Manage Incidents

Investigate and manage your incidents.
The Incidents view allows you to track incidents, investigate incident details, and take remedial action. Navigate to Investigation > Incidents and locate the incident you want to investigate.
To begin managing your incidents:

Review Incident List Details

To provide a summary of each incident, Cortex XDR displays the following incident details for each incident:
  • View the incident severity, score, and assignee. Select whether you want to Star the incident.
  • View the status of the incident and when it was last updated.
  • Review the Cortex XDR incident ID and incident summary.
  • Investigate the incident assets and alert sources:
    • Review the host name associated with the incident. If there is more than one host, select the [+x] to display the additional host names.
    • Review the user name associated with the incident. If there is more than one user, select the [+x] to display the additional user names.
    • Hover over the alert source icons to display the alert source type. Select the alert source icon to display the three most common alerts that were triggered and how many alerts of each are associated with the incident.

Update Incident Details

The incident header allows you to quickly review and update your incident details.
  • Change the incident severity.
    The default severity is based on the highest alert in the incident. To manually change the severity, select the severity tag and choose the new severity.
  • Add or edit the incident name.
    Hover over Add incident name and select the pencil icon to add or edit the incident name.
  • Update the incident score.
    Select the Incident Score to investigate how the Rule based score was calculated.
    In the Manage incident Score dialog, review the Rule ID, Rule Name, Description, Alert IDs, and the Total Added Score associated with the incident. The table displays all rules that contributed to the incident total score, including rules that have been deleted. Deleted scores appear as N/A.
    Override the Rule based score by selecting Set score manually and Apply the change.
  • Assign an incident.
    Select the assignee (or Unassigned) and begin typing the assignee’s email address for automated suggestions. Users must have logged in to the app to appear in the auto-generated list.
  • Assign an incident status.
    Select the incident status to update the status to either New, Under Investigation, or Resolved to indicate which incidents have been reviewed and to filter by status in the incidents table.
    When setting an incident to Resolved, select the reason the incident was resolved.
  • Merge incidents.
    To merge incidents you think belong together, select the ellipsis icon, Merge Incidents, and enter the target incident ID you want to merge the incident with.
    Incident scoring is managed as follows:
    • Rule Based Score recalculates the incident score to include the merged incident scores.
    • Manual Score allows you to enter a score and override the rule-based score.
    Incident assignees are managed as follows:
    • If both incidents have been assigned, the merged incident takes the target incident assignee.
    • If both incidents are unassigned, the merged incident remains unassigned.
    • If the target incident is assigned and the source incident is unassigned, the merged incident takes the target assignee.
    • If the target incident is unassigned and the source incident is assigned, the merged incident takes the existing (source incident) assignee.
  • Create an exclusion.
    Select the ellipsis icon, Create Exclusion, and enter the Policy Name. Select the alerts to include in the policy by filtering the Alert table and Create the exclusion.
  • Review Cortex XDR remediation suggestions.
    Select the ellipsis icon to open the Remediation Suggestions dialog.
  • Review the incident assets.
    Review the number of alerts, alert sources, hosts, users, and WildFire hits associated with the incident. Select Hosts, Users, and Wildfire Hits to display the asset details.
  • Track and share your investigation progress.
    Add notes or comments to track your investigative steps and any remedial actions taken.
    • Select the Incident Notepad to add and edit the incident notes. You can use notes to add code snippets to the incident or a general description of the threat.
    • Use the Incident Messenger to coordinate the investigation between analysts and track the progress of the investigation. Select the comments to view or manage comments.
      If needed, Search to find specific words or phrases in the Notepad and Messenger.

