Getting Started
Trust CenterTourStatusPageSupport

Understanding the Run to Ground Page

Suggest Edits

Once the run to ground query loads, a page that includes an object sightings time table chart at the top and a sightings table on the bottom will be shown. The chart and the table show all original object sightings, all close sightings to the originals, as well as all variant sightings of the originals found in the run to ground query. The chart and the table show corresponding information; the sightings in the chart correspond to the sightings in the table.

Run to Ground Chart

The chart at the top of the page shows all object sightings found in the run to ground across a time table. Objects and they’re malicious likelihood are represented by shape symbols, shape size and coloring in the chart. Sightings that are very close to each other in time will be grouped together in an object sightings group circle.


Object Sightings Symbols:

Individual Close Object Sightings

  • Individual Close object sightings are represented by circles in the chart. The symbols can be either gray, yellow, or red, depending on the object sighting’s malicious likelihood. The individual object sighting is placed in the chart depending on the time it was sighted within your environment.

Original Object Sightings

  • Original object sightings are represented by a blue square in the chart. These are the sightings of the original object selected for the run to ground. The original object sightings are placed in the chart depending on the time they were sighted within your environment.

Variant Object Sightings

  • Variant object sightings to the original object are represented by a pink triangle in the chart. These are sightings of variant objects to the original object selected for the run to ground. The variant object sightings are placed in the chart depending on the time they were sighted within your environment.

Object Sightings Groups

  • In the scenario where multiple object sightings are sighted at the same time or around the same time, they may be placed into object sighting groups in the chart. Object groups are represented with a pulsating circle with a number in the center of the circle that shows the amount of sightings within the group. The coloring of the group circle represents the highest level of malicious likelihood found within the group of objects in the object group.

Time Gaps

  • Hovering over the empty chart space in between 2 object sighting groups will highlight a time gap on the chart. The green highlighted section shows the amount of time that separates the 2 object sighting groups in terms of when they were sighted in your environment.
  • Highlighting the time gap in the chart will also cause the corresponding time gap to be highlighted in the table below.

Individual Object Sighting Selection

  • Individual object sightings can be selected from the chart. Clicking on any individual object sighting on the chart will open the object’s details panel over the bottom of the chart. The panel shows details of the selected object.

Object Sightings Group Selection (Expand Group)

  • Clicking on an object sightings group in the chart will expand the group and zoom in on that specific time range to unveil all object sightings within the group.
  • When a group is expanded, the chart zooms into that specific time range in order to show the individual object sightings belonging to that group. When zoomed in, there will be a time range chip above the chart to indicate the specific time range being focused on. From the chip, you can click the back button to go back to the previous time range as well as collapse the individual objects back into its group view. You can also click the “X” dismiss button to return back to the default time range to see all object sightings/ object sighting groups in the run to ground.
  • You may continue to click into object sighting groups to expand and zoom into a specific time range to see the individual object sightings of that group until the time range narrows down to individual seconds. Once you’ve reached that limit, you will no longer be able to click into and expand object sighting groups.
  • If an object sighting group includes an original object sighting, there will be a blue square symbol to the right of the group circle to indicate its presence.
  • If an object sighting group includes a variant object sighting, there will be a pink triangle symbol to the right of the group circle to indicate its presence.
  • If an object sighting group includes both variant object sightings and original object sightings, there will be both a blue square and a pink triangle to the right of the group circle to indicate their presence.

Click and Drag to Select Specific Time Range

  • Click and drag over a specific range in the chart to select that portion of time range in the chart. When selected, the chart will zoom into the selected portion or time range to focus on all object sightings within that range. A time range chip will appear above the chart to indicate the selection of the specific time range.

Time Delta Reference Line

  • The red line that cuts the chart and lies above a specific object sighting or object sightings group is the time delta reference line. This indicates the original object that is the reference being used to calculate the time deltas across all other sightings. When selected, all other sightings’ time deltas will be calculated with the selected reference’s sighting time as the origin.
  • When there are more than one original object sighting, you will be able to select one of them to be the reference object.

Run to Ground Table

The table under the chart on the page shows all object sightings found in the run to ground across a time table in a table view. The chart and the table show corresponding information; the sightings in the chart correspond to the sightings in the table.

  • Each row represents a specific object sighting found in the run to ground and its details.
  • Each row includes the following columns of information:
    • Hash [SHA256]
    • Object type
    • File type
    • Prevalence
    • Seen at
    • Asset name
    • Time delta
    • Malicious Likelihood
    • File path
    • File name
    • File Size

Time Grap Rows

  • Time gap rows intersect specific parts of the table and the object sightings above and below it in time. The time gap rows correspond with the time gap highlights within the chart above. Hovering over a time gap row in the table will also highlight the time gap in the chart.
  • Each time gap row represents a break in time between the object sightings above and below it. The specific amount of time contained in the gap is called out within the row itself.
  • Clicking on an individual row in the table will open up the object details panel from the bottom of the page. The panel will contain details of the specific object of the sighting you clicked on.

Run to Ground Result Filters

Reference Hash Dropdown

The reference hash dropdown that sits above the chart on the run to ground page allows you to select a reference object sighting as your time delta reference. You can select from any of the original object sightings in the run to ground results.

  • By default, the earliest sighted original object sighting will be selected as the reference object sighting.
  • If there is only one original object sighting in the run to ground results, the dropdown will be disabled.

"Jump to" Dropdown

The “Jump to” dropdown allows you to select a sighting from a list of all original object sightings and variant object sightings from the run to ground and jump to it within the table. This functionality allows you to quickly focus on the specific time range where an interesting object was sighted.


Filtering Options

The filtering options panel for the run to ground results will be open by default when you are directed to the page. The panel can be hidden by clicking on the green double caret icon to the right of the opened panel.
The filterable options are:

  • Assets
  • Prevalence
  • Object type
  • Malicious likelihood

Hide Close Object Sightings

Hide close object sightings to only see all original object sightings and variant object sightings. Click to toggle on/off the “Hide close sightings/Show close sightings” button. When toggled to be hidden, the chart and table will update to only show original object sightings and variant object sightings.

Updated about 14 hours ago