End-of-Life (EoL)

Incident Actions

type Add child incidents, tasks, notes, create a report, edit, delete, and restrict an incident type.
In an incident, you can undertake a number of actions, such as edit the incident, add a child incident, add tasks, notes, and so on.
When clicking
you can undertaken the following actions:
Edit the incident as required.
Create a report to capture investigation specific data and share it with team members.
Add child incident
Adds a child incident to the incident.
Child investigations are used to compartmentalize sensitive War Room activity. You can create child investigations to collaborate discreetly with a select group of people on a specific topic of investigation. Child investigations are also used in situations where a secondary investigation is needed and its content may add too much "noise" in the original investigation.
You can also create child investigations from the CLI using the
To turn the child investigation to a discrete investigation, select the
Closing a parent investigation also closes all associated child investigations.
Restrict an investigation to the incident owner and team.
Close incident
Marks the incident as closed.
Deletes the incident
When clicking you can undertake the following actions:
Quick View
You can see a summary of the incident, timeline information, labels, and indicators.
Add tasks for users to complete as part of an investigation.
Details of any D2 Agents that are deployed to perform forensic tasks on machines.
Add team members to the incident.
Context Data
View context data. The context is a map (dictionary) that is created for each incident and is used to store structured results from the integration commands and automation scripts. The context keys are strings and the values can be strings, numbers, objects, and arrays.
You can use context data to:
  • Pass data between playbook tasks.
  • Capture the important structured data from automations and display the data in the incident summary

Recommended For You