Investigate Incident Overview

The incident Overview tab displays the MITRE tactics and techniques, a summarized timeline, and interactive widgets that visualize the number of alerts, types of sources, hosts, and users associated with the incident.
The Overview tab supports the Advanced view for incidents created after Cortex XDR 3.0. Incidents created before Cortex XDR 3.0 are displayed in the Legacy view. For flexibility, you can choose to display incidents created after Cortex XDR 3.0 using either the Legacy view or the Advanced view.
  • Review the incident MITRE tactics and techniques widget.
    Cortex XDR displays the number of alerts associated with each tactic and technique. Select the centered arrow at the bottom of the widget to expand the widget and display the sub-techniques. Hover over the number of alerts to display a link to the official MITRE ATT&CK site.
    In some cases the number of alerts associated with the techniques will not match the number for the parent tactic, either because of missing tags or because an alert belongs to several techniques.
  • Review the summarized timeline.
    The summarized Timeline displays the timestamp of the following four types of actions that occurred in the incident:
    • When the incident was created.
    • When the incident was assigned.
      If the incident assignee was changed, the action is marked in blue. Select the action to display the history.
    • When the last alert was added to the incident.
    • When the incident was resolved.
  • Investigate information about the Alerts, Sources, Hosts, and Users associated with the incident.
    • In the Alerts widget:
      • Select Show More to pivot to the Alerts & Insights table.
      • Review the Total number of alerts and the pie chart separated according to alert severity. Select a severity tag to pivot to the Alerts & Insights table filtered according to the selected severity.
    • In the Sources widget:
      • Select Show More to pivot to the Alerts & Insights table.
      • Select each of the alert source types to pivot to the Alerts & Insights table filtered according to the selected alert source.
    • In the Hosts widget:
      • Select Show More to pivot to the Key Assets and Artifacts tab.
      • Select the host names to display the Details panel. The panel is only available for hosts with the Cortex XDR agent installed and displays the host name, whether it’s connected, along with the Endpoint Details, Agent Details, Network, and Policy information. Use the available actions listed in the top right-hand corner to take remedial actions.
    • In the Users widget:
      • Select Show More to pivot to the Key Assets and Artifacts tab.
      • Review the users that are marked as Featured.

Investigate Incident Timeline

The incident Timeline tab is a chronological representation of the alerts and actions relating to the incident.
To begin investigating:
  • Navigate to the Timeline tab and filter the actions according to the following action types:
    • All actions
    • Alerts
    • Response Actions
    • Incident Management Actions
    • Automatic Incident Updates
  • Investigate a timeline entry.
    Each timeline entry represents a type of action that was triggered in the alert. Alerts that include the same artifacts are grouped into one timeline entry and display the common artifact as an interactive link. Depending on the type of action, you can select the entry, host names, and artifacts to further investigate the action:
    • Locate the action you want to investigate:
      • Response and Management Actions: add and view comments relating to this action.
      • Alert and Automatic Updates: display the Details panel. In the panel, navigate to the Alerts tab to view the Alerts table filtered according to the Alert ID, the Key Assets tab to view a list of the Hosts and Users associated with the alert, and an option to add Comments.
    • Select the host name to display, if available, the endpoint data.
    • Select the artifact to display the following types of information:
      • Hash Artifact: displays the Verdict, File name, and Signature status of the hash value. Select the hash value to view the Wildfire Analysis Report, Add to Block list, Add to Allow list, and Search file.
      • Domain Artifact: displays the IP address and VT score of the domain. Select the domain name to Add to EDL.
      • IP Address: displays whether the IP address is Internal or External, the Whois findings, and the VT score. Expand Whois to view the findings and Add to EDL.
    • In action entries that involve more artifacts, expand Additional artifacts found to further investigate.

Investigate Incident Alerts and Insights

The Alerts & Insights tab displays a table of the alerts and insights associated with the incident.
  • Navigate to the Alerts & Insights tab.
  • Filter the Alerts and Insights tables as you would in the dedicated Cortex XDR pages.
  • Select an alert or insight to display the corresponding Details panel. The panel displays the following alert details, if available:
    • Alert
      • Alert name, severity, alert source, and rule name
      • General
      • MITRE ATT&CK
      • Host
      • Rule
      • Network Connections
    • Insight
      • Insight name, type, source, and description
      • General
      • MITRE ATT&CK
      • Host
      • Rule
      • Process Execution
    Use the available actions listed in the top right-hand corner to take remedial actions.

