A single attack event can affect several users or hosts and raise several different types of alerts. An incident groups those alerts together so they can be handled as one case.
You can track incidents, assign analysts to investigate, and document the resolution. For a record of all actions taken by analysts in an incident, see Monitor Administrative Activity.
Use the following steps to investigate an incident:
- From the Incidents table, locate the incident you want to investigate. There are several ways you can filter or sort incidents:
  - In the Status column, filter for New incidents to view only the incidents that have not yet been investigated.
  - In the Severity column, identify the incidents with the highest threat impact.
  - In the Incident Sources column, filter according to the sources that raised the alerts which make up the incident.
  After you locate an incident you want to investigate, right-click it and select View Incident. The Incident details page aggregates all alerts, insights, and affected assets and artifacts from those alerts in a single location. From the Incident details page you can manage the alerts and investigate an event within the context and scope of a threat. Select the pencil icon to edit the incident name and description.
- Assign an incident to an analyst. Select the assignee (or Unassigned in the case of a new incident) below the incident description and begin typing the analyst's email address for automated suggestions. Users must have logged into the app to appear in the auto-generated list.
- Assign an incident status. Select the incident status to update it from New to Under Investigation or Resolved, to indicate which incidents have been reviewed and to filter by status in the Incidents table.
- Review the details of the incident, such as alerts and insights related to the event, and affected assets and artifacts.
- Investigate Key Artifacts. Key Artifacts list files and file hashes, signers, processes, domains, and IP addresses that are related to the threat event. Each alert type contains certain key artifacts, and the app weighs and sorts alerts into Incidents based on the key artifacts. Different key artifacts have different weights according to their impact and case. The app analyzes the alert type, related causality chains, and key artifacts to determine which incident has the highest correlation with the alert, and the Cortex XDR app groups the alert with that incident. The app also displays any available threat intelligence for the artifact. The Threat Intelligence column in the Key Artifacts panel lists the WildFire (WF) verdicts associated with each artifact and identifies any malware with a red malware icon. To analyze the WildFire report, see Review WildFire Analysis Details. Right-click a file or process under Key Artifacts to view the entire artifact report from the threat intelligence source.
  - Add to Allow List. Artifacts added to the allow list are displayed with
  - Add to Block List. Artifacts added to the block list are displayed with
- Investigate Key Assets. Key Assets identify the scope of endpoints and users affected by the threat. Right-click an asset to Filter Alerts by that asset.
- Investigate Alerts. Incidents are created from high or medium severity alerts. Low severity Analytics alerts sometimes also create an incident. Low and informational severity alerts are categorized as Insights and are available on the Insights tab. In the incident, review the alerts and, if additional context is required, review the related insights. You can also view high, medium, and low severity alerts in the main Alerts table. During your investigation, you can also perform additional management of alerts, which includes:
- (Optional) Take action on the incident.
  - Change the incident severity. The default severity is based on the highest severity alert in the incident. To manually change the severity, select Actions > Change Incident Severity and choose the new severity. The smaller severity bubble indicates the original severity.
  - Change the incident status. Select Actions > Change Incident Status to update the status from New to Under Investigation.
  - Create an exclusion. Select Actions > Create Exclusion to pivot to the Create New Exclusion page.
  - Merge incidents. To merge incidents you think belong together, select Actions > Merge Incidents. Enter the target incident ID you want to merge the incident with. Incident assignees are managed as follows:
    - If both incidents have been assigned: the merged incident takes the target incident assignee.
    - If both incidents are unassigned: the merged incident remains unassigned.
    - If the target incident is assigned and the source incident is unassigned: the merged incident takes the target assignee.
    - If the target incident is unassigned and the source incident is assigned: the merged incident takes the existing assignee.
- Track and share your investigation progress. Add notes or comments to track your investigative steps and any remedial actions taken.
  - Select the Incident Notepad to add and edit the incident notes. You can use notes to add code snippets to the incident or add a general description of the threat.
  - Use the comments to coordinate the investigation between analysts and track the progress of the investigation. Select the comments to view or manage them. Collapse the comment threads for an overview of the discussion. If needed, use Search to find specific words or phrases in the comments.
- Resolve the incident. After the incident is resolved:
  - Set the status to Resolved. Select the status from the Incident details page or select Actions > Change Incident Status.
  - Select the reason the incident was resolved.
  - Add a comment that explains the reason for closing the incident.
  - Select OK. The Cortex XDR app no longer adds new alerts to the resolved incident and instead adds incoming alerts to a new incident.
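The grouping behaviour described above, where an incoming alert is weighed against the key artifacts of existing incidents, inherits the highest alert severity as its default, and is never attached to a resolved incident, can be modelled in a few dozen lines. The following is an added illustration written for this page, not Cortex XDR's own code: the artifact weights, the correlation threshold, the `INC-n` identifiers and the alert stream are all assumptions constructed for the example, and real incident creation also considers alert type and causality chains, which this model leaves out.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Illustrative weights per key-artifact type (assumed for this example, not
# Cortex XDR's real values): a shared file hash correlates more strongly than
# a shared IP address.
ARTIFACT_WEIGHTS = {"file_hash": 5, "process": 3, "signer": 2, "domain": 3, "ip": 2}
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Alert:
    alert_id: str
    severity: str                       # "high", "medium", "low", "informational"
    key_artifacts: Dict[str, Set[str]]  # artifact type -> values


@dataclass
class Incident:
    incident_id: str
    status: str = "New"                 # New / Under Investigation / Resolved
    alerts: List[Alert] = field(default_factory=list)

    def artifacts(self) -> Dict[str, Set[str]]:
        """Union of key artifacts across all alerts grouped into this incident."""
        merged: Dict[str, Set[str]] = {}
        for alert in self.alerts:
            for kind, values in alert.key_artifacts.items():
                merged.setdefault(kind, set()).update(values)
        return merged

    def severity(self) -> str:
        """Default incident severity: the highest severity among its alerts."""
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.__getitem__)


def correlation_score(alert: Alert, incident: Incident) -> int:
    """Weighted count of key artifacts the alert shares with the incident."""
    known = incident.artifacts()
    return sum(
        ARTIFACT_WEIGHTS.get(kind, 1) * len(values & known.get(kind, set()))
        for kind, values in alert.key_artifacts.items()
    )


class IncidentStore:
    def __init__(self, threshold: int = 3):
        self.incidents: List[Incident] = []
        self.threshold = threshold      # minimum score to join an existing incident
        self._next_id = 1

    def _open(self, alert: Alert) -> Incident:
        incident = Incident(f"INC-{self._next_id}", alerts=[alert])
        self._next_id += 1
        self.incidents.append(incident)
        return incident

    def resolve(self, incident_id: str) -> None:
        next(i for i in self.incidents if i.incident_id == incident_id).status = "Resolved"

    def ingest(self, alert: Alert) -> Optional[Incident]:
        """Group an incoming alert with the best-correlated open incident.

        Resolved incidents never receive new alerts. With no sufficiently
        correlated open incident, a high/medium alert opens a new incident and
        a low/informational alert is left as an insight (returns None).
        """
        best, best_score = None, 0
        for incident in self.incidents:
            if incident.status == "Resolved":
                continue
            score = correlation_score(alert, incident)
            if score > best_score:
                best, best_score = incident, score
        if best is not None and best_score >= self.threshold:
            best.alerts.append(alert)
            return best
        if SEVERITY_RANK[alert.severity] >= SEVERITY_RANK["medium"]:
            return self._open(alert)
        return None


def run_demo() -> Dict[str, Optional[str]]:
    """Feed a constructed alert stream through the store; returns alert -> incident id."""
    store = IncidentStore()
    stream = [  # constructed sample alerts; hashes, domain and IP are placeholders
        Alert("A1", "high", {"file_hash": {"sha256-constructed-aaa"}, "domain": {"c2.example"}}),
        Alert("A2", "medium", {"ip": {"198.51.100.7"}, "domain": {"c2.example"}}),
        Alert("A3", "low", {"process": {"updater.exe"}}),
        Alert("A4", "high", {"file_hash": {"sha256-constructed-bbb"}}),
    ]
    placed: Dict[str, Optional[str]] = {}
    for alert in stream:
        incident = store.ingest(alert)
        placed[alert.alert_id] = incident.incident_id if incident else None
    # Resolving INC-1 stops further grouping into it: a later alert that shares
    # its artifacts opens a fresh incident instead.
    store.resolve("INC-1")
    late = Alert("A5", "medium", {"domain": {"c2.example"}})
    placed["A5"] = store.ingest(late).incident_id
    placed["INC-1 severity"] = store.incidents[0].severity()
    return placed
```

In the demo, A2 joins INC-1 because the shared domain alone reaches the assumed threshold, A3 has no overlap and stays an insight, A4 opens INC-2, and A5, although it shares a domain with INC-1, lands in a new INC-3 because INC-1 has been resolved. Tuning the threshold down makes grouping more aggressive (fewer, larger incidents); tuning it up keeps unrelated alerts apart at the cost of more incidents to triage.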