that are currently open or in progress. It presents a structured view based on case categories, offering a clear summary of ongoing activity. This allows for efficient tracking, prioritization, and management of active investigations. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-10/UzO643vjZ0vzOK4n-image.png) Upon selecting a category, a new window will automatically open, displaying all cases associated with the selected category. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/3ugg757F9VdpwoxH-hehe-98.png) 1. **Search Bar:** The search bar enables users to locate a specific case by entering the exact case title. Simply type the desired title into the search field to quickly retrieve relevant results. 2. **Filter By & Clear Filter:** This feature enables users to refine the list of cases by applying filters based on Severity and Case Status. Use the Filter By option to display only the cases that match specific criteria. To remove all applied filters and return to the full list of cases, use the Clear Filter option. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-09/LDC89jvHDWfO9aPX-image.png)[](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-09/2PgOOTcPe9U77T8t-image.png) 3. **Case Details:** To access the investigation section of a case, double-click on the case entry. This action will automatically redirect you to the detailed investigation interface for further analysis and review. --- ##### **Overall Risk** Displays system risk severity levels on a scale from **Low** to **Severe** (**0 - 100**), explaining the rationale behind risk classifications and showing the highest severity level present in the system. Clicking on the gauge allows you to view more details about. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/61yPfg0UfIONO8Um-hehe-99.png) --- ##### **Open Cases** Displays the total number of open cyber incident cases, categorized by severity, that are currently being investigated. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/KHjWviz5iNQuoRRa-hehe-100.png) When you click on a category, you will see all the cases that fall under that severity level. For example, as shown in the image above, selecting the “**Guarded Severity**” category will display all cases labeled as guarded severity. --- ##### **Cases Assigned to Me** Shows the number of cyber incident cases specifically assigned to you for investigation and resolution. Clicking on it will open up a small window that will show all the cases assigned under you. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/jMYSzNAZGTH6dDDw-hehe-2026-02-02t104320-647.png) --- ##### **Logs Per Day** Displays daily system logs with a progress bar that tracks storage capacity usage, providing clear insights into daily logging volume and resource consumption. When you click on it, a small window will appear displaying a graph. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/jjunImHCShkCWRwd-hehe-2026-02-02t110349-760.png) --- ##### **Alerts** Display the trends of the detections generated by the system, highlighting potential security incidents that require immediate attention. Clicking on a timeline will open up a small window that will show all the alerts that was recently triggered. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/SO6SBwlHPk3tJZXk-hehe-2026-02-02t111217-041.png) --- ##### **Log Rate** A real-time visualization to display system log generation frequency per second through a dynamic chart, enabling instant monitoring of system activity and resource utilization. Clicking on it will open up a small window that will show the detailed explanation. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/RFZKd6yTgHtERDdL-hehe-2026-02-02t112141-802.png) --- ##### **Log Collector Status** Indicates the current status of the log collector, ensuring that logs are being collected and monitored for any suspicious activity. When you click on it, a small window will appear showing all installed **log collectors** along with their current **status**. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/2GmJDLpRySqg5zP4-hehe-2026-02-02t114933-085.png) Click the **eye icon** next to the log collector name to go to the **Log Collector List** page. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/lepzI6jvY3kNKcg3-hehe-2026-02-02t121530-202.png) In conclusion, this dashboard serves as a centralized operational interface that enhances cybersecurity case management by providing real-time visibility into alerts, active investigations, and unresolved cases. It enables security teams to systematically monitor alert statuses, track ongoing investigations, and identify open cases that have not yet been addressed. Through structured data visualization and status tracking, the dashboard improves workflow prioritization, reduces response time, and ensures that no critical alerts are overlooked. Overall, it strengthens operational oversight, accountability, and incident response efficiency within the security environment.Please refer to the document for the next sub-module: **[CyTech AQUILA - Cyber Incident Management (CIM): Alerts](https://usdc-docs.cytechint.io/books/security-automation-soc-optimization-tOO/page/cytech-aquila-cyber-incident-management-cim-alerts/edit)**
***If you need further assistance, kindly contact our support at [support@cytechint.com](mailto:info@cytechint.com) for prompt assistance and guidance.*** # CyTech AQUILA - Cyber Incident Management (CIM) : Alerts #### **Introduction** **Alerts Dashboard** is a tool that provides real-time security alerts and notifications. It provides a unified view of different types of alerts, categorizing them by severity and type, and displays critical details such as the source of the alert, affected assets, and relevant information. This dashboard enables security teams to quickly assess, prioritize, and respond to potential threats by offering comprehensive insights and plays a crucial role in enhancing situational awareness and streamlining the incident response process. ##### **Alerts Status Types** **Open Alerts:** Alerts awaiting assignment to an analyst for further investigation. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/82ZFGvLtIGOcqa8C-image.png) **Acknowledged Alerts:** Alerts currently in progress and assigned to an analyst for resolution. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/HEYm6T0740qQVfbO-image.png) **Closed Alerts:** Alerts that have been successfully resolved and closed. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/bEsoCzrDGzbYavNp-image.png) ##### **Log Collector Health** Indicates the current status of the log collector, ensuring that logs are being collected and monitored for any suspicious activity. When you click on it, a small window will appear showing all installed **log collectors** along with their current **status**. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/7TUtjbq83E8SPamy-image.png) ##### **Log Source** These are the various systems, applications, or devices that generate data sent into **AQUILA** for indexing, storage, and analysis. These sources provide visibility across infrastructure, applications, and security operations. When selected, a dialog window is displayed showing **all installed log collectors**. You can switch between collectors to view the integrated log sources associated with each one, along with their respective **versions** and **current status**, including whether log ingestion is functioning properly. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/ujRcPNOGs1Nq9OVg-image.png) ##### **Overview** It provides an overview of **alert counts** categorized by **status type**, including the **total number of alerts** and their distribution across **severity levels**. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/LgnZjNihEGrm4pRT-image.png) ##### **Stack By Rule Name** This view displays a **summary of alerts** grouped by their corresponding **detection rules**. At the top of the panel, the total number of alerts is presented. Below this, each rule is listed alongside the count of alerts it has generated. Users can scroll through the list to view additional rules when the number of entries exceeds the visible space. This view enables quick identification of which detection rules are generating the highest volume of alerts, supporting prioritization and investigation activities. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/uilPkhdgET6NGib7-image.png) ##### **Filter by Source and Search box** **Filter by Source:** This dropdown menu allows users to filter alerts based on their originating source. Selecting a specific source will limit the displayed alerts to only those generated by the chosen system or log source, while the default *All* option displays alerts from every available source. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/57z9cOxYiai2eCua-image.png) **Search Alerts**: This text-based search field enables users to query alerts by keywords, rule names, IDs, or other relevant attributes. Entering a search term dynamically filters the alert list, allowing users to quickly identify and focus on alerts of interest. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/YdMeo09lilIgJo9R-image.png) ##### **Alerts Information** **Alerts Table** provides a detailed view of **all alerts**, organized in a tabular format for efficient **monitoring** and **analysis**. Each entry contains the following fields: - **ID**: A unique identifier automatically assigned to each alert. - **Timestamp**: The date and time the alert was generated, displayed in a standardized format. - **Rule Name**: The detection rule that triggered the alert, enabling correlation with specific monitoring logic. - **Risk Score**: A numerical value representing the assessed risk level of the alert. - **Severity**: The severity classification (e.g., low, medium, high, critical) that contextualizes the potential impact of the event. - **Status**: The current workflow state of the alert (e.g., open, acknowledged, closed). - **Source**: The originating source of logs that produced the alert. The table supports pagination to manage larger datasets, with navigation controls located at the bottom of the view. This ensures users can efficiently browse and review alerts when the total number exceeds the displayed entries per page. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/WdYuB2oLhFtOnAS3-image.png) ##### **Create a Case** **Case Creation** involves initiating a new incident case when a security alert is detected. This process includes documenting key details about the alert, categorizing and prioritizing the case based on its severity and impact, and tracking all investigation and response activities. By creating a case, security teams can organize and manage the incident comprehensively, ensuring that all related actions and communications are centralized, which facilitates effective resolution and improves overall incident handling. To create a case, you can opt to choose either to create a case from the Alerts Dashboard or the Case Management Dashboard. **To create a case:** 1. **Select an alert** 2. **Click the create new case button as shown below** Doing so will show a modal where information is required to create a case for investigation [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/rMQuk9AwajhxUwXI-image.png) Once a case has been successfully created, it will show in the Case Management Dashboard as shown below. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/AqsLkvBovFWZFSse-image.png) ##### **Add Alerts to an Existing Case** This feature allows security teams to associate a new alert with an ongoing or previously created incident case. By adding a new alert to an existing case, teams can streamline their investigation and response efforts, correlate related data, and avoid duplicating efforts. **Steps to take:** 1. To add to an existing case, navigate to the Alerts Dashboard 2. Select an alert and click the add to existing case button as shown below 3. Select which existing case is relevant to the alert to add it as an existing case. