Endpoint View

Print Friendly, PDF & Email

Navigating to Endpoint View

  1. On the Incidents page, in the Incidents table, click View Details. In the right pane, Incident Summary appears.
  1. Scroll the summary, till the ENDPOINTS AND USERS title appears. You can view the endpoint name.
  1. Click the endpoint name.

The endpoint view appears on the page. The endpoint name appears on the topmost line.

List View

The list view is the default view. The List, Timeline, and Correlation are the 3 views available.

The total count of Alerts is shown. You can select one of the following to show the count and the list:

  • All Alerts
  • Associated Alerts
  • Unassociated Alerts

The counts of alerts as per the following Severity are shown.

  • High
  • Medium
  • Low
  • Base

The severity is displayed in the color code, also.

The following table describes fields that you can view in the table in the List view.

Field Description
ALERT NAME Displays the name of Alert.
ALERT TYPE Displays one of the following Alert types:

Custom

Associated Alerts

Unassociated Alerts

SOURCE Displays the source of the Alert
SEVERITY Displays one of the following Severity:

High

Medium

Low

Base

TACTICS Displays Tactics of the Alert
UPDATED ON Displays the time and date of when the current alert was created.

You can sort the displayed list as per the created date of alerts from latest to older.

Actions

Combine With Current Incident

  1. Click the caret near count of Active Incidents in the Summary pane. The Other Incidents Associated with Endpoint dialog appears.
  1. In the Active Incident tab, list of active incidents appears. Select the incident that you want to combine with current incident by clicking the respective check box.
  1. Click Combine with Current Incident. The confirmation dialog appears.
  1. Click Combine.

The success message appears when the incident is combined.

Associate with Incident

  1. Select Unassociated Alerts option. The list of unassociated alerts appears.
  1. Select the alert that you want to associate with the incident by clicking the respective check box. The Associate with Incident button is enabled.
  1. Click the Associate with Incident. The Select Incident dialog appears.
  1. Select an incident with which you want to associate these base alerts. You can search the incident by name or ID in the list.
  2. Click Associate with Incident.

Remediation actions

During Alerts analysis, if you find any endpoint is running malware, you can perform the following remediation actions on that endpoint.

The endpoint isolation and restore feature allows IR to isolate the endpoint from the network when an endpoint is running malware, to ensure the malware doesn’t spread to other endpoints.

When the endpoint is isolated, IR runs an investigation and resolves security issues. Once the endpoint is clean, IR can reconnect the endpoint to internet.

  • Isolate: This action will isolate the endpoint from the network. This action will ensure that the malware is not spread in the network. This option is available only if the endpoint is infected. After isolation, IR runs an investigation and resolves security issues.
  • Reconnect : This action will reconnect the endpoint to the network. Once the endpoint is clean, IR can reconnect the endpoint to the network with this action. This option is available only if the endpoint is isolated.

Selecting the View duration

You can view the alerts in the following hours, days, or weekly or monthly slots:

  • Hour wise
    • Last 1 hour
    • Last 3 hours
    • Last 6 hours
    • Last 12 hours
    • Last 24 hours
    • Today (Since midnight 12.00 AM)
  • Day wise
    • Last 7 days
    • Last 15 days
    • Last 30 days
  • This week (since Sunday midnight 12.00 AM)
  • This month (since the beginning of the month)

Filter option

Using the Filter View

Apply the filters to narrow down your search criteria for displaying the alerts. You can filter by Incident and Incident Type.

Timeline view

You can view the number of alerts as per Severity on a date & time scale. The single alert is represented as a small solid circle and a cluster of alerts generated at the same time is represented as a count+ in a circle.

Color Code Legend

Color of dots Activity related to
Yellow Process
Purple File
Blue Network
Green Registry

Additionally, you can do the following:

We can zoom in and out using mouse. We can adjust the time window, if there are multiple alerts at the same time, then there will be a circle with a count on this view, else it will be a solid circle for a single alert.

Also, when the user clicks on this solid circle on this view, the user can see alert details on the right-side panel.

When the user clicks on the count in the circle, then on the right-side panel all the alerts that occurred at that same time are displayed. The User can see further details of the alert by clicking on the alert name.

Also, we can select the timeline view as per Day/Week or Month from the upper right corner list.

Correlation view

You can switch to the Correlation view to see all the alerts that have occurred in the past 7-, 15-, or 30-day period associated with a Key attribute.

Click Correlation tab, to view the relation between the alert and the Key attributes.

Also, we can view the listed alerts serially with Key Attributes name, type, associated to, and reputation.

Key Attributes table

Field Description
NAME Name of the Key Attribute.
ATTRIBUTE TYPE Type of the Key Attribute.
ASSOCIATED TO Associated to how many alerts.
REPUTATION

 

Reputation of the Key Attribute.

Live Query

Here you can execute queries against the selected endpoints to gather information for security analysis and IT hygiene purposes.
Refer Live Query for more details.

Note
When you click on ‘Live Query’ tab, the ‘Select Platform’ and ‘Select Host’ drop-down menus will not be visible, as they have already been filled out before reaching this stage.

Using the Filter View for Key Attributes

Apply the filters to narrow down your search criteria for displaying the alerts. You can filter by Key Attributes name, type, and reputation.

Was this page helpful?