The Incident Details window displays information about the following:
The Summary section in the Incident Details provides an overview of the incident and the affected asset. If the risk score is zero, the incident is considered non-malicious.
The following screenshot is an example of the Incident Summary:
You can Change Status, Assign Incident, or Add Comment from the Actions menu. Using the Add Comment option, you can provide comments about the incident. Only the writer of the comment can edit or delete their comment.
The Timeline section provides the list of detected events. Alternatively, you can search for detected events from the Search for events search bar using the Events Search Token and choose a remediation action if applicable. You can narrow the search results by selecting a timeframe from Last 2 years to Today. Select the Last 30 days drop-down to view the list of timeframe options.
The Assessment and Detection Source filters in the Timeline section display the list of events based on the selected options.
You can select multiple threat sources while using the Detection Source filter.
You can perform remediation actions from the Process Tree section. The process tree displays all the events related to the selected incident. An event of the "Process" type shows its parent and child processes.
In the process tree view, you can traverse between the nodes by clicking a node in the hierarchy. You can click the (+) and (-) to expand and collapse the tree nodes and display the related events.
In the Threat details section, you can view the detection engine (Malware Detection, Yara rules, Behavioral Analysis, Threat Intelligence, etc.) for the event and the event risk score. The Process Tree view provides a zoom bar and a reset option. Use the filter to view a specific event type in the process tree. Process events are always visible.
The comments you add using the Actions menu are listed in the Comments section. For the Antimalware Assignee, when the Status is closed, the comment displayed by default is based on the action performed.
For example, in the following screenshot, the network has been closed. Hence, the comment displayed is Network Closed.
The Activity Log logs all the actions you perform on the Incident page. The following screenshot is an example of the Activity Log:
The Risks and Exploits section lists the vulnerabilities linked to the incident. If you have a subscription to the VMDR application, you can view the vulnerability details.