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/7PR0dFdNTIbyT3df-image.png) ##### **Support Assistance** This button provides direct access to the support portal. When selected, the user is redirected to the designated support page, where the following actions are available: - **Submit a Request**: Clients may create and submit a new support request or error report by providing the necessary details regarding the issue encountered. - **Search Existing Tickets**: Clients can query and review tickets they have previously submitted, allowing them to track the status and resolution progress of ongoing requests. This feature ensures that users can promptly report errors and access updates on existing support cases without leaving the Alerts interface. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/sI7CTqUxR1PkBWtT-image.png) After pressing the icon, it will redirect you to the submit a ticket page where you can submit a ticket and be assisted at your module. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/86EPK36x0Xj1bynb-image.png) In conclusion, the **Cyber Incident Management: Alerts** plays a critical role in strengthening organizational security operations by providing a structured and systematic approach to threat detection, analysis, response, and remediation. It enhances real-time monitoring capabilities, streamlines incident classification and escalation processes, and ensures efficient coordination among security teams. By centralizing incident data and enabling faster decision-making, the module reduces response time, minimizes potential impact, and improves overall operational resilience. Ultimately, it reinforces the organization’s cybersecurity posture by ensuring proactive risk mitigation, regulatory compliance, and continuous improvement in incident handling procedures.Please refer to the document from the previous sub-module: [CyTech AQUILA - Cyber Incident Management (CIM): Dashboard](https://usdc-docs.cytechint.io/books/security-automation-soc-optimization-tOO/page/cytech-aquila-cyber-incident-management-cim-dashboard) Please refer to the document for the next sub-module: [CyTech AQUILA - Cyber Incident Management (CIM): Cases](https://usdc-docs.cytechint.io/books/security-automation-soc-optimization-tOO/page/cytech-aquila-cyber-incident-management-cim-cases)
*If you need further assistance, kindly contact our support at [support@cytechint.com](mailto:info@cytechint.com) for prompt assistance and guidance.* # CyTech AQUILA - Cyber Incident Management (CIM): Cases #### **Introduction** **Case Management Dashboard** is a tool that provides a comprehensive overview of security incidents. It offers detailed insights into active and past incidents, including their status, severity, and timeline. The dashboard facilitates investigation and response by integrating real-time alerts, threat intelligence, and collaboration features, while also tracking performance metrics and compliance. This centralized approach enhances the efficiency of managing and resolving security incidents, ensuring timely and effective responses to mitigate risks and improve overall security posture. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/hGBa41vD9r2hb8Dj-image.png) #### **Workflow Stages** **1. Tier 1 – Initial Triage Cases** - - **SOC Role**: *Tier 1 Analyst (Junior Analyst / Alert Triage)*. - **Purpose**: These cases represent **low-level alerts** or **first-line detections** that require quick review and initial triage. - **Activities**: - Validate whether the alert is a *false positive* or *true positive*. - Collect basic context (e.g., user, host, timestamp, IP address). - Escalate to Tier 2 if suspicious behavior is confirmed. - **Example from Dashboard**: - *O365 – Access Request Created (Low severity)*. - **Outcome**: Often resolved at Tier 1 if clearly benign, otherwise escalated. --- **2. Tier 2 – Investigation Cases** - - **SOC Role**: *Tier 2 Analyst (Intermediate / Incident Responder)*. - **Purpose**: These are **guarded alerts** requiring **deeper investigation** and contextual analysis. - **Activities**: - Correlate the alert with other logs or events (threat hunting, SIEM searches). - Investigate user behavior, process execution, network activity. - Assess potential adversary techniques (e.g., MITRE ATT&CK mapping). - **Example from Dashboard**: - *Unusual Network Activity from a Windows System Binary*. - *Attempts to Brute Force Microsoft 365 User Account*. - **Outcome**: If confirmed malicious, escalated to Tier 3 for containment and response. --- **3. Tier 3 – Advanced Investigation / Threat Containment** - - **SOC Role**: *Tier 3 Analyst (Senior Incident Responder / Threat Hunter)*. - **Purpose**: These are **high-complexity or high-risk cases** requiring advanced analysis and incident response expertise. - **Activities**: - Perform in-depth forensic analysis. - Identify persistence, lateral movement, or exfiltration attempts. - Contain compromised systems or accounts. - Recommend remediation actions (patching, isolating endpoints, resetting credentials). - **Example from Dashboard**: - *Suspicious Network Activity to Internet by Unknown Executable*. - *System Network Connections Discovery*. - **Outcome**: Leads to confirmed incident reports, escalation to management, or remediation workflows. --- **4. Pending – Escalated to Vendor/Support** - - **SOC Role**: *Escalation Analysts / Vendor Support*. - **Purpose**: Cases flagged here are **awaiting validation or support from the vendor**. This stage ensures: - Validation of unusual detections. - Vendor-side investigation (e.g., signature tuning, false positive confirmation). - Guidance from product experts. - **Example from Dashboard**: - *Anomaly in User Download Activity (High severity)* pending Client validation. - **Outcome**: Case is updated and either closed, tuned, or sent back to SOC for action. --- **5. Closed – Resolved or Dismissed Cases** - - **SOC Role**: *Any Tier but validated and approved before closure*. - **Purpose**: Contains all cases that are **resolved, dismissed as false positives, or remediated**. - **Activities**: - Document final analysis and resolution steps. - Mark case as *False Positive*, *True Positive – Remediated*, or *Informational*. - Archive for compliance, auditing, and reporting. - **Outcome**: Closes the incident lifecycle. Closed cases can still be reviewed for reporting and lessons learned. ##### **Operational Workflow in SOC Terms** 1. **Detection → Tier 1** triages incoming alerts. 2. **Validation → Tier 2** investigates and correlates data. 3. **Escalation → Tier 3** performs deep analysis and containment. 4. **External Escalation → Pending** for vendor validation/support. 5. **Closure → Closed** with full documentation and resolution notes. ##### **Search and Date Filtering** The **Case Management** interface provides filtering and search capabilities to streamline case navigation and improve analyst efficiency. These functions enable analysts to quickly locate specific cases or limit the view to a defined time range. **Search Bar** - **Location**: Positioned at the top-left of the Case Management interface. - **Purpose**: Enables analysts to perform keyword-based searches across all available cases within the board. - **Functionality**: - Accepts free-text input such as **case IDs**, **rule names**, **case titles**, or **descriptive terms**. - Returns a filtered set of cases that match the entered criteria. - Supports rapid retrieval of specific cases without manual scrolling through case columns. - **Use Case in SOC Operations**: - Analysts can locate a case associated with a particular user or alert type during triage. - Facilitates targeted investigation by narrowing down large datasets to a manageable subset. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/fD9m8H8ZLye6FXMm-image.png) **Date Filter** - **Location**: Displayed in the top-right section of the Case Management interface, adjacent to the “Create New Case” button. - **Purpose**: Allows analysts to filter cases based on a specified date range. - **Functionality**: - Provides a selectable calendar input with predefined and custom ranges (e.g., “**01 Jan 24 – 31 Dec 25**”). - Adjusts the case board to display only cases that fall within the chosen timeframe. - Ensures time-specific investigations can be conducted efficiently. - **Use Case in SOC Operations**: - Supports incident review during a specified monitoring period (e.g., weekly/monthly threat activity reviews). - Enables correlation of cases to a known attack campaign or investigation window. - Assists with compliance reporting by extracting cases within regulatory audit timelines. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/ms9Nez6j6ISVtmzX-image.png) ##### **Create New Case and Support** The **Case Management** interface includes two primary action buttons located at the top-right of the screen: **Create New Case** and **Support**. These options enable analysts to initiate new investigations and provide clients with direct access to technical support resources when required. **Create New Case** - **Purpose**: Enables analysts to manually initiate and document a new security case. - **Functionality**: - When selected, the system displays a form where analysts can input case details, including title, description, severity, and assigned users. - Once submitted, the new case appears within the appropriate case column (e.g., ***Tier 1***) for tracking and escalation. - **Use Case in SOC Operations**: - Allows analysts to proactively log incidents that may not have been automatically generated by alerts. - Facilitates documentation of investigations that originate from external intelligence sources, manual threat hunting, or analyst observations. **Support** - **Purpose**: Provides clients with direct access to the support portal for issue resolution and ticket management. - **Functionality**: - When selected, the client is redirected to the **Support page**. - The Support page provides two primary options: 1. **Submit a New Ticket** – Allows clients to report errors, technical issues, or product-related concerns. 2. **Search Existing Tickets** – Enables clients to view and track the status of tickets they have previously submitted. - **Use Case for Clients**: - Allows clients to escalate platform issues or request assistance directly from support. - Provides visibility into both new and ongoing tickets for efficient follow-up. - Ensures that clients can maintain continuity of operations by receiving timely support when technical difficulties arise. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/F8VRXMqWDOUS1Phy-image.png) The Cyber Incident Management (CIM): Cases module serves as a centralized case management system that enables structured handling, tracking, and escalation of security incidents across operational tiers (Tier 1, Tier 2, and Tier 3). It facilitates seamless case transfer and collaboration between analysts, ensuring proper investigation workflows, accountability, and timely resolution. In addition, the module functions as a comprehensive repository of historical cases, providing valuable reference data for recurring or similar incidents across different clients. This historical intelligence supports more accurate analysis, faster root cause identification, and improved response strategies. By maintaining detailed case documentation, escalation records, and investigative findings, the CIM: Cases module enhances operational efficiency, standardizes incident response procedures, and strengthens the overall effectiveness of daily security investigations within the Security Operations Center (SOC).Please refer to the document from the previous sub-module: **[CyTech AQUILA - Cyber Incident Management (CIM): Alerts](https://usdc-docs.cytechint.io/books/security-automation-soc-optimization-tOO/page/cytech-aquila-cyber-incident-management-cim-alerts)** Please refer to the document for the next sub-module: **[CyTech AQUILA - Cyber Incident Management (CIM): Data Explorer](https://usdc-docs.cytechint.io/books/security-automation-soc-optimization-tOO/page/cytech-aquila-cyber-incident-management-cim-data-explorer)**