Investigate Incident Key Assets and Artifacts

The Key Assets & Artifacts tab displays all the incident asset and artifact information for the hosts, users, and key artifacts associated with the incident.
  • Navigate to the Key Assets & Artifacts tab.
  • Investigate artifacts.
    In the Artifacts section, search for and review the artifacts associated with the incident. Each artifact displays, if available, the following artifact information and available actions according to the type of artifact: File, IP Address, or Domain.
    File Artifact
    • File Details
      • File name
      • SHA256 value
      • Number of alerts in the incident that include the file
      • Signature status and signer
      • WildFire Report. Select to view the Wildfire Analysis Report.
      • AutoFocus (AF) tags. Select the tag to display the Source, Tag Class, and Description.
      • VirusTotal (VT) Score. You can select the score to pivot to the VirusTotal report.
      • Number of alerts in the incident that include the file according to severity
    • Ellipsis File Actions
      • Open in Quick Launcher
      • Go to VirusTotal
      • Go to AutoFocus
      • Search File on all Endpoints
      • Open Hash View
      • View Related Alerts
      • Add to Block List
      • Add to Allow List
    IP Address Artifact
    • IP Address Details
      • IP Address value and name
      • Number of alerts in the incident that include the IP address
      • Whether the IP address is External or Internal.
      • Whois information. Hover to display the Net Range, Registered Date, Registered name, Organization, and Updated Date details.
      • VirusTotal (VT) Score. You can select the score to pivot to the VirusTotal report.
      • Number of alerts in the incident that include the IP address according to severity
    • Ellipsis IP Address Actions
      • Open in Quick Launcher
      • Go to VirusTotal
      • Open IP View
      • View Related Alerts
      • Add to EDL
    Domain Artifact
    • Domain Details
      • Domain name and IP Address
      • Number of alerts that include the domain
      • VirusTotal (VT) Score. You can select the score to pivot to the VirusTotal report.
      • Number of alerts that include the domain according to severity
    • Ellipsis Domain Actions
      • Go to VirusTotal
      • Open IP View
      • View Related Alerts
      • Add to EDL
  • Investigate hosts.
    In the Hosts section, search for and review the hosts associated with the incident. Each host displays, if available, the following host information and available actions:
    • Host Details
      • Icons representing whether a Cortex XDR Agent is installed on the host and the operating system platform. A green icon indicates the host is connected.
      • Host Name
      • IP address associated with the host.
      • Number of alerts that include the host according to severity.
    • Ellipsis Host Actions
      You can choose to perform an action on multiple hosts by marking the entries you want to include or Select All.
      • Security Operations > Isolate Endpoint, Initiate Malware Scan, Retrieve Endpoint Files, Initiate Live Terminal
      • Open in Quick Launcher
      • Open Asset View
      • View Related Alerts
    To further investigate the host, select the host name to display the Details panel. The panel is only available for hosts with the Cortex XDR agent installed and displays the host name, whether it’s connected, along with the Endpoint Details, Agent Details, Network, and Policy information details. In addition, you can perform the available actions listed in the top right-hand corner.
  • Investigate users.
    In the Users section, search for and review the users associated with the incident. Each user displays, if available, the following user information and available actions:
    • User Details
      • User Name
      • Whether the user is Featured
      • Active Directory and Organization Unit names. Hover to display whether the name is an Active Directory or OU name.
      • Workday icon. Hover to display the Workday information.
      • Number of alerts that include the user according to severity.
    • Ellipsis User Actions
      • View Related Alerts
      • Open User View

Investigate Incident Executions

The Executions tab displays all the alert causality chains associated with the incident. The causality chains are aggregated according to the following types of groupings:
  • Host Name
    • Host with a Cortex XDR agent installed
    • Host without a Cortex XDR agent installed
    • Multiple Hosts
    • Undetected Host
  • User Name
    • Username
    • Multiple Users
    • Undetected Users
  • Cloud-related alerts are displayed in the User Name grouping.
  • Prisma Cloud Compute alerts are displayed in the Host Name grouping.
  • Navigate to the Executions tab.
  • Investigate the host causality chains.
    In the Executions section, search for and review the hosts associated with the incident. Each host displays, if available, the following host information and available actions:
    • Execution Details
      • Icons representing whether a Cortex XDR Agent is installed on the host and the operating system platform. A green icon indicates the host is connected.
      • Host Name
      • IP address associated with the host.
      • Alert Sources associated with this host.
      • Number of alerts that include the host according to severity.
    • Ellipsis Execution Actions
      Select the ellipsis to perform the following action on the host:
      • Security Operations > Isolate Endpoint, Initiate Malware Scan, Retrieve Endpoint Files, Initiate Live Terminal
      • Open in Quick Launcher
      • Open Asset View
      • View Related Alerts
  • Investigate a causality chain.
    The causality chains are listed according to the Causality Group Owner (CGO); expand the CGO card you want to investigate. Each CGO card displays the CGO name, the following CGO event details, and the causality chain:
    • CGO Name
    • Alert Sources associated with the entire causality chain
    • Execution time of the causality chain
    • Number of alerts that include the CGO according to severity.
    Expand the causality chain to further investigate and perform the available Causality View actions.
