- On the Incidents page, in the Incidents table, click View Details. The Incident Summary appears in the right pane.
- Scroll the summary until the ENDPOINTS AND USERS section appears. It lists the endpoint name.
- Click the endpoint name.
The endpoint view appears on the page, with the endpoint name on the topmost line.
Three views are available: List, Timeline, and Correlation. List is the default view.
The total count of Alerts is shown. Select one of the following to show the count and the list for that subset:
- All Alerts
- Associated Alerts
- Unassociated Alerts
The alert counts per Severity are also shown, and each severity is color coded.
The following table describes the columns of the table in the List view.
| Column | Description |
| --- | --- |
| Alert Name | Displays the name of the alert. |
| Alert Type | Displays the alert type. |
| Source | Displays the source of the alert. |
| Severity | Displays the severity level of the alert. |
| Tactics | Displays the tactics associated with the alert. |
| Created | Displays the date and time when the alert was created. |
You can sort the displayed list by the alert creation date, from latest to oldest.
- Click the caret next to the Active Incidents count in the Summary pane. The Other Incidents Associated with Endpoint dialog appears.
- On the Active Incident tab, the list of active incidents appears. Select the check box of the incident that you want to combine with the current incident.
- Click Combine with Current Incident. A confirmation dialog appears.
- Click Combine.
A success message appears when the incidents are combined.
- Select the Unassociated Alerts option. The list of unassociated alerts appears.
- Select the check box of the alert that you want to associate with an incident. The Associate with Incident button is enabled.
- Click Associate with Incident. The Select Incident dialog appears.
- Select the incident with which you want to associate these base alerts. You can search for the incident by name or ID in the list.
- Click Associate with Incident.
During alert analysis, if you find that an endpoint is running malware, you can perform the following remediation actions on that endpoint.
The endpoint isolation and restore feature lets the incident responder (IR) isolate an endpoint from the network when it is running malware, so that the malware does not spread to other endpoints.
While the endpoint is isolated, the IR investigates and resolves the security issues. Once the endpoint is clean, the IR can reconnect it to the network.
- Isolate: Isolates the endpoint from the network so that the malware cannot spread. This option is available only if the endpoint is infected. After isolation, the IR investigates and resolves the security issues.
- Reconnect: Reconnects the endpoint to the network once it is clean. This option is available only if the endpoint is isolated.
You can view the alerts for the following hourly, daily, weekly, or monthly time slots:
- Hour wise
  - Last 1 hour
  - Last 3 hours
  - Last 6 hours
  - Last 12 hours
  - Last 24 hours
  - Today (since midnight, 12:00 AM)
- Day wise
  - Last 7 days
  - Last 15 days
  - Last 30 days
  - This week (since Sunday midnight, 12:00 AM)
  - This month (since the beginning of the month)
Using the Filter View
Apply filters to narrow down the alerts that are displayed. You can filter by Incident and Incident Type.
You can view the number of alerts per Severity on a date and time scale. A single alert is represented as a small solid circle, and a cluster of alerts generated at the same time is represented as a circle containing the count.
Color Code Legend
| Color of dots | Activity related to |
| --- | --- |
Additionally, you can do the following:
- Zoom in and out with the mouse, and adjust the time window.
- Click a solid circle to see that alert's details in the right-side panel.
- Click the count in a circle to list, in the right-side panel, all the alerts that occurred at that time. Click an alert name to see its details.
- Select the timeline granularity (Day, Week, or Month) from the list in the upper-right corner.
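The time-slot presets listed above and the Timeline view's dot-versus-count circles both come down to two small pieces of logic: resolving a relative label such as "This week (since Sunday midnight)" to an absolute start time, and grouping alerts that share a timestamp. The following is an added example written for this page, not the product's own code: it assumes a one-minute bucket for "generated at the same time" and uses constructed sample alerts, and it shows the edge that is easy to get wrong, namely that the product's week starts on Sunday while Python's `weekday()` starts on Monday.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    created_at: datetime
    name: str
    severity: str


# Constructed sample data (not product output). "Now" is Wednesday 13 Mar 2024, 14:30.
NOW = datetime(2024, 3, 13, 14, 30)
SAMPLE_ALERTS = [
    Alert(datetime(2024, 3, 13, 14, 5), "Suspicious PowerShell execution", "High"),
    Alert(datetime(2024, 3, 13, 14, 5), "Credential dumping attempt", "Critical"),
    Alert(datetime(2024, 3, 13, 9, 10), "Malicious file detected", "Medium"),
    Alert(datetime(2024, 3, 11, 22, 0), "Lateral movement via SMB", "High"),
    Alert(datetime(2024, 3, 9, 8, 0), "Persistence via scheduled task", "Low"),
    Alert(datetime(2024, 2, 20, 12, 0), "Brute-force logon attempts", "Medium"),
]

# Presets that are a fixed distance back from "now".
RELATIVE = {
    "Last 1 hour": timedelta(hours=1),
    "Last 3 hours": timedelta(hours=3),
    "Last 6 hours": timedelta(hours=6),
    "Last 12 hours": timedelta(hours=12),
    "Last 24 hours": timedelta(hours=24),
    "Last 7 days": timedelta(days=7),
    "Last 15 days": timedelta(days=15),
    "Last 30 days": timedelta(days=30),
}


def window_start(preset: str, now: datetime) -> datetime:
    """Return the absolute start time of a time-slot preset, evaluated at `now`."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if preset in RELATIVE:
        return now - RELATIVE[preset]
    if preset == "Today":
        return midnight
    if preset == "This week":
        # The product's week starts on Sunday; Python's weekday() has Monday=0 .. Sunday=6,
        # so (weekday + 1) % 7 is the number of days back to the most recent Sunday.
        return midnight - timedelta(days=(now.weekday() + 1) % 7)
    if preset == "This month":
        return midnight.replace(day=1)
    raise ValueError(f"unknown time slot: {preset}")


def filter_alerts(alerts, preset: str, now: datetime):
    """Alerts created inside the preset window, newest first (the List view's sort order)."""
    start = window_start(preset, now)
    hits = [a for a in alerts if start <= a.created_at <= now]
    return sorted(hits, key=lambda a: a.created_at, reverse=True)


def severity_counts(alerts) -> dict:
    """Per-severity counts, as shown above the alert list."""
    return dict(Counter(a.severity for a in alerts))


EPOCH = datetime(1970, 1, 1)


def timeline_markers(alerts, bucket: timedelta = timedelta(minutes=1)):
    """Group alerts whose creation time falls in the same bucket (assumed 1 minute here).

    Returns [(bucket_start, label, alerts)] in time order; label is "dot" for a single
    alert and the alert count for a cluster, mirroring the Timeline view's circles.
    """
    groups = defaultdict(list)
    for a in alerts:
        bucket_start = a.created_at - ((a.created_at - EPOCH) % bucket)
        groups[bucket_start].append(a)
    markers = []
    for start in sorted(groups):
        hits = sorted(groups[start], key=lambda a: a.name)
        label = "dot" if len(hits) == 1 else str(len(hits))
        markers.append((start, label, hits))
    return markers


if __name__ == "__main__":
    for preset in ("Last 3 hours", "Today", "This week", "Last 15 days", "This month"):
        hits = filter_alerts(SAMPLE_ALERTS, preset, NOW)
        print(f"{preset:>13}: {len(hits)} alerts, by severity {severity_counts(hits)}")
    for start, label, hits in timeline_markers(filter_alerts(SAMPLE_ALERTS, "Today", NOW)):
        print(start.strftime("%Y-%m-%d %H:%M"), label, [a.name for a in hits])
```

With the sample data, "Today" yields three alerts and two timeline markers: a single dot at 09:10 and a circle labelled 2 at 14:05, which is the case where clicking the count lists both alerts in the right-side panel. Note that "This week" starts on Sunday 10 March, so the Saturday alert falls outside it even though it is inside "Last 7 days".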
Switch to the Correlation view to see all the alerts from the past 7-, 15-, or 30-day period that are associated with a Key Attribute.
Click the Correlation tab to view the relation between the alerts and the Key Attributes.
The alerts are also listed serially with the Key Attribute name, type, number of associated alerts, and reputation.
Key Attributes table
| Column | Description |
| --- | --- |
| Name | Name of the Key Attribute. |
| Type | Type of the Key Attribute. |
| Associated to | Number of alerts the Key Attribute is associated with. |
| Reputation | Reputation of the Key Attribute. |
On the Live Query tab, you can execute queries against the selected endpoint to gather information for security analysis and IT hygiene purposes.
Refer to Live Query for more details.
When you click the Live Query tab, the Select Platform and Select Host drop-down menus are not shown, because they were already determined by the endpoint you opened before reaching this stage.
In the Correlation view, apply filters to narrow down the alerts that are displayed. You can filter by Key Attribute name, type, and reputation.