*If you need further assistance, kindly contact our support at [support@cytechint.com](mailto:info@cytechint.com) for prompt assistance and guidance.* # CyTech AQUILA - Cyber Incident Management (CIM): Data Explorer The **Data Explorer** feature provides a unified view of log ingestion and event details. It combines visual analytics and tabular data to help clients track log volumes, search for specific events, and analyze data patterns over time. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/Y81keWpQQqo25ivA-image.png) ##### **Log Consumption Chart** Displays the volume of logs ingested per hour within a selected timeframe, enabling quick identification of activity spikes, anomalies, and ingestion trends. **Components** - **Date Range Selector** - **Start Date** - **End Date** - **Apply Button**: Refreshes the chart according to the selected timeframe. - **Interval Note**: *(interval: Auto – 1 hour)* – data points are grouped per one-hour intervals. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/IanYvqD8sjw9tk7U-image.png) ##### **Discovery Table** Provides detailed, event-level visibility into ingested logs for analysts. Displays logs that contain comprehensive records of activities and events, enabling analysts to search, filter, and review specific entries for investigation, correlation, and reporting. **Components** - ****Search Bar**:** Allows keyword-based filtering across event records**.** - ****Tabular Columns**:** - **ID** – Unique identifier for each record. - **Timestamp** – Exact date and time the event occurred (e.g., *Sep 25, 2025, 07:59:59 AM*). - **Event Action** – Action performed within the event (e.g., *ListObjects*, *fork*). - **Event Module** – Source module of the event (e.g., *aws*, *endpoint*). - **Source IP** – Origin IP of the event. - **User Name** – User associated with the event. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/Gjwzxc7QHNPPHzFs-image.png) ##### **Functional Insights** **Correlation Between Chart and Table** - The chart provides an aggregated, volume-based overview of logs. - The discovery table provides granular event details, allowing analysts to trace which specific actions contributed to spikes in log activity. **Analyst Use Case** - Analysts can monitor ingestion volumes, then drill down into specific events for deeper investigation. - **Example:** A spike in logs on *09/24/2025 11:00* may be investigated by reviewing the detailed event records in the table. Overall, the Data Explorer sub-domain plays a critical role in strengthening cybersecurity operations through comprehensive log monitoring and analysis.Please refer to the document from the previous sub-module: **[CyTech AQUILA - Cyber Incident Management (CIM): Cases](https://usdc-docs.cytechint.io/books/security-automation-soc-optimization-tOO/page/cytech-aquila-cyber-incident-management-cim-cases)** Please refer to the document for the next sub-module: **[CyTech AQUILA - Cyber Incident Management (CIM): Reports](https://usdc-docs.cytechint.io/books/security-automation-soc-optimization-tOO/page/cytech-aquila-cyber-incident-management-cim-reports)**
*If you need further assistance, kindly contact our support at [support@cytechint.com](mailto:info@cytechint.com) for prompt assistance and guidance.* # CyTech AQUILA - Cyber Incident Management (CIM): Reports The **Reports Dashboard** provides a centralized interface for monitoring, analyzing, and reviewing security tickets and alert activity within a defined date range. It consolidates data into visual charts and categorized metrics, enabling analysts to evaluate incident trends, ticket statuses, and alert sources for more effective decision-making. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/hRqbKbr19AbBcsfF-image.png) ##### **Date Range Selector** Defines the reporting period for all displayed metrics. **Functionality:** - When the user clicks on the **Date Range** field, a calendar pop-up appears. - The calendar allows analysts to specify both **Start Date** and **End Date**. - Predefined quick ranges are available for convenience: - **Today** - **Last 7 Days** - **Last 14 Days** - **Last 30 Days** - **Last 12 Months** - Users can also select custom ranges directly from the calendar by clicking the desired start and end dates. - Once the range is selected, the analyst can either: - **Apply** → Confirm and refresh dashboard data. - **Cancel** → Exit without changes. **Operational Insight:** - Enables analysts to generate **time-bound reports** for specific investigations (e.g., reviewing alerts during a known phishing campaign window). - Quick ranges are useful for standard reporting periods (weekly, monthly, quarterly). - Custom ranges support flexibility when investigating incidents that cross standard reporting boundaries. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/fK3B3ZAEPzdliRAd-image.png) ##### **Incident Created vs Resolved** This graph shows the number of incidents **created** vs. **resolved**, depending on the selected date timeline. - **Visualization:** Line chart with two metrics: - **Created (orange line):** Total number of incidents raised during the reporting period. - **Resolved (green line):** Total number of incidents successfully closed. - **Purpose:** Enables analysts to assess case resolution efficiency compared to incident creation rates. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/ESq6yoMmdFcOkBM9-image.png) ##### **Ticket Severity** This graph displays the distribution of tickets by severity level. - **Visualization:** Donut chart with severity distribution. - **Categories Displayed:** - **Guarded** - **Low** - **Purpose:** Summarizes the severity levels of tickets to help analysts prioritize workload. - **Operational Insight:** A higher proportion of “**Guarded**” severity tickets may signal elevated but manageable risks, requiring proactive monitoring. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/FhT31vsDnnJt6NU2-image.png) ##### **Ticket Category** Breaks down tickets based on their assigned category. - **Visualization:** Donut chart displaying distribution across categories. - **Categories:** - General - Credential Compromise - Malicious Email - Data Breach - Malware - **Purpose:** Provides analysts with visibility into the types of threats most frequently encountered. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/gosC7DkQUu0WL3yw-image.png) ##### **Ticket Status** This graph visualizes the current status of tickets to track resolution progress. - **Visualization:** Bar chart of ticket states. - **Statuses Monitored:** - Open - Pending - In Progress - Closed - **Purpose:** Tracks current case lifecycles, supporting workload balancing and resolution monitoring. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/vGRL1PY9b7SY4UkV-image.png) ##### **Ticket Alert Type** Provides a categorized breakdown of security alerts raised within the system. This helps analysts quickly identify the most frequent or severe types of alerts for prioritization and incident response. The feature also groups tickets by alert type and sorts them based on count, enabling analysts to focus on the most prevalent threats first. **Functionality** - Each alert type is listed in descending order of volume. - A **numerical badge** beside each type shows the number of tickets generated. **Analyst Use Case** - **Prioritization:** Analysts can quickly spot which alert categories are most frequent and critical. - **Trend Identification:** Helps SOC teams track recurring threats, such as repeated port scan attempts or ongoing phishing campaigns. - **Investigation Focus:** Guides where resources should be allocated for further log analysis and incident response. - **Escalation Decisioning:** High-volume or high-severity alert types can be escalated to Tier 2 or Tier 3 SOC analysts. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/Om1zODHtnokkWWTx-image.png) ##### **Alerts Generated Count by Data Source** This section provides a breakdown of security alerts based on their originating data sources. It enables analysts to identify which systems or platforms are contributing the highest number of alerts, supporting more targeted investigation and resource allocation. **Components** - **Total Alerts Generated** Displays the overall count of alerts detected within the selected date range. In the example shown, a total of **100 alerts** were generated. - **Top 3 Alert Sources** Highlights the three primary data sources that generated the most alerts, allowing analysts to quickly focus on the most active or risky environments. - **Treemap Visualization** Graphically represents the distribution of alerts by data source. Each block corresponds to a data source, with the block size proportional to the alert count. - Example: **APM** generated the highest number of alerts (**67**). - **Others** contributed **23** alerts. - Additional sources, including **Microsoft 365**, **Endpoint**, and **Defender**, are shown with smaller proportional segments. **Analyst Use Case** - Prioritize monitoring efforts on high-volume sources such as APM. - Identify unusual spikes in alerts from less active sources. - Allocate investigative resources efficiently across multiple platforms. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/xYdV6SY7GD504J96-image.png) ##### **Alert Comparison: Current vs Previous Period** This section provides a comparative analysis of alerts generated during the current reporting period versus the previous period. The comparison highlights change in alert volume for specific alert types, helping analysts identify trends, anomalies, or shifts in the security landscape. **Components** - **Bar Chart Visualization** - Each bar represents a specific alert type, segmented into two colors: - **Blue**: Alerts generated in the **current period**. - **Yellow**: Alerts generated in the **previous period**. - The length of the segments reflects the alert count, allowing quick visual identification of increases or decreases. **Analyst Use Case** - Identify **reductions in recurring alerts**, which may indicate resolved issues or improved security controls. - Detect **emerging threats** when new alert types appear or when their frequency increases in the current period. - Support **trend reporting** by comparing shifts in alert patterns over time, enabling better resource planning and proactive defense measures. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/ot6oX8D8cg8Z5xgR-image.png) ##### **SLA** Displays **Service Level Agreement (SLA) compliance**, focusing on key performance metrics such as incident **detection time** and **resolution time**. This allows analysts and SOC teams to measure operational efficiency against defined service targets. The absence of data in the graph indicates that no incidents were recorded during the selected time period. **Components** - **Graph View** - Timeline chart representing SLA performance over a defined period. - Tracks detection and resolution trends for visibility into time-based compliance. - **Metrics Panel** (Right Side) - **Mean Detect Time**: - Current Value: **01:11:56** - Change Compared to Previous Quarter: **0%** - ****Mean Resolve Time**:** - Current Value: **00:00:00** - Change Compared to Previous Quarter: **0%** **Analyst Use Case** - Monitor SLA adherence to ensure timely detection and resolution of incidents. - Identify bottlenecks in the detection-to-resolution cycle. - Provide operational reporting to stakeholders on SOC performance. - Ensure compliance with contractual or organizational SLA requirements. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/UeOgnpFe4kUVsLS0-image.png) ##### **Peaks of Alerts** This visualization highlights time periods with the highest security alert activity. It provides analysts with a temporal view of alert distribution, making it easier to detect spikes, recurring trends, or unusual increases in activity. Alerts are categorized by severity levels such as *Unfiltered, Low, Guarded, Elevated, High,* and *Severe,* with corresponding counts shown for each. By tracking alert peaks over time, this section helps security teams identify periods of heightened risk, allocate resources effectively, and prioritize investigation efforts. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/a2pUMyXTAasqhGvQ-image.png) ##### **Summary Incident Report** This section displays a detailed list of incidents recorded within the selected date range. Each entry includes the **date of occurrence, incident title, case ID, severity level, and current status** (e.g., *Pending* or *Closed*). Incidents are categorized and color-coded by severity, allowing analysts to quickly assess their criticality and prioritize response efforts. The report also supports **export functionality**, enabling users to generate and share incident data for further analysis, auditing, or compliance purposes. This structured summary ensures that all incidents are systematically tracked and monitored, providing visibility into both ongoing and resolved security events. