List View
Scroll down the list as required to view earlier generated alerts. Clicking a host name opens the Device view for that alert.
Field | Description |
---|---|
INCIDENT ID | Displays the ID of the incident. |
INCIDENT NAME | Displays the name of the incident. You can copy the name by clicking the copy icon. |
TYPE | Displays the type of the incident. |
SEVERITY | Displays one of the following severities: · Critical |
PRIORITY | Displays one of the following priorities: · Critical · High · Medium · Low |
STATUS | Displays one of the following statuses of the incident: · New · Investigation · Remediation · Closed |
NO. OF ALERTS | Displays the number of alerts associated with the incident. |
CREATED ON | Displays the date and time when the incident was created. You can sort the list by this column. |
ASSIGNED TO | Displays the name of the user to whom the incident is assigned. |
The following table describes the fields of the alerts table in the List view.
Field | Description |
---|---|
ALERT NAME | Displays the name of the alert. |
ALERT TYPE | Displays one of the following alert types: · Custom · Associated Alerts · Unassociated Alerts |
SOURCE | Displays the source of the alert. |
SEVERITY | Displays one of the following severities: · High · Medium · Low · Base |
TACTICS | Displays the tactics of the alert. |
CREATED ON | Displays the date and time when the alert was created. You can sort the displayed list by the created date of the alerts, from latest to oldest. |
View
You can view the incidents in the following hourly, daily or custom time slots:
- Hour wise
  - Last 1 hour
  - Last 24 hours
- Day wise
  - Last 7 days
  - Last 15 days
  - Last 30 days
- Custom – Clicking Custom opens a calendar control. Select the From Date and To Date from the calendar, then click Save.
My Incidents
Click the My Incidents button to view only the incidents that are assigned to you (the logged-in user).
Filter
Using the Filter View
Apply filters to narrow the search criteria for the displayed incidents. You can filter by Severity, Status, Alert Details (such as Process Name and Host Name), Assignee and Tactics.
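The View time slots, the My Incidents toggle and the Filter criteria described above all reduce to the same operation: a time-window check, an optional assignee match, a set of attribute matches, and a sort by creation date from latest to oldest. The following Python is an added example written for this page; it is not the product's own code. The Incident record, the field names and the sample incidents are constructed for illustration and are not taken from any real deployment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Hypothetical incident record mirroring the list-view columns on this page.
@dataclass(frozen=True)
class Incident:
    incident_id: str
    name: str
    severity: str
    status: str
    created_on: datetime
    assigned_to: Optional[str]
    host_names: Tuple[str, ...] = ()
    process_names: Tuple[str, ...] = ()
    tactics: Tuple[str, ...] = ()

# Preset view windows from the View section, keyed by their menu label.
VIEW_WINDOWS = {
    "Last 1 hour": timedelta(hours=1),
    "Last 24 hours": timedelta(hours=24),
    "Last 7 days": timedelta(days=7),
    "Last 15 days": timedelta(days=15),
    "Last 30 days": timedelta(days=30),
}


def view_range(view, now, custom=None):
    """Resolve a view label to an inclusive (from, to) datetime pair.

    'Custom' takes the (From Date, To Date) pair picked from the calendar.
    """
    if view == "Custom":
        if custom is None:
            raise ValueError("Custom view needs a (From Date, To Date) pair")
        start, end = custom
        if start > end:
            raise ValueError("From Date must not be after To Date")
        return start, end
    return now - VIEW_WINDOWS[view], now


def list_incidents(incidents, now, view="Last 24 hours", custom=None,
                   my_user=None, severity=None, status=None, process_name=None,
                   host_name=None, assignee=None, tactic=None):
    """Apply the View window, the My Incidents toggle and the Filter
    criteria, then sort by CREATED ON from latest to oldest."""
    start, end = view_range(view, now, custom)
    matched = []
    for inc in incidents:
        if not start <= inc.created_on <= end:
            continue
        if my_user is not None and inc.assigned_to != my_user:
            continue
        if severity is not None and inc.severity not in severity:
            continue
        if status is not None and inc.status not in status:
            continue
        if process_name is not None and process_name not in inc.process_names:
            continue
        if host_name is not None and host_name not in inc.host_names:
            continue
        if assignee is not None and inc.assigned_to != assignee:
            continue
        if tactic is not None and tactic not in inc.tactics:
            continue
        matched.append(inc)
    return sorted(matched, key=lambda i: i.created_on, reverse=True)


def sample_incidents(now):
    """Constructed sample data for the example (not real incidents)."""
    return [
        Incident("INC-1001", "Suspicious PowerShell", "High", "New",
                 now - timedelta(minutes=30), "alice",
                 ("ws-01",), ("powershell.exe",), ("Execution",)),
        Incident("INC-1002", "LOLBin execution", "Critical", "Investigation",
                 now - timedelta(hours=5), "bob",
                 ("srv-02",), ("mshta.exe",), ("Defense Evasion",)),
        Incident("INC-1003", "Phishing attachment", "Medium", "Closed",
                 now - timedelta(days=3), "alice",
                 ("ws-07",), ("winword.exe",), ("Initial Access",)),
        Incident("INC-1004", "Unusual logon", "Low", "Remediation",
                 now - timedelta(days=20), None,
                 ("dc-01",), (), ("Persistence",)),
    ]


def ids(incidents):
    """Incident IDs in display order, for checking results."""
    return [i.incident_id for i in incidents]


NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
SAMPLE = sample_incidents(NOW)

if __name__ == "__main__":
    print("Last 24 hours:", ids(list_incidents(SAMPLE, NOW)))
    print("My incidents, last 7 days:",
          ids(list_incidents(SAMPLE, NOW, "Last 7 days", my_user="alice")))
```

Filters take sets so that several values of one column (for example two statuses) can be selected at once, and a Custom view without its date pair is rejected rather than silently showing everything, which is the failure mode a triage console must avoid.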
View Details
When you click View Details, you are redirected to the Alerts page.
Summary of the Incident
When you click any row, the summary of the incident appears in the right pane. The table below describes the fields that you can view in the summary.
In this pane, you can view the available actions for the selected incident, such as:
- View Audit Report: Click to access the detailed audit report for the incident.
- Add Notes: Click this option to add notes to the incident. You can view these notes in the Notes and Attachments section of the right pane.
- Upload Documents: Use this option to upload documents while updating the status of the incident.
Incident Summary
Field | Description |
---|---|
BASIC INFORMATION | |
Incident ID | Displays the ID of the incident. You can copy the ID by clicking the copy icon. |
Incident Name | Displays the name of the incident. You can edit the name by clicking the edit icon. |
Incident Type | Displays one of the following types of incident: Unknown, Phishing, Malware, MITM, Insider Threat, Privilege Escalation, Web Application Attack, Anomaly Detection, APT. You can edit the type by clicking the edit icon. |
Created On | Displays the date and time when the incident was created. |
Occurred On | Displays the endpoint on which the incident occurred. |
Last Updated On | Displays the date and time when the incident was last updated. |
Number of Alerts | Displays the number of alerts already associated with the incident. |
View Details button | Click to view the details of the associated alerts. You are redirected to the Alerts page. |
Playbook | Displays the name of the default playbook associated with the incident. |
View Playbook Output | Click the link to view the playbook output. |
RESPONSE SUMMARY | |
Severity | Displays one of the following severities: High, Medium, Low, Base. |
Priority | Displays one of the following priorities: Critical, High, Medium, Low. You can edit the priority by clicking the edit icon. |
Assigned To | Displays the name of the user to whom the incident is assigned. |
Status | Displays one of the following statuses: New, Investigation, Remediation, Closed. Also shows whether the response is On Time, Late or Closed, together with the time elapsed since the incident was created and the remaining time. You can update the status by clicking the edit icon; this is also where you can upload supporting documents. |
DESCRIPTION AND ANALYSIS | |
Description | Displays the description of the incident. You can edit the description by clicking the edit icon. |
NOTES AND ATTACHMENTS | |
Notes | Displays the content of all notes, and when and by whom each note was created. You can add a note by clicking the Add Note icon. This is also where you can upload supporting documents by clicking Upload Documents. |
ENDPOINTS AND USERS | |
Endpoints (#) | |
Endpoint Name | Displays the hostnames of all endpoints. Clicking the vertical ellipsis shows the list of playbooks with a status indicating whether each playbook has been run. You can run a playbook by clicking the Run icon. |
Users (#) | Displays all users. Clicking the vertical ellipsis shows the list of playbooks with a status indicating whether each playbook has been run. You can run a playbook by clicking the Run icon. |
KEY ATTRIBUTES | |
Process | Displays the count and list of processes, with each process's Value, Reputation and the alert it is Associated To. Clicking the vertical ellipsis shows the list of playbooks with a status indicating whether each playbook has been run. You can run a playbook by clicking the Run icon. |
Registry | Displays the count and list of registry entries, with each entry's Value, Reputation and the alert it is Associated To. Clicking the vertical ellipsis shows the list of playbooks with a status indicating whether each playbook has been run. You can run a playbook by clicking the Run icon. |
File | Displays the count and list of infected files, with each file's Value, Reputation and the alert it is Associated To. Clicking the vertical ellipsis shows the list of playbooks with a status indicating whether each playbook has been run. You can run a playbook by clicking the Run icon. |
Network | Displays the count and list of infected networks, with each network's Value, Reputation and the alert it is Associated To. Clicking the vertical ellipsis shows the list of playbooks with a status indicating whether each playbook has been run. You can run a playbook by clicking the Run icon. |
Action Buttons | |
Playbook Actions | Displays the list of playbooks with a status indicating whether each playbook has been run. You can run a playbook by clicking the Run icon. |
View Playbook Output | Opens the Playbook Output window, which shows the output details of the playbook. |
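The Status row of the response summary shows On Time, Late or Closed together with the time elapsed since creation and the time remaining. The page does not state how those values are derived, so the Python below is an added example, not the product's own logic: it assumes a response-time target per priority (the targets are placeholders chosen for the example) and derives the three labels plus the elapsed, remaining and overdue durations from the creation time, the current time and, for closed incidents, the closing time.

```python
from datetime import datetime, timedelta, timezone

# Assumed response-time targets per priority. The page gives no actual
# targets; these are placeholder values for the example only.
RESPONSE_TARGET = {
    "Critical": timedelta(hours=4),
    "High": timedelta(hours=24),
    "Medium": timedelta(days=3),
    "Low": timedelta(days=7),
}

STATUSES = {"New", "Investigation", "Remediation", "Closed"}


def fmt_duration(delta):
    """Render a non-negative timedelta as 'Xd Yh Zm' for the summary pane."""
    total_minutes = int(delta.total_seconds()) // 60
    days, rem = divmod(total_minutes, 24 * 60)
    hours, minutes = divmod(rem, 60)
    return f"{days}d {hours}h {minutes}m"


def response_summary(priority, status, created_on, now, closed_on=None):
    """Return the response fields shown in the Status row.

    Closed incidents report 'Closed' and whether they met the target;
    open incidents report 'On Time' with remaining time, or 'Late' with
    the amount by which they are overdue.
    """
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    if priority not in RESPONSE_TARGET:
        raise ValueError(f"unknown priority {priority!r}")
    target = RESPONSE_TARGET[priority]

    if status == "Closed":
        # A closed incident stops the clock at its closing time.
        elapsed = (closed_on or now) - created_on
        return {"status": status, "response": "Closed",
                "elapsed": fmt_duration(elapsed), "remaining": None,
                "overdue_by": None, "met_target": elapsed <= target}

    elapsed = now - created_on
    remaining = target - elapsed
    if remaining >= timedelta(0):
        return {"status": status, "response": "On Time",
                "elapsed": fmt_duration(elapsed),
                "remaining": fmt_duration(remaining),
                "overdue_by": None, "met_target": None}
    # Past the target: remaining time is shown as zero, overdue amount separately.
    return {"status": status, "response": "Late",
            "elapsed": fmt_duration(elapsed), "remaining": "0d 0h 0m",
            "overdue_by": fmt_duration(-remaining), "met_target": None}


NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


def hours_before(n):
    """Constructed timestamp n hours before NOW."""
    return NOW - timedelta(hours=n)


if __name__ == "__main__":
    print(response_summary("Critical", "Investigation", hours_before(1), NOW))
    print(response_summary("Critical", "New", hours_before(6), NOW))
    print(response_summary("High", "Closed", hours_before(30), NOW,
                           closed_on=hours_before(10)))
```

Keeping the overdue amount separate from the remaining time means a Late incident never shows a negative countdown, and a Closed incident keeps the elapsed time at which it was closed instead of continuing to grow with the clock.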
Add Note
A shortcut for adding a note is available in the upper-right corner.
- Click the Add Note icon. The Add Note dialog appears.
- Enter the note text in the Note field.
- Click Save.
A confirmation message appears.
You can view all the notes in the Notes section of the Incident Summary.
Playbook Actions
In the Incident Summary, the following two buttons appear.
- Playbook Actions
- View Playbook Output
Running playbook
- Click Playbook Actions. A list of playbooks appears.
- Click the Run icon. The Playbook Action window appears.
- Provide the information required by the design of the playbook.
- Click Execute.
The playbook is executed and the Playbook Output window appears.
If there are any old results, the View Old Result icon also appears. Click the icon to view the old result.
View Playbook Output
- Click the View Playbook Output button.
- The Playbook Output window appears.
- You can see the output details.
Playbook and attributes
- Scroll to Key Attributes.
- Click the vertical ellipsis.
- The list of playbooks matching the attribute's tags appears, with a status indicating whether each playbook has been run.
- Click the Run icon. The Playbook Action window appears.
- Provide the information required by the design of the playbook.
- Click Execute.
The playbook is executed and the Playbook Output window appears. The Playbook Output window shows the playbook details, the output details, a list of playbooks, and the details of the incident.
Scheduling Incidents Report
Note ☛
Only users with Super Admin, Admin, or SOC Manager privileges can schedule incident reports.
To schedule incident reports, follow the instructions provided here.