Incident Details

The Incident Details window displays the following sections:

Summary

The Summary section of Incident Details provides an overview of the Asset Details, Threat Actors, and Malware Summary.

Actions

You can Change Status, Assign Incident, or Add Comment from the Actions menu. Use Add Comment to record notes about the incident. Only the author of a comment can edit or delete it.

The following screenshot is an example of the Incident Summary and Actions:

Example of Incident Summary

Timeline

The Timeline section lists the detected events. You can also search for detected events from the Search for events bar using the Events Search Token and, where applicable, choose a remediation action. To narrow the results, select a timeframe from the Last 30 days drop-down; the options range from Last 2 years to Today.

Timeframe in the Timeline section of the Incidents page.

The Assessment and Detection Source filters in the Timeline section display the list of events that match the selected options.

You can select multiple sources in the Detection Source filter.

Timeline page in Incidents Details

Process Tree

You can perform remediation actions from the Process Tree section. The process tree displays all events related to the selected incident. An event of the Process type shows its parent and child processes.

In the process tree view, click a node in the hierarchy to move to it. Click (+) and (-) to expand and collapse tree nodes and display the related events.

In the Threat details section, you can view the detection engine that flagged the event (Malware Detection, Yara rules, Behavioral Analysis, Threat Intelligence, and so on) and the event risk score. The Process Tree view provides a zoom bar and a reset option. Use the filter to show only a specific event type in the process tree; Process events are always visible regardless of the filter.

Process Tree in Incident Details page
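The following is an added example, not Qualys code, that shows how the Process Tree behaviour described above works on data: it builds the parent/child hierarchy from a constructed set of EDR events, applies an event-type filter that always keeps Process nodes (so File and Network events stay attached to the process that produced them), and walks from any node back to its root. The field names (event_id, parent_id, type, name, engine, risk) and the sample events are assumptions for illustration only.

```python
"""Added example (not Qualys code): process tree built from constructed EDR events.

Field names and sample data are assumptions for illustration; a real export
will use the product's own schema.
"""
from collections import defaultdict

# Constructed sample: a document-launched PowerShell chain that drops a file,
# calls out to the network, and executes the dropped binary.
SAMPLE_EVENTS = [
    {"event_id": "p1", "parent_id": None, "type": "Process", "name": "explorer.exe", "engine": None, "risk": 0},
    {"event_id": "p2", "parent_id": "p1", "type": "Process", "name": "winword.exe", "engine": None, "risk": 2},
    {"event_id": "p3", "parent_id": "p2", "type": "Process", "name": "powershell.exe", "engine": "Behavioral Analysis", "risk": 8},
    {"event_id": "f1", "parent_id": "p3", "type": "File", "name": "C:\\Users\\Public\\a.exe", "engine": "Malware Detection", "risk": 10},
    {"event_id": "n1", "parent_id": "p3", "type": "Network", "name": "203.0.113.5:443", "engine": "Threat Intelligence", "risk": 7},
    {"event_id": "p4", "parent_id": "p3", "type": "Process", "name": "a.exe", "engine": "Yara rules", "risk": 9},
]


def build_tree(events):
    """Return (roots, children): roots are events with no known parent,
    children maps an event_id to the list of events whose parent it is."""
    by_id = {e["event_id"]: e for e in events}
    children = defaultdict(list)
    roots = []
    for e in events:
        pid = e["parent_id"]
        if pid is None or pid not in by_id:
            roots.append(e)  # orphaned parent (not in the incident) is shown as a root
        else:
            children[pid].append(e)
    return roots, children


def filter_events(events, keep_types):
    """Apply the view filter. Process events are always kept, otherwise the
    non-process events would lose the parent that connects them to the tree."""
    keep = set(keep_types) | {"Process"}
    return [e for e in events if e["type"] in keep]


def render(events, keep_types=("Process", "File", "Network"), indent="  "):
    """Return the filtered tree as indented text lines, annotating each event
    with the detection engine and risk score when an engine flagged it."""
    roots, children = build_tree(filter_events(events, keep_types))
    lines = []

    def walk(node, depth):
        tag = f" [{node['engine']}, risk {node['risk']}]" if node["engine"] else ""
        lines.append(f"{indent * depth}{node['type']}: {node['name']}{tag}")
        for child in sorted(children[node["event_id"]], key=lambda e: e["event_id"]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def ancestry(events, event_id):
    """Return the chain of names from the root down to event_id, i.e. the
    path an analyst traverses when clicking up the hierarchy."""
    by_id = {e["event_id"]: e for e in events}
    chain = []
    node = by_id.get(event_id)
    while node is not None:
        chain.append(node["name"])
        node = by_id.get(node["parent_id"]) if node["parent_id"] else None
    return list(reversed(chain))


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_EVENTS)))
    print("\n".join(render(SAMPLE_EVENTS, keep_types=["Network"])))
    print(" -> ".join(ancestry(SAMPLE_EVENTS, "f1")))
```

Filtering to Network events drops the File node but keeps every Process node, which is why the filtered tree still shows the full explorer.exe > winword.exe > powershell.exe chain above the network connection.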

Comments

The comments you add from the Actions menu are listed in the Comments section. When the Assignee is Antimalware and the Status is Closed, the default comment reflects the action that was performed.

For example, in the following screenshot the network was closed, so the comment displayed is Network Closed.

Antimalware comment in Incident Details page.

Activity Log

The Activity Log records every action you perform on the Incident Details page. The following screenshot is an example of the Activity Log:

Activity Log section in the Incident Details page.

Risks and Exploits

The Risks and Exploits section shows data generated through the integration with Qualys Vulnerability Management, Detection and Response (VMDR) and Qualys Policy Compliance (PC). The Threat Risk & Exposure tab lists the vulnerabilities linked to the incident. If you have subscriptions to VMDR and Patch Management, you also get options to view vulnerability insights and patch those vulnerabilities. The VMDR integration lets you remediate endpoints based on the QID, Title, CVE, Malware, Total Hosts, and QDS.

The System Misconfiguration tab lists the CIDs, Control Statements, and MITRE Technique IDs that failed the Qualys Policy Compliance assessment because of endpoint misconfiguration. The following screenshot is an example of the System Misconfiguration tab:

How do I get more insights about Risks and Exploits using VMDR?

  1. If you have a VMDR subscription, click View Details in VMDR. You are redirected to the Vulnerabilities tab of the VMDR application. 
  2. On the Vulnerabilities tab, the vulnerabilities are listed by CVE ID using the search token `vulnerabilities.vulnerability.cveIDs:[CVE ID number]`. Click any QID to view insights for that vulnerability. 

How can I patch the vulnerability detected in EDR using the Patch Now option?

If you have a Patch Management subscription, the Patch Now option is enabled. 

  1. Click Patch Now. You are redirected to the Jobs tab of the Patch Management application. 
  2. In the Basic Information section, the Job title is pre-populated. 
  3. In the Select Assets section, the assets are populated based on the selected asset tags. You can add or exclude asset tags for the job.
  4. On the Select Patches page, select the type of patch you want to install. The patches are pre-populated; if required, you can select more patches. 
  5. Provide information for the remaining fields and click Save and Enable.
     For more information, see Creating Patch Job for Windows Assets.

Additional Resource

MITRE ATT&CK webpage