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/8Y1yR7ZAoFYkzCEO-image.png) ##### **Create Report and My Library** The **Reports** module provides users with the ability to generate and manage analytical outputs for security incidents and operational performance. Within this module, two key functions are available: - **Create Report** The **Create Report** function allows users to generate customized reports based on selected parameters such as date range, ticket severity, incident category, or status. This feature is designed to provide flexibility in reporting, enabling analysts and stakeholders to extract meaningful insights tailored to their specific needs. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/xByeyKH0pm0O4eLP-image.png) - **My Library** The **My Library** function serves as a centralized repository where previously generated or saved reports are stored. Users can easily access, review, and manage their collection of reports, ensuring quick retrieval of historical data and consistent tracking of incident trends over time. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/ZDVlZkVguRqHwreR-image.png) Users can also see more information about the report by pressing the eye icon. In this section, they can "**edit the report"** or "**download"** it by pressing the button above. The users can also send it **"via email"** or "**delete"** the report. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/KBz8TKTNUBXMWk5H-image.png) Together, these functions provide both the **flexibility to create new reports** and the **convenience of accessing saved outputs**, supporting continuous monitoring, analysis, and decision-making.Please refer to the document from the previous sub-module: [CyTech AQUILA - Cyber Incident Management (CIM): Data Explorer](https://usdc-docs.cytechint.io/books/security-automation-soc-optimization-tOO/page/cytech-aquila-cyber-incident-management-cim-data-explorer) Please refer to the document for the next sub-module: [CyTech AQUILA - Cyber Incident Management (CIM): Alert Rules](https://usdc-docs.cytechint.io/books/security-automation-soc-optimization-tOO/page/cytech-aquila-cyber-incident-management-cim-alert-rules)
*If you need further assistance, kindly contact our support at [support@cytechint.com](mailto:info@cytechint.com) for prompt assistance and guidance.* # CyTech AQUILA - Cyber Incident Management (CIM): Alert Rules The **Alert Rules** section provides centralized management of alert rules assigned to various log sources. This module enables administrators and analysts to review, configure, and monitor rules that generate alerts for security and operational events. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/JKr4ELYT8VogMoGd-image.png) ##### **Header Summary** - **Total Alert Rules**: Displays the total number of alert rules configured in the system. - **Active Alert Rules**: Shows the number of rules currently active and monitoring events. - **Critical Rules**: Highlights the subset of rules categorized as critical, requiring immediate attention. ##### **Search and Filter** - The **Search** bar allows users to quickly locate specific alert rules by entering keywords. - The **Filter** option enables users to refine results based on categories or parameters, ensuring efficient navigation in environments with a large number of rules. ##### **Integrations** *(Under Development)* - The **Integrations** menu provides options for connecting alert rules with integrated platforms or data sources, ensuring seamless rule application across multiple systems. ##### **Add Alert Rule** - The **Add Alert Rule** button allows users to create new alert rules. These can be customized to monitor specific log sources, event patterns, or security indicators. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/MeChHPxqfhiDanyk-image.png) ##### **Alert Rule Listings** - Each listed entry represents a log source with its associated rules. - **Details include**: - **Name of the log source** (e.g., APM, AWS, Active Directory, Azure). - **Version** of the rule set applied. - **Rule count** indicating the total number of rules assigned to that log source. - A link to **View Alert Rules**, which opens the detailed configuration and management interface for that specific source. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/xVBtuje27xXIr4at-image.png) Users can also click the Rule to see more details about the alert rules. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/Q5JQFnfpkHSyO5zc-image.png) The users can also Edit Alert Rule by pressing the button. In this section they can adjust the time interval and its risk score or change its severity. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/KSDt8s3PtvJOQwZi-image.png) ##### **Manage Alert Rules** The **Manage Alert Rules** interface provides administrators with a centralized view and management panel for alert rules assigned to a **data source**. This page allows users to search, filter, review, enable/disable, and monitor the execution of a specific alert rule. **Search and Filter** - **Search Bar**: Provides keyword-based searching to quickly locate specific rules. - **Filter Button**: Enables refined filtering of rules based on defined criteria such as severity, status, or log type. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/mUAJxeWXiRMhbmbM-image.png) **Global Toggle Controls** - **Display All Disable**: When enabled, this toggle ensures all disabled rules are displayed. - **Display All Enable**: When enabled, this toggle ensures all enabled rules are displayed. - These global options simplify rule visibility management in environments with large numbers of configured alerts. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/l4Hqme2C5chXeweD-image.png) **Rule Table** The central section of the page displays a table containing all AWS alert rules with associated metadata and controls. Each row corresponds to a specific rule, with the following columns: 1. **Rule** - The rule name is hyperlinked, directing the user to the detailed configuration page for that specific rule [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/5aer1bDmvhpIw2hf-image.png) 2. **Risk Score** - Numerical value representing the calculated risk impact of the rule if triggered. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/j1p6JKGfI7YgzfN8-image.png) 3. **Last Run** - Displays the most recent execution time of the rule. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/rkQ5iouz8Leo1B0u-image.png) 4. **Severity** - Severity levels include: - **Low** (Green) - **Medium** (Yellow) - **High** (Red) [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/CIarQgWjBgkDeNYE-image.png) 5. **Last Response** - Shows the outcome of the most recent rule execution. - Status values include: - **Succeeded** (green indicator) - Potential Failed - Failed [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/p2hl42N3cAPT6YAQ-image.png) 6. **Last Updated** - Provides the timestamp when the rule was last modified. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/E9K8mmRqAetvHqVG-hehe.png) 7. **Enabled/Disabled Toggle** - Each rule has an individual toggle to enable or disable its monitoring function. - Active (enabled) rules are marked in blue, while disabled rules would appear in gray. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/U2Xi0Cf62GDtAHx9-hehe-2.png) This section ensures visibility into how alerts are defined and enforced across environments. By consolidating rule management, it allows administrators to maintain consistency, identify gaps, and prioritize responses effectively.Please refer to the document from the previous sub-module: **[CyTech AQUILA - Cyber Incident Management (CIM): Reports](https://usdc-docs.cytechint.io/books/security-automation-soc-optimization-tOO/page/cytech-aquila-cyber-incident-management-cim-reports)** Please refer to the document for the next sub-module: **[CyTech AQUILA - Cyber Incident Management (CIM): Settings](https://usdc-docs.cytechint.io/books/security-automation-soc-optimization-tOO/page/cytech-aquila-cyber-incident-management-cim-settings)**
*If you need further assistance, kindly contact our support at [support@cytechint.com](mailto:info@cytechint.com) for prompt assistance and guidance.* # CyTech AQUILA - Cyber Incident Management (CIM): Settings This page allows users to configure and manage notification settings within the **CIM (Cyber Intelligence Management)** solution. The interface is organized into multiple sections for streamlined navigation and tailored notification management. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/cB913PMRcYGV8uHx-image.png) ##### **Notification** This main section allows for adjustment of general notification settings: - **Search Bar**: A search field to quickly locate specific notification settings or preferences. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/FLzzHL8zSVxQyr2G-image.png) - **Default Email Notification** - **Description**: Specifies the primary email address where all case creation notifications will be sent by default. This setting does not restrict customization for individual case notifications. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/LN3eHEUuTBvqgHow-image.png) - **Email Input Field**: Placeholder text "example@domain.com" indicates where the default email address is entered. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/tzd42Ex8D73bbZqo-image.png) - **Edit Button**: Allows editing and saving of the default email address for notifications. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/eGAK4cV0IQvPlIhU-image.png) **Case Creation Notification** This sub-section outlines options for notifications when a new case is created: - **Description**: Users can choose notification channels for receiving alerts related to case creation. - **Notification Types**: - **In-App Notification**: Alerts are immediately displayed within the application. Users can quickly access new case details and take required actions. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/AEueHJ7JejvY7ovU-image.png) - **Email**: Detailed notifications about newly created cases are sent to the designated email address. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/jIyp5Hl2mgwfCjhV-image.png) - **SMS**: Text message alerts are dispatched for new cases. This channel is recommended for time-sensitive and urgent updates. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/ziOGbncIB9HGBSyL-image.png) - **Switches**: Each notification method has a toggle switch for enabling or disabling the specific notification type. - **Advanced Settings**: A button labeled "Add Advanced Settings" provides access to Configure Rule pop up when clicked. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/MlSl8SQtsjJrwika-image.png) **Notification Action Configuration** This page is used to configure the details for an existing action in a notification rule within the **CIM (Cyber Intelligence Management)** system. The user is guided through defining core attributes of the notification action, enabling efficient management and customization. **Rule Name** - **Purpose**: Enter the specific name for the notification rule. Example given is "Sample Advanced Notification Settings Title". - **Character Limit**: Allows up to 25 characters, shown as a counter. **Subject** - **Purpose**: Specify a concise subject line for the notification, intended to notify the assigned recipient. - **Character Limit**: 15 characters, displayed as a counter. **Description** - **Purpose**: Provide a detailed description of the rule. This field is for explanatory text supporting clarity on the rule's intent and function. - **Character Limit**: 100 characters, indicated below the field. Clicking **Next** will redirect you to the second page of the configuration. