About Unassociated Items
Unassociated Items are entities in the databases that are not currently linked to any parent entity, such as an Incident, Alert, or Asset. These items remain in their respective databases, which preserves data integrity and keeps them available for future investigations, correlations, or manual cleanup.
Types of Unassociated Items
Unassociated Items can include the following:
Assets
- Assets that are not linked to any Alerts or Incidents.
- These may represent systems that were previously involved in investigations but are no longer actively associated with any ongoing activity.
Accounts
- Accounts that are not linked to any Assets or Incidents.
- These could represent orphaned accounts or those awaiting linkage for better context in investigations.
Indicators of Compromise (IOCs)
- IOCs that are not linked to any Incidents.
- These items may still provide valuable insights for future correlations or detection mechanisms.
Alerts
- Alerts that are not associated with any Incidents or Assets.
- These can represent anomalies or threats that have not yet been triaged or categorized.
Timeline Activities
- Timeline activities represent actions or events recorded during investigations. These entries are stored in the Timeline Database and are typically created within an Incident to ensure proper tracking and organization.
- Unassociated Timeline Activities may arise if they were incorrectly entered or if their associated Incident has been deleted.
Tasks