Cortex® XDR™ enables you to track and investigate incidents, assign analysts to investigate, and document the incident resolution. A single attack event can affect several users or hosts and raise alerts of different types; Cortex XDR groups those alerts into one incident. For a record log of all actions taken by analysts in the incident, see Monitor Administrative Activity.
Use the following steps to investigate an incident:
- Navigate to Investigate > Incidents.
- From the Incidents table, locate the incident you want to investigate. Filter and sort your incidents. Recommended ways include:
  - In the Status field, filter for New incidents to view only the incidents that have not yet been investigated.
  - In the Severity field, identify the incidents with the highest threat impact.
  - In the Incident Sources field, filter according to the sources that raised the alerts which make up the incident.
  - In the timestamp fields, such as Last Updated and Creation Time, right-click to Show rows 30 days prior or 30 days after the selected timestamp field value.
  After you locate the incident you want to investigate, right-click it and select View Incident. The Incident details page aggregates all alerts, insights, and affected assets and artifacts from those alerts in a single location. From the Incident details page you can manage the alerts and investigate an event within the context and scope of a threat. Select the pencil icon to edit the incident name and description.
- Assign an incident to an analyst. Select the assignee (or Unassigned in the case of a new incident) below the incident description and begin typing the analyst's email address to see automated suggestions. Users must have logged in to the app to appear in the auto-generated list.
- Assign an incident status. Select the incident status to update it from New to Under Investigation or Resolved. This indicates which incidents have been reviewed and lets you filter by status in the Incidents table.
- Review the details of the incident, such as alerts and insights related to the event, and affected assets and artifacts.
  - Investigate Key Artifacts. Key Artifacts list files and file hashes, signers, processes, domains, and IP addresses that are related to the threat event. Each alert type contains certain key artifacts, and the app weighs and sorts alerts into incidents based on those key artifacts. Different key artifacts carry different weights according to their impact and context. The app analyzes the alert type, related causality chains, and key artifacts to determine which incident has the highest correlation with the alert, and groups the alert with that incident. The app also displays any available threat intelligence for the artifact. The Threat Intelligence column in the Key Artifacts panel lists the WildFire (WF) verdict associated with each artifact and identifies malware with a red malware icon. If WildFire changes the file verdict, the hash verdict in the Cortex XDR incident is updated immediately. If a hash is unknown to WildFire at the time of incident creation, it remains unknown until WildFire reaches a verdict; the new WildFire verdict is then reflected in the incident within 24 hours. If you also integrate additional threat intelligence, this section can display VirusTotal (VT) scores and AutoFocus (AF) tags as well. For additional information, see External Integrations. Right-click a file or process under Key Artifacts to view the entire artifact report from the threat intelligence source.
    - Add to Allow List. Artifacts added to the allow list are marked with an allow list icon.
    - Add to Block List. Artifacts added to the block list are marked with a block list icon.
  - Investigate Key Assets. Key Assets identify the scope of endpoints and users affected by the threat. Right-click an asset to Filter Alerts by that asset, or select Open Asset View to display the host insights.
  - Investigate Alerts. Incidents are created from high or medium severity alerts. Low severity Analytics alerts sometimes also create an incident, depending on the nature of the alert. Low and informational severity alerts are categorized as Insights and are available on the Insights tab. In the incident, review the alerts and, if additional context is required, review the related insights. You can also view high, medium, and low severity alerts in the main Alerts table. During your investigation, you can also perform additional management of alerts, including further analysis, investigation, and administrative response.
- (Optional) Take action on the incident.
  - Change the incident severity. The default severity is based on the highest alert severity in the incident. To manually change the severity, select Actions > Change Incident Severity and choose the new severity. The smaller severity bubble indicates the original severity.
  - Manage the incident score. Select Actions > Manage Incident Score to investigate how the Rule based score was calculated. Listed are the Rule ID, Rule Name, Description, Alert IDs, and the Total Added Score associated with the incident. The table displays all rules that contributed to the incident total score, including rules that have since been deleted; deleted rules appear with a score of N/A. You can override the Rule based score by selecting Set score manually and then Apply to save the change.
  - Change the incident status. Select Actions > Change Incident Status to update the status from New to Under Investigation.
  - Create an exclusion. Select Actions > Create Exclusion to pivot to the Create New Exclusion page.
  - Merge incidents. To merge incidents you think belong together, select Actions > Merge Incidents and enter the ID of the target incident you want to merge the incident into. Incident scoring is managed as follows:
    - Rule Based Score recalculates the incident score to include the merged incident scores.
    - Manual Score lets you enter a score that overrides the rule-based score.
    Incident assignees are managed as follows:
    - If both incidents are assigned: the merged incident takes the target incident assignee.
    - If both incidents are unassigned: the merged incident remains unassigned.
    - If the target incident is assigned and the source incident is unassigned: the merged incident takes the target assignee.
    - If the target incident is unassigned and the source incident is assigned: the merged incident takes the existing (source) assignee.
- Track and share your investigation progress. Add notes or comments to track your investigative steps and any remedial actions taken.
  - Select the Incident Notepad to add and edit the incident notes. You can use notes to add code snippets to the incident or a general description of the threat.
  - Use comments to coordinate the investigation between analysts and track its progress. Select the comments to view or manage them. Collapse the comment threads for an overview of the discussion. If needed, use Search to find specific words or phrases in the comments.
- Resolve the incident. After the incident is resolved:
  - Set the status to Resolved. Select the status from the Incident details page or select Actions > Change Incident Status.
  - Select the reason the incident was resolved.
  - Add a comment that explains the reason for closing the incident.
  - Select OK. The Cortex XDR app no longer adds new alerts to the resolved incident and instead adds incoming alerts to a new incident.
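The Key Artifacts step above describes alerts being weighed and sorted into incidents by the key artifacts they share, with high and medium severity alerts opening incidents and low or informational alerts becoming insights. The following Python model, added here as an illustration and not Cortex XDR's own code or algorithm, shows what such artifact-based correlation looks like in practice: the artifact weights, the correlation threshold, the `Alert`/`Incident` shapes and the sample alerts are all assumptions constructed for this example.

```python
"""Illustrative model of correlating alerts into incidents by shared key artifacts.

Added example, not Cortex XDR code: the artifact weights, the correlation
threshold and the data shapes are assumptions made for this illustration.
"""
from dataclasses import dataclass, field

# Assumed weights: a shared file hash is stronger evidence of one event than a
# shared IP address, which many unrelated alerts may carry.
ARTIFACT_WEIGHTS = {"hash": 5, "process": 3, "domain": 3, "signer": 2, "ip": 1}
MIN_CORRELATION = 3  # assumed: below this score the alert opens a new incident


@dataclass
class Alert:
    alert_id: str
    severity: str        # "high", "medium", "low" or "informational"
    artifacts: dict      # artifact type -> set of values


@dataclass
class Incident:
    incident_id: str
    alert_ids: list = field(default_factory=list)
    artifacts: dict = field(default_factory=dict)

    def add(self, alert):
        """Attach an alert and fold its key artifacts into the incident."""
        self.alert_ids.append(alert.alert_id)
        for kind, values in alert.artifacts.items():
            self.artifacts.setdefault(kind, set()).update(values)


def correlation_score(alert, incident):
    """Weighted count of key artifacts the alert shares with the incident."""
    score = 0
    for kind, values in alert.artifacts.items():
        shared = values & incident.artifacts.get(kind, set())
        score += ARTIFACT_WEIGHTS.get(kind, 0) * len(shared)
    return score


def group_alerts(alerts):
    """Attach each high/medium alert to its best-correlated incident, or open a
    new one; low and informational alerts are routed to insights. (The page notes
    that some low severity Analytics alerts can also open incidents; this model
    leaves that case out.)"""
    incidents, insights = [], []
    for alert in alerts:
        if alert.severity not in ("high", "medium"):
            insights.append(alert.alert_id)
            continue
        best, best_score = None, 0
        for incident in incidents:
            score = correlation_score(alert, incident)
            if score > best_score:
                best, best_score = incident, score
        if best is None or best_score < MIN_CORRELATION:
            best = Incident(f"INC-{len(incidents) + 1}")
            incidents.append(best)
        best.add(alert)
    return incidents, insights


# Constructed sample alerts (not real data).
SAMPLE_ALERTS = [
    Alert("A1", "high", {"hash": {"h-aaa"}, "ip": {"10.0.0.5"}}),
    Alert("A2", "medium", {"hash": {"h-aaa"}, "process": {"powershell.exe"}}),
    Alert("A3", "medium", {"ip": {"10.0.0.5"}}),        # only a weak shared artifact
    Alert("A4", "low", {"domain": {"example.test"}}),   # an insight, not an incident
]

if __name__ == "__main__":
    incidents, insights = group_alerts(SAMPLE_ALERTS)
    for incident in incidents:
        print(incident.incident_id, incident.alert_ids, sorted(incident.artifacts))
    print("insights:", insights)
```

Running the sample groups A1 and A2 into one incident because they share a file hash (weight 5), while A3 shares only an IP address (weight 1, below the threshold) and so opens a second incident; A4 is low severity and lands in insights. When reviewing Key Artifacts in a real incident, the same idea applies in reverse: a strong artifact such as a hash is the reason unrelated-looking alerts were grouped, and a weak one such as a shared IP is the first thing to question when an alert seems misattributed.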
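The Manage the incident score and Merge incidents steps above spell out how the rule-based score is built (a sum of each rule's Total Added Score, with deleted rules still listed as N/A), how a manual score overrides it, and the four assignee outcomes of a merge. The following Python model, added here as an illustration and not Cortex XDR's own code, implements those rules so the outcomes can be checked; the `ScoringRule` and `Incident` field names, the way a manual score is supplied at merge time, and the sample incidents are assumptions constructed for this example.

```python
"""Illustrative model of incident scoring and merge rules as described on this page.

Added example, not Cortex XDR code: the field names, the ScoringRule shape and
the way a manual score is supplied at merge time are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ScoringRule:
    rule_id: str
    rule_name: str
    description: str
    alert_ids: list
    added_score: int
    deleted: bool = False   # deleted rules stay listed but show N/A


@dataclass
class Incident:
    incident_id: str
    assignee: Optional[str] = None
    rules: list = field(default_factory=list)
    manual_score: Optional[int] = None

    def rule_based_score(self):
        """Sum of Total Added Score over rules that still exist."""
        return sum(r.added_score for r in self.rules if not r.deleted)

    def score(self):
        """A manually set score overrides the rule-based score."""
        if self.manual_score is not None:
            return self.manual_score
        return self.rule_based_score()

    def score_breakdown(self):
        """Rows of the Manage Incident Score table: deleted rules show N/A."""
        return [
            (r.rule_id, r.rule_name, r.alert_ids, "N/A" if r.deleted else r.added_score)
            for r in self.rules
        ]


def merge_incidents(target, source, manual_score=None):
    """Merge `source` into `target` following the merge rules on this page."""
    # Scoring: the rule-based score is recalculated over both incidents' rules;
    # passing manual_score instead overrides it (assumed interface).
    target.rules.extend(source.rules)
    target.manual_score = manual_score
    # Assignee: the target's assignee wins when present; otherwise the source's
    # existing assignee carries over; unassigned + unassigned stays unassigned.
    if target.assignee is None:
        target.assignee = source.assignee
    return target


def demo():
    """Constructed sample: an unassigned target incident with one rule, merged
    with an assigned source incident carrying a live rule and a deleted one."""
    target = Incident("INC-100", assignee=None,
                      rules=[ScoringRule("R1", "Lateral movement", "...", ["A1"], 30)])
    source = Incident("INC-101", assignee="analyst@example.test",
                      rules=[ScoringRule("R2", "Credential access", "...", ["A2"], 20),
                             ScoringRule("R3", "Retired rule", "...", ["A3"], 15, deleted=True)])
    return merge_incidents(target, source)


if __name__ == "__main__":
    merged = demo()
    print(merged.incident_id, merged.assignee, merged.score())
    for row in merged.score_breakdown():
        print(row)
```

In the sample the merged incident keeps the source's analyst (target unassigned, source assigned), its rule-based score becomes 30 + 20 = 50, and the retired rule R3 still appears in the breakdown with N/A rather than contributing its 15 points. Passing `manual_score=` to `merge_incidents` models the Manual Score option, which replaces the recalculated value without discarding the rule rows.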