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/1IZQ0nFCocd85IQf-image.png) **Notification Rule Creation** This interface is the second step in the process of configuring actions for a notification rule within the **CIM** platform. It enables administrators to define the specific conditions under which notifications should be sent, as well as the corresponding notification methods. **Rule Condition Configuration** - **When Case is** - **Select Key**: Dropdown to choose a case attribute to evaluate; shown as "Severity". - **Is**: Operator for comparison. - **Select Value**: Dropdown to specify the value for the selected key. - **Add Parameter**: Option to increase rule complexity by adding additional parameters for multi-conditional logic. **Notification Action Specification** - **Notify Using** - **Select Notification**: Dropdown list for choosing the desired notification channel (e.g., email, in-app, SMS). - **Add Parameter**: Option to customize or refine notification actions with additional parameters. **Support Section** - **Purpose**: Provides users with quick access to support resources, assistance, or help documentation related to the Cyber Intelligence Management (CIM) system. - **Functionality**: Typically, clicking this icon would open a support menu, chat widget, or redirect to a help center where users can submit support tickets, search FAQs, or get live assistance. - **Accessibility**: Its prominent placement ensures immediate visibility for users needing assistance without navigating away from the current workspace or settings page. --- ##### **Log Collector List** The **Log Collector List** interface provides administrators with a centralized view for managing and monitoring log collectors. This section is part of the **Settings for CIM** (Cyber Incident Management) module and enables easy configuration, visibility, and operational control of log collectors. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/i2KHdS5fkB2Thaf2-image.png) **Action Controls** - **Add Log Collector** (button): Located on the upper-right corner. This allows administrators to register a new log collector agent into the system. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/li6s7cgqjcYBRvSi-hehe-31.png)To learn more about "Add Log Collector" please refer to this link. **Windows Log Collector Installation**: [Log Collector Installa... | AQUILA Documentations](https://usdc-docs.cytechint.io/books/log-collector-installations/page/log-collector-installation-windows-manual) **Linux Log Collector Installation**: [Log Collector Installa... | AQUILA Documentations](https://usdc-docs.cytechint.io/books/log-collector-installations/page/log-collector-installation-linux-manual) **Mac Log Collector Installation**: [Log Collector Installa... | AQUILA Documentations](https://usdc-docs.cytechint.io/books/log-collector-installations/page/log-collector-installation-mac-manual)
**Log Collector Table** The main section of the page displays a table of log collectors, providing key operational details:| **Column** | **Description** |
| **Agent Name** | Displays the name of the log collector agent. Clickable for detailed view. Example: ***HYDRA-DC***. |
| **Status** | Indicates whether the log collector is currently online or offline. Example: *Offline*. |
| **IP Address** | Shows the network address assigned to the log collector. |
Please refer to this document for troubleshooting: "[AWS Integrations | AQUILA Documentations](https://usdc-docs.cytechint.io/books/system-integrations/page/aws-integrations)"
Users can also uninstall their **Log Collector** or **Unenroll** it by pressing the "⚡" symbol. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/d9O7xu5G7DT2AkHZ-image.png) **Overview Panel** Located on the left side, the **Overview** section provides basic collector details: - **Policy ID** – Displays the unique policy identifier assigned to the log collector. - **Status** – Shows whether the collector is online or offline (e.g., *Offline*). - **Host Name** – Displays the assigned host identifier or network name. - **Platform** – Indicates the operating system platform on which the collector is installed (e.g., *Windows*). **Additional note:** A usage indicator is displayed below, showing the number of log sources currently added relative to the maximum available. Example: *2 out of 254 Log Sources added*. A link is provided (*Add Log Sources*) for extending the configuration. **Integrations Panel** The **Integrations** section lists available integrations assigned to the collector. Each integration includes details and health indicators. **Support Section** - **Purpose**: Provides users with quick access to support resources, assistance, or help documentation related to the Cyber Intelligence Management (CIM) system. - **Functionality**: Typically, clicking this icon would open a support menu, chat widget, or redirect to a help center where users can submit support tickets, search FAQs, or get live assistance. - **Accessibility**: Its prominent placement ensures immediate visibility for users needing assistance without navigating away from the current workspace or settings page. --- ##### **Log Source** The **Log Source** section within **Settings for CIM** provides administrators with a centralized interface for managing available log source integrations. This module enables users to search, review, and add integrations to a Log Agent for log collection and monitoring. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/eqxZWxUfp7b4CXdd-image.png) **Search and Action Controls** - **Search Integration** - Enables keyword searches to quickly locate a specific integration by name or capability. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/LPDt3tvG3xYQ0fa0-image.png) - **Guidelines** - Opens the integration setup documentation and best-practice guidance for configuring integrations with the Log Agent. Use this to review prerequisites, configuration steps, and recommended settings prior to adding an integration. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/K7iHnunuCo6Vt4PX-image.png) - **Request** - Opens a request form or submission workflow to request support for a new integration, report missing functionality, or ask for assistance with an existing integration. This provides a mechanism for users to request extension of available integrations or additional support resources. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/DRNTF8eoqUUASMjC-hehe-36.png)Note: The **Guidelines** and **Request** controls are located at the top-right of the page for convenient access while browsing integrations.
**List of Integrations** This section displays all available integrations supported by the CIM platform. Each integration card includes: - **Integration Name & Version** – Specifies the log source and its current integration version. - **Description** – Briefly describes the purpose and type of logs collected. - **Action Button (Add to Agent)** – Assigns the integration to a Log Agent for log collection. **Support Section** - **Purpose**: Provides users with quick access to support resources, assistance, or help documentation related to the Cyber Intelligence Management (CIM) system. - **Functionality**: Typically, clicking this icon would open a support menu, chat widget, or redirect to a help center where users can submit support tickets, search FAQs, or get live assistance. - **Accessibility**: Its prominent placement ensures immediate visibility for users needing assistance without navigating away from the current workspace or settings page. ##### **Alert Rules** This section of the **Security Operations Center (SOC)** dashboard presents a summary of active alert rules, providing security personnel with a high-level overview of automated detection mechanisms, their recent execution status, and configured severity levels. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/EsY4sCHisCFStomB-image.png) **nteractive Controls** The dashboard is equipped with several interactive elements for filtering and searching the alert rules: - **Search Bar**: A free-text input field located above the table, allowing operators to quickly find specific rules by name, keyword, or other identifiable attributes. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/ed9wFUfKoam1KgMI-image.png) - **Filter Buttons**: A set of toggle buttons, typically found near the search bar, for dynamically filtering the rule set based on their operational state: [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-02/9n7AVebCvYY864mY-image.png) - **Enabled Rules**: When selected, displays only the alert rules that are currently active (indicated by a ✅ in the `Enabled` column). - **Disabled Rules**: When selected, would display rules that have been turned off. **Summary Table** The core of the dashboard is a tabular interface that lists configured alert rules with the following key metadata:| **Column** | **Description** |
|---|---|
| **Rule** | The descriptive name of the automated security detection rule. Names often indicate the specific technique or threat being monitored. |
| **Risk Score** | A numerical value (e.g., 73, 47, 21) associated with each rule, likely representing a relative weight or priority used for overall risk calculation and alert triage. |
| **Last Run** | A timestamp indicating how long ago each rule was last executed. All displayed rules have run within the last 10 minutes, indicating frequent, near-real-time monitoring. |
| **Severity** | The assigned impact level of the alert. The dashboard uses a three-tiered classification: **High**, **Medium**, and **Low**. |
| **Last Response** | The operational status of the rule's most recent execution. The possible states are: • **Succeeded**: The rule executed without errors. • **Partial Failure**: The rule executed but encountered issues with a subset of its tasks or data sources. • **Failed**: The rule execution was unsuccessful. |
| **Last Updated** | The date the rule's logic or configuration was last modified. |
| **Enabled** | A status indicator (✅) confirming that the rule is currently active and monitoring for the specified conditions. It will be grayed out and no check mark if disabled. |
Please refer to the document from the previous sub-module: [CyTech AQUILA - Cyber Incident Management (CIM): Alert Rules](https://usdc-docs.cytechint.io/books/security-automation-soc-optimization-tOO/page/cytech-aquila-cyber-incident-management-cim-alert-rules) [CyTech AQUILA - Cyber Incident Management (CIM): Reports](https://usdc-docs.cytechint.io/books/security-automation-soc-optimization-tOO/page/cytech-aquila-cyber-incident-management-cim-reports) [CyTech AQUILA - Cyber Incident Management (CIM): Data Explorer](https://usdc-docs.cytechint.io/books/security-automation-soc-optimization-tOO/page/cytech-aquila-cyber-incident-management-cim-data-explorer) [CyTech AQUILA - Cyber Incident Management (CIM): Cases](https://usdc-docs.cytechint.io/books/security-automation-soc-optimization-tOO/page/cytech-aquila-cyber-incident-management-cim-cases) [CyTech AQUILA - Cyber Incident Management (CIM): Alerts](https://usdc-docs.cytechint.io/books/security-automation-soc-optimization-tOO/page/cytech-aquila-cyber-incident-management-cim-alerts)
*If you need further assistance, kindly contact our support at [support@cytechint.com](mailto:info@cytechint.com) for prompt assistance and guidance.* # CyTech AQUILA - Endpoint Detection and Response (EDR) ##### **Overview:** AQUILA EDR provides organizations with prevention, detection, and response capabilities with deep visibility for EPP, EDR, SIEM, and Security Analytics use cases across Windows, macOS, and Linux operating systems running on both traditional endpoints and public cloud environments. --- ##### 🔒 **Core Capabilities **| **Protection Type ** | **OS Support ** | **Detect ** | **Prevent** | **Description ** |
| **Malware ** | Windows, macOS, Linux | ✅ | Blocks known malicious executables and scripts at runtime. | |
| **Ransomware ** | Windows | ✅ | Detects rapid file changes and unauthorized encryption activity. | |
| **Memory Threats ** | Windows, macOS, Linux | ✅ | Prevents memory-based attacks like process injection or ROP chains. | |
| **Malicious Behavior ** | Windows, macOS, Linux | ✅ | Stops suspicious techniques such as abnormal child processes or LOLBins. | |
| **Credential Hardening ** | Windows | Enabled | Protects credentials by preventing unauthorized LSASS access. |
| **Event Type ** | **Windows ** | **macOS ** | **Linux ** | **Description ** |
| **API ** | ✅ | – | – | Logs sensitive API calls that may indicate injection or system tampering. |
| **DLL & Driver Load ** | ✅ | – | – | Captures DLL/driver loading to detect unsigned or malicious code injection. |
| **DNS ** | ✅ | – | – | Records DNS queries/responses to spot C2, tunneling, or data exfiltration. |
| **File ** | ✅ | ✅ | ✅ | Monitors file creation, deletion, and modification to detect malware or ransomware. |
| **Network ** | ✅ | ✅ | ✅ | Logs connections, ports, and protocols to uncover C2 traffic or lateral movement. |
