Investigate Incidents

An attack event can affect several users or hosts and raise different types of alerts caused by a single event. You can track incidents, assign analysts to investigate, and document the resolution. For a record log of all actions taken by analysts in the incident, see Monitor Administrative Activity.
Use the following steps to investigate an incident:
  1. Select Incidents.
  2. From the Incidents table, locate the incident you want to investigate.
    There are several ways you can filter or sort incidents:
    • Filter the Status column for New incidents to view only the incidents that have not yet been investigated.
    • Sort the Severity column to identify the incidents with the highest threat impact.
    • Filter the Incident Sources column according to the sources that raised the alerts which make up the incident.
    After you locate an incident you want to investigate, right-click it and select View Incident.
    [Figure: incident-investigation-endpoint.png]
    The Incident details page aggregates all alerts, insights, and affected assets and artifacts from those alerts in a single location. From the Incident details page you can manage the alerts and investigate an event within the context and scope of a threat. Select the pencil icon to edit the incident name and description.
  3. Assign an incident to an analyst.
    Select the assignee (or Unassigned in the case of a new incident) below the incident description and begin typing the analyst’s email address for automated suggestions. Users must have logged into the app to appear in the auto-generated list.
  4. Assign an incident status.
    Select the incident status (incident-status-new.png) to update the status from New to Under Investigation or Resolved, to indicate which incidents have been reviewed and to filter by status in the incidents table.
  5. Review the details of the incident, such as alerts and insights related to the event, and affected assets and artifacts.
    • Investigate Key Artifacts.
      Key Artifacts list files and file hashes, signers, processes, domains, and IP addresses that are related to the threat event. Each alert type contains certain key artifacts, and the app weighs and sorts alerts into Incidents based on the key artifacts. Different key artifacts have different weights according to their impact and case. The app analyzes the alert type, related causality chains, and key artifacts to determine which incident has the highest correlation with the alert, and the Cortex XDR app groups the alert with that incident.
      The app also displays any available threat intelligence for the artifact. The Threat Intelligence column in the Key Artifacts panel lists the WildFire (WF) verdicts associated with each artifact and identifies any malware with a red malware icon. If you also integrate additional threat intelligence, this section can also display VirusTotal (VT) scores and AutoFocus (AF) tags. For additional information, see External Integrations.
      Right-click a file or process under Key Artifacts to view the entire artifact report from the threat intelligence source. The right-click menu offers the following options:
      • View VirusTotal and AutoFocus reports.
      • Add to Allow List. Artifacts added to the allow list are displayed with incident-whitelist.png.
      • Add to Block List. Artifacts added to the block list are displayed with incident-blacklist.png.
      • Open Hash View to display detailed information about the files and processes relating to the hash.
      • Open IP Address View to display detailed information about the IP address.
    • Investigate Key Assets.
      Key Assets identify the scope of endpoints and users affected by the threat. Right-click an asset to Filter Alerts by that asset or Open Asset View to display the host insights.
    • Investigate Alerts.
      Incidents are created through high or medium severity alerts. Low severity Analytics alerts sometimes also create an incident. Low and informational severity alerts are categorized as Insights and are available on the Insights tab. In the incident, review the alerts and, if additional context is required, review the related insights. You can also view high, medium, and low severity alerts in the main Alerts table.
      During your investigation, you can also perform additional management of alerts, which include:
  6. (Optional) Take action on the incident.
    • Change the incident severity.
      The default severity is based on the highest alert in the incident. To manually change the severity, select Actions and then Change Incident Severity, and choose the new severity. The smaller severity bubble indicates the original severity.
      [Figure: incident-severity-manual.png]
    • Change the incident status.
      Select Actions and then Change Incident Status to update the status from New to Under Investigation.
    • Create an exclusion.
      Select Actions and then Create Exclusion to pivot to the Create New Exclusion page.
    • Merge incidents.
      To merge incidents you think belong together, select Actions and then Merge Incidents. Enter the target incident ID you want to merge the incident with. Incident assignees are managed as follows:
      • If both incidents have been assigned, the merged incident takes the target incident assignee.
      • If both incidents are unassigned, the merged incident remains unassigned.
      • If the target incident is assigned and the source incident is unassigned, the merged incident takes the target assignee.
      • If the target incident is unassigned and the source incident is assigned, the merged incident takes the existing (source) assignee.
  7. Track and share your investigation progress.
    Add notes or comments to track your investigative steps and any remedial actions taken.
    • Select the Incident Notepad (incident-note-icon.png) to add and edit the incident notes. You can use notes to add code snippets to the incident or add a general description of the threat.
    • Use the comments to coordinate the investigation between analysts and track the progress of the investigation. Select the comments icon (incident-comment-icon.png) to view or manage comments. Collapse the comment threads for an overview of the discussion. If needed, use Search to find specific words or phrases in the comments.
  8. Resolve the incident.
    After the incident is resolved:
    1. Set the status to Resolved. Select the status from the Incident details page, or select Actions and then Change Incident Status.
    2. Select the reason the incident was resolved.
      [Figure: incident-resolution.png]
    3. Add a comment that explains the reason for closing the incident.
    4. Select OK.
      The Cortex XDR app no longer adds new alerts to the resolved incident and instead adds incoming alerts to a new incident.
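The procedure above describes several pieces of incident logic without showing them together: alerts are grouped into the incident with the highest weighted key-artifact correlation (step 5), low and informational alerts become Insights rather than incidents (step 5), incident severity defaults to the highest alert severity (step 6), merged incidents follow the four assignee rules (step 6), and resolved incidents stop receiving new alerts (step 8). The following toy model, added here as an illustration and not code from Cortex XDR or Palo Alto Networks, puts those rules in one runnable place. The artifact weights, the correlation threshold, the class and function names, and the sample alerts are all constructed for the example; the real product's weights and scoring are not documented on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed weights: the page says artifacts are weighted by impact and case
# but gives no values, so these are illustrative only.
ARTIFACT_WEIGHTS = {"hash": 3.0, "process": 2.0, "domain": 2.0,
                    "signer": 1.5, "file": 1.0, "ip": 1.0}
# Assumed minimum score before an alert joins an existing incident.
MIN_CORRELATION = 2.0
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}
# High/medium alerts create or join incidents; low/informational become Insights.
# (The page notes low-severity Analytics alerts sometimes do too; omitted here.)
INCIDENT_SEVERITIES = {"high", "medium"}


@dataclass
class Alert:
    alert_id: str
    severity: str
    # Key artifacts by kind, e.g. {"hash": {"sha256-A"}, "ip": {"203.0.113.7"}}
    artifacts: Dict[str, Set[str]]


@dataclass
class Incident:
    incident_id: int
    alerts: List[Alert] = field(default_factory=list)
    status: str = "New"
    assignee: Optional[str] = None

    def key_artifacts(self) -> Dict[str, Set[str]]:
        """Union of key artifacts over every alert in the incident."""
        merged: Dict[str, Set[str]] = {}
        for alert in self.alerts:
            for kind, values in alert.artifacts.items():
                merged.setdefault(kind, set()).update(values)
        return merged

    def severity(self) -> str:
        """Default incident severity is the highest alert severity (step 6)."""
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.__getitem__)


def correlation(alert: Alert, incident: Incident) -> float:
    """Weighted count of key artifacts the alert shares with the incident."""
    incident_artifacts = incident.key_artifacts()
    score = 0.0
    for kind, values in alert.artifacts.items():
        shared = values & incident_artifacts.get(kind, set())
        score += ARTIFACT_WEIGHTS.get(kind, 0.0) * len(shared)
    return score


class IncidentStore:
    def __init__(self) -> None:
        self.incidents: List[Incident] = []
        self.insights: List[Alert] = []
        self._next_id = 1

    def ingest(self, alert: Alert) -> Optional[Incident]:
        """Route an alert to Insights or to the best-matching open incident."""
        if alert.severity not in INCIDENT_SEVERITIES:
            self.insights.append(alert)
            return None
        # Resolved incidents never receive new alerts (step 8).
        open_incidents = [i for i in self.incidents if i.status != "Resolved"]
        best: Optional[Incident] = None
        best_score = 0.0
        for incident in open_incidents:
            score = correlation(alert, incident)
            if score > best_score:
                best, best_score = incident, score
        if best is None or best_score < MIN_CORRELATION:
            best = Incident(self._next_id)   # no strong match: open a new incident
            self._next_id += 1
            self.incidents.append(best)
        best.alerts.append(alert)
        return best

    def get(self, incident_id: int) -> Incident:
        return next(i for i in self.incidents if i.incident_id == incident_id)

    def resolve(self, incident_id: int) -> Incident:
        incident = self.get(incident_id)
        incident.status = "Resolved"
        return incident

    def merge(self, target_id: int, source_id: int) -> Incident:
        """Merge source into target using the page's assignee rules: the target
        assignee wins when set; otherwise the source assignee (if any) is kept."""
        target, source = self.get(target_id), self.get(source_id)
        target.assignee = target.assignee or source.assignee
        target.alerts.extend(source.alerts)
        self.incidents.remove(source)
        return target


if __name__ == "__main__":
    store = IncidentStore()   # constructed sample alerts follow
    store.ingest(Alert("a1", "high", {"hash": {"sha256-A"}, "ip": {"203.0.113.7"}}))
    store.ingest(Alert("a2", "medium", {"hash": {"sha256-A"}}))      # joins incident 1
    store.ingest(Alert("a3", "low", {"domain": {"example.test"}}))   # becomes an Insight
    for inc in store.incidents:
        print(inc.incident_id, inc.status, inc.severity(), [a.alert_id for a in inc.alerts])
```

The threshold matters for the edge case the page implies: an alert that shares only a low-weight artifact such as an IP address with an existing incident opens a new incident instead of being pulled into it, and once an incident is resolved, a later alert with a strongly matching hash still lands in a fresh incident rather than reopening the old one.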
