Investigate Incidents

A single attack event can affect several users or hosts and raise alerts of several different types. Cortex XDR groups the related alerts into an incident. You can track incidents, assign analysts to investigate them, and document the resolution. For a log of all actions analysts take on an incident, see Monitor Administrative Activity.
Use the following steps to investigate an incident:
  1. Select Incidents.
  2. From the Incidents table, locate the incident you want to investigate.
    There are several ways you can filter or sort incidents:
    • Filter the Status column for New incidents to view only the incidents that have not yet been investigated.
    • Sort the Severity column to identify the incidents with the highest threat impact.
    • Filter the Incident Sources column according to the sources that raised the alerts which make up the incident.
    After you locate an incident you want to investigate, right-click it and select View Incident.
    The Incident details page aggregates all alerts, insights, and the affected assets and artifacts from those alerts in a single location. From the Incident details page you can manage the alerts and investigate an event within the context and scope of a threat. Select the pencil icon to edit the incident name and description.
  3. Assign the incident to an analyst.
    Select the assignee (or Unassigned, in the case of a new incident) below the incident description and begin typing the analyst's email address to see automated suggestions. Users must have logged in to the app to appear in the auto-generated list.
  4. Assign an incident status.
    Select the incident status to update it from New to Under Investigation. This indicates which incidents have been reviewed and lets you filter by status in the Incidents table.
  5. Review the details of the incident, such as the alerts and insights related to the event and the affected assets and artifacts.
    • Investigate Key Artifacts.
      Key Artifacts lists the files and file hashes, signers, processes, domains, and IP addresses related to the threat event. Each alert type contains certain key artifacts, and the app weighs and sorts alerts into Incidents based on those key artifacts. Different key artifacts carry different weights according to their impact and the case. The app analyzes the alert type, related causality chains, and key artifacts to determine which incident has the highest correlation with the alert, and the Cortex XDR app groups the alert with that incident.
      The app also displays any available threat intelligence for the artifact. The Threat Intelligence column in the Key Artifacts panel lists the WildFire (WF) verdict associated with each artifact and identifies malware with a red malware icon.
      Right-click a file or process under Key Artifacts to view the entire artifact report from the threat intelligence source, or to:
      • View VirusTotal and AutoFocus reports.
      • Add to Whitelist. Artifacts added to the whitelist are displayed with the whitelist icon.
      • Add to Blacklist. Artifacts added to the blacklist are displayed with the blacklist icon.
    • Investigate Key Assets.
      Key Assets identifies the scope of endpoints and users affected by the threat. Right-click an asset to filter the alerts by that asset.
    • Investigate Alerts.
      Incidents are created only from high or medium severity alerts. Low and informational severity alerts are categorized as insights and are available on the Insights tab. In the incident, review the alerts and, if additional context is required, review the related insights. You can also view high, medium, and low severity alerts in the main Alerts table.
      During your investigation, you can also perform additional management of alerts, which include:
  6. (Optional) Change the incident severity.
    The default severity is based on the highest severity alert in the incident. To manually change the severity, select Actions > Change Incident Severity and choose the new severity. The smaller severity bubble indicates the original severity.
  7. Track and share your investigation progress.
    Add notes or comments to track your investigative steps and any remedial actions taken.
    • Select the Incident Notepad icon to add and edit the incident notes. You can use notes to add code snippets to the incident or to add a general description of the threat.
    • Use comments to coordinate the investigation between analysts and track its progress. Select the comments icon to view or manage comments. Collapse the comment threads for an overview of the discussion. If needed, use Search to find specific words or phrases in the comments.
  8. Resolve the incident.
    After the incident is resolved:
    1. Set the status to Resolved. Select the status from the Incident details page, or select Actions > Change Incident Status.
    2. Select the reason the incident was resolved.
    3. Add a comment that explains the reason for closing the incident.
    4. Select OK.
      The Cortex XDR app no longer adds new alerts to the resolved incident and instead adds incoming alerts to a new incident.
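The grouping rules described in step 5 (alerts join the incident whose key artifacts correlate most strongly; low and informational alerts become insights), the default severity rule in step 6 and the resolution rule in step 8, modelled in Python as an added example that is not Cortex XDR's own code. The artifact weights, the correlation threshold and the sample alerts are constructed assumptions.

```python
# Toy model of the grouping rules this page describes (added example, not
# Cortex XDR's own logic); weights, threshold and sample alerts are assumptions.
from dataclasses import dataclass, field

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}
# Assumed weights: a shared file hash is a stronger link than a shared IP address.
ARTIFACT_WEIGHT = {"sha256": 3.0, "process": 2.0, "domain": 2.0, "ip": 1.0, "signer": 0.5}
MIN_CORRELATION = 2.0  # assumed score an alert needs to join an existing incident

@dataclass
class Alert:
    alert_id: str
    severity: str
    artifacts: set  # key artifacts as (kind, value) pairs

@dataclass
class Incident:
    alerts: list = field(default_factory=list)
    status: str = "New"

    @property
    def key_artifacts(self):
        return set().union(*(a.artifacts for a in self.alerts))
    @property
    def severity(self):  # default severity is the highest alert severity present
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.__getitem__)

def correlation(alert, incident):
    # Weighted overlap between the alert's key artifacts and the incident's.
    return sum(ARTIFACT_WEIGHT[kind] for kind, _ in alert.artifacts & incident.key_artifacts)

def route_alerts(alerts, incidents=(), insights=()):
    incidents, insights = list(incidents), list(insights)
    for alert in alerts:
        if SEVERITY_RANK[alert.severity] < SEVERITY_RANK["medium"]:
            insights.append(alert)  # low and informational alerts never form incidents
            continue
        open_incidents = [i for i in incidents if i.status != "Resolved"]  # resolved stay closed
        best = max(open_incidents, key=lambda i: correlation(alert, i), default=None)
        if best is not None and correlation(alert, best) >= MIN_CORRELATION:
            best.alerts.append(alert)
        else:
            incidents.append(Incident([alert]))  # no strong match: open a new incident
    return incidents, insights
SAMPLE_ALERTS = [  # constructed sample data
    Alert("a1", "medium", {("sha256", "HASH_A"), ("process", "dropper.exe"), ("ip", "198.51.100.7")}),
    Alert("a2", "high", {("sha256", "HASH_A"), ("domain", "c2.example")}),
    Alert("a3", "low", {("ip", "198.51.100.7")}),
    Alert("a4", "medium", {("ip", "198.51.100.7")}),  # an IP alone is too weak a link
]
```

Running `route_alerts(SAMPLE_ALERTS)` yields two incidents (a1 with a2, whose severity becomes high; a4 alone) and one insight (a3); marking the first incident Resolved before routing a further HASH_A alert opens a third incident instead of reopening it.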