| **Process ** | ✅ | ✅ | ✅ | Tracks process execution, parent/child relationships, and suspicious spawns. |
| **Registry ** | ✅ | – | – | Detects persistence or tampering with critical Windows registry keys. |
| **Security ** | ✅ | – | – | Captures login attempts, privilege changes, and policy modifications. |
| **Event Type ** | **Description ** | **Use Case ** | **Example ** |
| **API Events** | Capture system-level API calls made by processes. These events show how applications interact with the OS, libraries, and security-sensitive functions. | Detect process injection, privilege escalation, exploitation attempts, or use of unusual APIs by non-standard processes. | A Microsoft Office process (WINWORD.EXE) invokes VirtualAllocEx and WriteProcessMemory to inject code into another process. |
| **DLL & Driver Load Events** | Record the loading of DLLs into user processes and drivers into the OS kernel. Includes path, signature status, and process context. | Detect unsigned or suspicious DLLs/drivers, DLL search order hijacking, and kernel-level rootkits. | An unsigned driver is loaded during system boot, or a legitimate app loads a DLL from a non-standard directory. |
| **DNS Events ** | Log all DNS lookups and responses, showing which domains are queried and by which process. | Detect C2 callbacks, malware beaconing, DNS tunneling, and suspicious domain resolution. | A process repeatedly queries random subdomains of example\[.\]com, suggesting DGA (Domain Generation Algorithm) use. |
| **File Events ** | Monitor file activity: creation, modification, deletion, renaming, and read access. Includes metadata like file path, hash, and process context. | Detect ransomware encryption, malware staging (dropping executables), tampering with sensitive files, or unauthorized access. | A process writes multiple .encrypted files in rapid succession in a user’s documents folder. |
| **Network Events** | Capture TCP/UDP connections, ports, IPs, protocols, and process responsible. | Detect outbound connections to malicious infrastructure, lateral movement inside a network, or data exfiltration attempts. | PowerShell initiates a connection to a known malicious IP over port 443 with unusual payload size. |
| **Process Events** | Record process lifecycle: creation, termination, parent-child relationships, command-line arguments, and integrity info. | Detect abnormal parent-child chains, privilege escalation, process hollowing/injection, and script-based attacks. | explorer.exe launches powershell.exe with a Base64-encoded command to download a payload. |
| **Registry Events** | Log modifications to Windows Registry, including key creation, deletion, and value changes. | Detect persistence mechanisms, system tampering, and security feature bypasses. | Malware creates HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\malware.exe for auto-start persistence. |
| **Security Events ** | Record security-related activity: authentication attempts, user/group changes, privilege assignments, and policy alterations. | Detect brute force attacks, privilege abuse, unauthorized access, and security control disabling. | Multiple failed login attempts followed by a successful login with a privileged account. |
**To navigate to EDR Module please follow the instructions below:**
In the EDR Module Dashboard, you can monitor the security status of endpoints at a glance. This includes Detection Status, Endpoint Health, Authentication Attempts, Event Activity, and Recurring Offenders.
[](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/oazahGNBXkspBwnx-hehe-51.png) 1. **Detection Status:** - This widget shows the overall security status of the monitored endpoints. It indicates that there are no suspicious activities or malware detected. The green "SECURE" status confirms that the system is not facing any security issues at the moment. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/6NRz5IutG0QbZaBc-hehe-52.png) 2. **Open Endpoint Detections:** - Displays the number of currently active endpoint detections. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/ScOeAPJXTFcAdRFf-hehe-53.png) 3. **Number of Isolated Endpoints:** - Displays the number of endpoints that have been isolated due to detected threats or suspicious activities. The value is 0, indicating that no endpoints have been isolated. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/aTLfuoP8Jc1WifgK-hehe-54.png) 4. **Managed Endpoints:** - Shows a breakdown of the endpoints under management. There is one endpoint marked as "Online" (green), and one is "Offline" (gray). The "Unhealthy" count is 0, which suggests no issues with endpoint health. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/KHMVz4UiZ5CNN75E-hehe-55.png) 5. **Recurring Offenders:** - This widget lists any repeated offenders or recurring threats detected across the endpoints. It shows "No Results Found," meaning there are no repeated malicious activities detected at the moment. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/I8YcQetTQmMScOB5-hehe-56.png) 6. **Authentication:** - Provides a graph showing the number of successful versus failed authentications. As of the latest data, there have been 397 successful authentications and 0 failed attempts, suggesting no authentication issues. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/lmykWRI02DIgYlpe-hehe-58.png) 7. **Events:** - Displays the graphical representation of various system events over time. The chart breaks down different types of events (e.g., "end", "fork", "exec", etc.) that occurred between 08:35 and 09:00. The graph shows how these events fluctuate over time, with certain actions peaking during specific periods. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/FqoB2wOO0FhCuv36-hehe-59.png) #### **Detections**In the **Detections**, you can manage and analyze all detection and alert data. It includes an overview of open, closed, and acknowledged alerts, event activity trends, and detailed alerts with filtering capabilities.
[](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/cqGoH4pGgNEptJZB-hehe-61.png) 1. **Detections** - **Open Alerts** and **Acknowledged Alerts** give you a quick overview of the current alerts that are either unresolved or acknowledged by users. As of now, there are no open or acknowledged alerts. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/2NsB40kBslT6XRRy-image.png) 2. Alert Summary - The **Alerts Summary - 7 Days** section shows a historical overview of detections from the past week. At the moment, it shows no results, indicating no major alerts have been triggered recently. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/QKelZ2j8RWWcDw0e-image.png) 3. **Events Graph** - The **Events graph** visualizes system activity, with each color representing different types of events like “end,” “fork,” “exec,” and “creation.” This graph provides insights into endpoint activity over time, showing fluctuations between 09:00 and 09:45 AM. For example, we can see spikes in events at certain times, allowing you to quickly identify periods of increased activity. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/7KoMlWHETUm7PnKo-image.png) 4. **Alerts Tab** - The **Alerts** section allows you to search for specific alerts using the search bar. This feature helps you quickly locate an alert by its ID, user, or rule name. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/BVR8yYp9BgcItLxQ-hello-1.png) 5. **Events Tab** - The **Events tab** contains detailed logs of endpoint process events, including the user, event action, hostname, source and destination IPs, and timestamps. This tab enables you to investigate and track specific activities and behaviors occurring on endpoints. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/cwzwpgEUDdAifjnW-hello.png) 6. **Activity Filter** - The **Active Filters** allow you to filter the alerts by status (e.g., open, acknowledged, or closed) and endpoint. You can clear any applied filters with the “Clear Filters” button. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/9b3PV7AQ66ZrlDt0-image.png) #### **Endpoints**In the **Endpoints Page**, you can view a general summary of organization’s endpoint security status. This includes metrics such as secured, infected, and isolated endpoints. As of now, there are no infected or isolated endpoints in the system.
[](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/79U8G21huUhDDjUl-hehe-63.png) 1. **Endpoint Security State** - This section provides a summary of the security state of endpoints. It displays the count of endpoints that are secured, infected, and isolated. At the moment, there are 2 secured endpoints, with no infected or isolated endpoints. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/kQttd5LUbg8f8koT-image.png) 2. **Endpoint Health Overview** - The **Endpoint Health** section gives a snapshot of the health status of organization’s endpoints. It shows whether an endpoint is healthy, unhealthy, or offline. Currently, 2 endpoints are listed, with 1 healthy and 1 offline. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/PzndyJ0iXxQQPlUw-image.png) 3. **Endpoint OS Type Distribution** - This section breaks down the operating system types of the endpoints across the network. It helps identify the diversity of operating systems in organization. For instance, 1 endpoint is running Windows, and another is using Linux. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/yEzNtfl2VRjzgg1T-image.png) 4. **Endpoint List** - The **Endpoint List** section shows detailed information about each endpoint within a network. This includes the endpoint name, security status, IP address, MAC address, version, health status, and when it was last seen. At the moment, there are no alerts for compromised or unhealthy endpoints. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/SWz1iYBnAyuR7U7j-hello-3.png) The client can also access further information if they press the eye icon, which is located at the right side of a specific endpoint on the list. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/tbh21MbApKyQaQEV-hehe-65.png) The client can select **Respond** button to **isolate the host** or **initiate a command prompt**. In this section when pressing the **Isolate Host**, a window will pop up asking for a Reason for Isolation. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/GSC7aYhhqJ43rv9O-hehe-68.png) In this section, the Administrator can execute a command. The main commands are Kill Process, Suspend Process, Running Process, Get File, Upload File, Scan. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/RBOjQzQopgJqaYmn-hehe-67.png) **To learn more about Execute Commands, Please Refer to this Link: [AQUILA EDR - Execute C... | AQUILA Documentations](https://usdc-docs.cytechint.io/books/aquila-edr-installation/page/aquila-edr-execute-command-and-response-actions)** 5. **Search Bar** - The **Search Bar** provides an easy way to quickly search for a specific endpoint by its name, IP address, security status, or health. This helps streamline navigation, especially when dealing with a large number of endpoints. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/A0XKBs1eSewufcLh-image.png) 6. **Install Endpoint** - To add new endpoints to the system, click the **Install Endpoint** button. This will start the process of onboarding new devices into a network, allowing them to be tracked and secured like the existing endpoints. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/EuzmxKPD01vg0BxP-hehe-64.png) #### **Control Panel** In the **Control Panel**, you can manage various security settings and configurations for your organization’s endpoints. This section gives you access to several tools for managing **Policies, Manage Endpoints, Trusted Applications, Event Filters, Host Isolation Exception** and **Blocklist**. The control panel helps streamline the process of securing and monitoring endpoints, providing easy access to the most critical settings. ##### **Policy Settings**In the **Policy Settings Page**, you can view and manage organization’s security policies. This includes configuring protection levels for various types of threats, such as malware, ransomware, memory threats, and malicious behavior. Currently, all protection policies are enabled with options to either detect or prevent these security risks across supported operating systems (Windows, Mac, Linux).
