Dbot Suggestions: Quick View Window
The Quick View window displays information for the entity
selected on the canvas, either an incident or an indicator, each
of which have DBot suggested indicators.
You can highlight entities on the canvas to show visually how
the incident progressed.
Searches performed in the Quick View pane are client-side searches.
Incident Quick View
You can view basic information, such as type, severity, time
line information labels, and indicators. The indicators that DBot
suggests to add to the canvas for this incident are determined according
to the following factors (in this order):
- Indicators with a bad reputation from the current (selected) incident.
- The malicious ratio, which is the ratio between the indicators that appear in incidents with a bad reputation, compared to the total number of incidents in Cortex XSOAR.
Indicator Quick View
You can view source information, hashes, known history, comments
and do certain actions such as run scripts, delete, exclude and
so on.
The indicators that DBot suggests to add to the canvas for the
selected indicator are determined according to the following factors
(according to this order):
- Relations between all canvas investigation contexts. For example, if a hostname and IP address are associated with the same endpoint, the context key is suggested as an indicator.
- An ssdeep with 50% or higher similarity.
You can Edit Dbot Incident and Indicator Suggestions in the
Quick
View
window. 