[](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/tGAWSr1MFGI6RKQf-hehe-69.png) [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/ls7Ohuq7wO6m5oVA-image.png) [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/RYK4glZBVov7nWmV-image.png) 1. **Policy Settings Overview** - In the **Policy Settings** section, you can manage and view all the security policies set for your organization's endpoints. This section allows you to control and configure various protection levels for different types of security threats. Policies can be applied to endpoints based on their operating system (Windows, Mac, Linux), and enabling these policies can trigger alerts for the respective security events. 2. **Policy Settings Panel** - The **Policy Settings Panel** displays the different types of protection policies in place for your endpoints. Each policy corresponds to a specific security threat, such as malware, ransomware, memory threats, or malicious behavior. You can configure the protection level for each policy by toggling between **Detect** and **Prevent** options. Additionally, a blocklist feature can be enabled or disabled to provide further protection against unwanted software or threats. - - - **Malware Protection**: Enabled with options to Detect or Prevent. - **Ransomware Protection**: Enabled for Windows endpoints with Detect or Prevent options. - **Memory Threat Protection**: Enabled for all operating systems (Windows, Mac, Linux) with Detect or Prevent options. - **Malicious Behavior Protection**: Enabled for all operating systems (Windows, Mac, Linux) with the same detection or prevention options. - Each policy has a toggle switch to enable or disable protection for the corresponding threat, and these settings can be easily modified according to your needs. ##### **Manage Endpoints**In the **Manage Endpoints Page**, you can easily isolate, delete, or add new endpoints to your system. This section provides a quick overview of all your endpoints, including details like the endpoint name, last seen time, operating system, and status. Currently, all protection policies are enabled with options to either detect or prevent security risks across the endpoints in your system.
[](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/umUHppm7GqHIwog0-hehe-70.png) - **Manage Endpoints Overview** - - In the **Manage Endpoints Page**, you can easily isolate, delete, or add new endpoints to your system. This section provides a quick overview of all your endpoints, including details like the endpoint name, last seen time, operating system, and status. - **Endpoint List and Actions** - This section displays a list of all endpoints currently in your network. Each endpoint entry shows the following details: - **Endpoint Name**: Identifies the device in the system. - **Last Seen**: Indicates when the endpoint was last connected to the network. - **Operating System**: Displays the OS of the endpoint (e.g., Linux, Windows). - **Status**: Shows whether the endpoint is currently online or offline. - Each endpoint can be acted upon with available options, such as isolating the host (for security reasons) or uninstalling it from the system. Currently, all endpoints listed are marked as offline. - **Search Endpoint** - The **Search Endpoint** bar at the top allows you to quickly locate specific endpoints in your system by searching for their names or other attributes. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/xXBHtNFkKk2aaQCO-image.png) - **Install Endpoint** - To add new endpoints to your network, click the **Install Endpoint** button. This will allow you to initiate the process of registering new devices to be tracked and managed within your system. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/XLHwJ8GL1ho8Urs2-hehe-71.png)To update an Endpoint, please refer to this document: [CyTech AQUILA - Cyber ... | AQUILA Documentations](https://usdc-docs.cytechint.io/books/security-automation-soc-optimization-tOO/page/cytech-aquila-agent-mass-update-function) Thank you.
##### **Trusted Application Page****In the Trusted Application Page**, you can see an overview of your organization's trusted applications. This section includes the names of the applications, their descriptions, and the last updated time. Currently, there are several trusted applications listed, such as "AQUILA Agent Exception" and "test app2."
- **The Trusted Application Overview** - This provides a list of the currently trusted applications along with their descriptions and the most recent updates. These applications are categorized by the name of the application and a brief description of their purpose. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/1uaJauHbx0tzgWvL-hehe-72.png) - **The Application Details Table** - It displays additional details, including the application name, description, and the timestamp of the last update. This table helps you track which applications are trusted and their associated descriptions. You can also update or remove any trusted application from this section. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/7liwdHOAaHIobh5x-hehe-74.png) - **Add Trusted Application** - This popup allows users to input the **Name** and **Description** of the trusted application. Additionally, it includes a **Conditions** section where you can select an operating system and specify conditions using fields, operators, and values. At the bottom, there are two buttons: **Add Trusted Application** to confirm the addition and **Cancel** to discard the action. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/mZsmLLWFOJtCf76l-hehe-73.png) ##### **Event Filters Page****In the Event Filters Page**, you can assign or manage event filters that define which events should be tracked for your endpoints. Currently, there are no event filters assigned to any of the endpoints, as the section shows the message "No Assigned Event Filters."
[](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/Dz1zNZWT57JrYfbu-hehe-75.png) **Event Filters** - - **The Assign Events Filters Option** allows you to easily configure and apply filters to events, helping you focus on specific types of activities or behaviors across your endpoints. This will enable you to narrow down the event logs to show only relevant information. **The Empty Event Filter Status** - - It shows that no filters have been assigned yet, but it provides a clear call-to-action to add event filters. **Assign Event Filters** - - This section allows users to configure filters that exclude high volume or unwanted events from being written to the EDR (Endpoint Detection and Response) system. It includes fields for the **Name** and **Description** of the event filter, both of which can be filled out with relevant details. Below that, the **Conditions** section lets you select an operating system and apply specific conditions using **Field**, **Operator**, and **Value** to filter events based on certain criteria. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/YOwJd6qb6mgnOJVO-hehe-76.png) ##### **Host Isolation Exception Page****In the Host Isolation Exception Page**, you can see the list of exceptions that allow isolated endpoints to connect to specific IP addresses. This section displays the names of the exceptions, their descriptions, and the most recent update times.
- **The Host Isolation Exception Overview** - This gives you the ability to manage exceptions made to the host isolation policy. Here, you can track any exceptions, that have been made to allow endpoints to access certain IPs. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/ksyMCZ5PbAjgVUd4-hehe-77.png) - **The Exception Details Table** - It lists the exception names, descriptions, and the timestamp of when they were last updated. You can use this table to manage and modify these exceptions, ensuring proper access while maintaining security policies. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/nCnZR8LO3Jyl1jkm-hehe-78.png) - **Add Host Isolation Exception.** - This popup allows users to create exceptions for isolated hosts, enabling them to connect to specific IP addresses. It includes fields for the **Name** of the exception and an optional **Description** to provide additional details. Under **Conditions**, there is a field labeled **Enter IP Address**, where users can specify the IP addresses (IPv4, with optional CIDR) to which the isolated hosts are allowed to connect. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/a5WBYOcJwXxqZtO6-hehe-79.png) ##### **Blocklist**The **Blocklist** page allows you to manage applications that are restricted from running on your endpoints, preventing specified applications from being executed. The page displays a list of blocklisted applications, including their names, descriptions, and the time when each blocklist entry was last updated.
1. **Blocklist Overview** - This section provides an overview of all the blocklist entries. For example, you can view blocklist entries like **Notepad Block - Test**, which prevent specific applications from running on isolated systems, ensuring security is maintained. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/MaVb7d7U7Ofvo3a4-hehe-80.png) 1. **Blocklist Details Table** 1. The **Blocklist Details Table** provides detailed information about each entry, displaying the name of the application, description for additional context, and the time it was last updated. This table allows you to view and manage the entries, ensuring they align with your security policies. You can track the status of each entry and modify them as necessary to maintain proper access control and prevent unwanted applications from running. 2. **Add Blocklist Entry** - When adding a new blocklist entry, a popup window appears allowing you to set up the entry. In this window, you can enter the **Name** of the entry and an optional **Description**. You can also define the **Conditions** by specifying the application and other criteria that should be blocked on your endpoints. [](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/7Q5V3XNWa1owLwHR-hehe-81.png) *If you need further assistance, kindly contact our support at **[support@cytechint.com](mailto:info@cytechint.com)** for prompt assistance and guidance.* # CyTech AQUILA - Security Orchestration, Automation, and Response (SOAR) #### **Overview:** The **SOAR** module helps streamline and enhance security operations by automating responses to security alerts and orchestrating workflows across various tools and systems. It allows for faster incident detection, response, and resolution, ensuring your security team can effectively handle a wide range of incidents without manual intervention. #### **Key Features:** - **Mean Time to Detect:** Displays the average time taken to detect security incidents. Monitoring this metric helps evaluate the efficiency of the system in identifying potential threats. - **Mean Time to Respond:** Tracks the average time required to respond to an incident after it has been detected. This metric ensures that your team is responding quickly to mitigate risks. - **False Positive Rate:** Measures the percentage of alerts that are determined to be false positives. Monitoring this helps reduce unnecessary responses and fine-tune detection rules. - **Total Number of Open Alerts:** Shows the current number of active alerts. This data is crucial for understanding the workload of the security team and prioritizing incident handling. - **Alerts Resolved:** Indicates the total number of alerts that have been resolved, helping track the effectiveness of your response efforts and overall security performance. - **Incident Type by Status:** Provides a breakdown of incidents by their current status (open, in-progress, pending, or closed). This helps track the progress of ongoing investigations and responses. - **Open Alerts Table:** Displays a list of open alerts with detailed information such as alert ID, timestamp, rule name, risk score, and severity. This table allows security teams to prioritize alerts and manage responses efficiently. #### **Pre-requisites** 1. **Access to CyTech - AQUILA** - Only users assigned the **"Owner"** or **"Admin"** role can access the Control Panel page within this module.**To navigate to SOAR Module please follow the instructions below:**
**Note: The name of your Endpoint is using the name of your Personal Computer (PC).**
[](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2026-01/U5M1OurakBQg9l9M-hehe-4.png) Or the client can access the endpoint in the "**Control Panel**" as well to isolate it or uninstall the Endpoint Detection and Response (EDR) but be wary, **Endpoint Detection and Response (EDR)** is a separate application process of the AQUILA Agent Endpoint therefore do not uninstall the **Endpoint Detection and Response (EDR).** If the client decides to uninstall it, please contact ***| **Protection Type ** | **OS Support ** | **Detect ** | **Prevent** | **Description ** |
| **Malware ** | Windows, macOS, Linux | ✅ | Blocks known malicious executables and scripts at runtime. | |
| **Ransomware ** | Windows | ✅ | Detects rapid file changes and unauthorized encryption activity. | |
| **Memory Threats ** | Windows, macOS, Linux | ✅ | Prevents memory-based attacks like process injection or ROP chains. | |
| **Malicious Behavior ** | Windows, macOS, Linux | ✅ | Stops suspicious techniques such as abnormal child processes or LOLBins. | |
| **Credential Hardening ** | Windows | Enabled | Protects credentials by preventing unauthorized LSASS access. |
| **Event Type ** | **Windows ** | **macOS ** | **Linux ** | **Description ** |
| **API ** | ✅ | – | Logs sensitive API calls that may indicate injection or system tampering. | |
| **DLL & Driver Load ** | ✅ | – | Captures DLL/driver loading to detect unsigned or malicious code injection. | |
| **DNS ** | ✅ | – | Records DNS queries/responses to spot C2, tunneling, or data exfiltration. | |
| **File ** | ✅ | ✅ | ✅ | Monitors file creation, deletion, and modification to detect malware or ransomware. |
| **Network ** | ✅ | ✅ | ✅ | Logs connections, ports, and protocols to uncover C2 traffic or lateral movement. |
| **Process ** | ✅ | ✅ | ✅ | Tracks process execution, parent/child relationships, and suspicious spawns. |
| **Registry ** | ✅ | – | – | Detects persistence or tampering with critical Windows registry keys. |
| **Security ** | ✅ | – | – | Captures login attempts, privilege changes, and policy modifications. |
| **Event Type ** | **Description ** | **Use Case ** | **Example ** |
| **API Events** | Capture system-level API calls made by processes. These events show how applications interact with the OS, libraries, and security-sensitive functions. | Detect process injection, privilege escalation, exploitation attempts, or use of unusual APIs by non-standard processes. | A Microsoft Office process (WINWORD.EXE) invokes VirtualAllocEx and WriteProcessMemory to inject code into another process. |
| **DLL & Driver Load Events** | Record the loading of DLLs into user processes and drivers into the OS kernel. Includes path, signature status, and process context. | Detect unsigned or suspicious DLLs/drivers, DLL search order hijacking, and kernel-level rootkits. | An unsigned driver is loaded during system boot, or a legitimate app loads a DLL from a non-standard directory. |
| **DNS Events ** | Log all DNS lookups and responses, showing which domains are queried and by which process. | Detect C2 callbacks, malware beaconing, DNS tunneling, and suspicious domain resolution. | A process repeatedly queries random subdomains of example\[.\]com, suggesting DGA (Domain Generation Algorithm) use. |
| **File Events ** | Monitor file activity: creation, modification, deletion, renaming, and read access. Includes metadata like file path, hash, and process context. | Detect ransomware encryption, malware staging (dropping executables), tampering with sensitive files, or unauthorized access. | A process writes multiple .encrypted files in rapid succession in a user’s documents folder. |
| **Network Events** | Capture TCP/UDP connections, ports, IPs, protocols, and process responsible. | Detect outbound connections to malicious infrastructure, lateral movement inside a network, or data exfiltration attempts. | PowerShell initiates a connection to a known malicious IP over port 443 with unusual payload size. |
| **Process Events** | Record process lifecycle: creation, termination, parent-child relationships, command-line arguments, and integrity info. | Detect abnormal parent-child chains, privilege escalation, process hollowing/injection, and script-based attacks. | explorer.exe launches powershell.exe with a Base64-encoded command to download a payload. |
| **Registry Events** | Log modifications to Windows Registry, including key creation, deletion, and value changes. | Detect persistence mechanisms, system tampering, and security feature bypasses. | Malware creates HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\malware.exe for auto-start persistence. |
| **Security Events ** | Record security-related activity: authentication attempts, user/group changes, privilege assignments, and policy alterations. | Detect brute force attacks, privilege abuse, unauthorized access, and security control disabling. | Multiple failed login attempts followed by a successful login with a privileged account. |
| **DLP Purpose** | **Description** | **DLP Detect** |
|---|---|---|
| **Identify Sensitive Data** | Finds confidential or regulated information (PII, PHI, PCI, IP). | Recognizes sensitive data using patterns, keywords, regex, file classification, or ML. |
| **Protect Against Data Breaches** | Reduces risk from insiders, malware, or accidents. | Alerts on anomalous access or large data movement. |
| **Enforce Security Policies** | Ensures compliance with regulations (GDPR, HIPAA, PCI). | Detects policy violations automatically. |
| **Control Data Flow** | Manages how data moves inside/outside the network. | Detects data movement patterns and unauthorized destinations. |
| **Provide Visibility & Reporting** | Offers logs and insights for audits/investigations. | Detects events and logs all data-related activities. |
| **Category / Purpose** | **Description** | **Detect** |
|---|---|---|
| **Identify System Weaknesses** | Finds flaws in software, or configurations that attackers could exploit. | Scans for outdated software, missing patches, known CVEs. |
| **Assess Security Posture** | Evaluates how secure an environment is against threats. | Runs vulnerability assessments, baseline checks, and compliance scans. |
| **Continuous Monitoring** | Ongoing observation for new or emerging vulnerabilities. | Uses automated scanning, SIEM alerts, threat intelligence feeds. |
| **Risk Prioritization** | Determines which vulnerabilities are most dangerous. | Rates vulnerabilities using CVSS scores and exploit likelihood. |
| Aspect | Elastic Security | CrowdStrike Falcon | Microsoft Defender for Endpoint | SentinelOne Singularity | Bitdefender GravityZone |
|---|---|---|---|---|---|
| **AV-Comparatives 2025 Protection Rate (Real-World + Malware Tests – Full Year Consistency)** | **100% across both cycles** – Only vendor with flawless, unwavering 100% in both categories throughout 2025 (zero compromises) | 99.3% (allowed some compromises in cycles) | 99.1% (allowed compromises) | Not fully in main 2025 Business series (strong elsewhere) | Near-top but not consistent 100% streak |
| **Key 2025 AV-Comparatives Win** | Sole vendor standing: Perfect scores in Real-World (e.g., 461/461 blocked) & Malware – Consistent clean sweep confirmed | Solid but dipped below 100% in key tests | Solid but dipped below 100% | Excellent in other evals, but not the year-long 100% holder | High performer, but Elastic took the consistency crown |
| **Gartner Magic Quadrant 2025 Position** | Not in Leader quadrant (more niche/observability-integrated play) | **Leader** (top for vision & execution) | **Leader** | **Leader** | Visionary / Strong |
| **Gartner Peer Insights Rating (Recent)** | 4.6/5 (smaller review base) | 4.7/5 (3000+ reviews – massive user love) | 4.4/5 (strong Microsoft ecosystem) | 4.7/5 (top-tier automation) | 4.8/5 (excellent value/satisfaction) |
| **MITRE ATT&CK / EPR 2025** | 99.3% effectiveness in EPR (outscored some on detection/response) | 100% in prior rounds, strong but not always top in every metric | Strong integration, but varies | High automation, often elite | Strong prevention |
| **Core Strengths (Elastic Lens)** | **Unmatched prevention consistency** + seamless SIEM/observability integration (ELK stack power for hunting/investigation) – No compromises in tests | Elite AI-driven EDR/XDR, managed hunting, breach prevention king | Deep Windows/Microsoft stack integration, cost-effective bundling | Autonomous AI response, rollback features | Lightweight, top user ratings, balanced prevention |
| **Where Elastic Pulls Ahead** | Pure block rate perfection in AV-Comparatives – If zero misses matter most, Elastic delivered where others didn't | Broader XDR/managed services dominance | Ecosystem lock-in wins for MS shops | Automation kings | Value/performance champ |
| **Potential Drawbacks** | Smaller standalone EDR footprint, setup complexity if not in Elastic ecosystem | Premium pricing, occasional ecosystem lock-in | Non-Windows gaps, occasional misses in tests | Pricing for scale | Less XDR breadth |
| **Best Fit** | Orgs prioritizing **flawless prevention + deep analytics/hunting** (Elastic users win big) | High-risk enterprises wanting top-tier managed EDR | Microsoft-heavy environments | Auto-response heavy setups | Balanced, lightweight needs |
**To navigate to EDR Module please follow the instructions below:**