Investigate Detections

The Detections tab is categorized between Incidents and Alerts. From the Detections tab, you can investigate incidents and alerts for active threats by Malware name and malware family name. The Detections tab initiates a workflow which includes determining the detection source, quarantining the asset, and assigning the incidents to the assignee for remediation. 

The following combined screenshot is an example of the Incidents and Alerts tabs under Detections:


The Incidents tab lists all the incidents detected on an asset. The Incidents page provides information such as the Incident Number, Incident Description, Status, and Severity Score.

A 0 risk score is considered non-malicious, and hence no incidents are created with this score. 

The highest incident score is the primary factor of the incident metadata, which includes the overall incident score and description. The incident score and description will be dynamically updated based on the high-scored events during the incident's progression.

The Incident aggregation panel displayed at the left of the page lists the Malware Family, Malware Category, Behavioural Detection, Incident Status, and Assignee. The Behavioural Detection lists the MITRE Technique names and Technique IDs. You can click on any of these categories to get the complete list of the assets impacted with that incident.

The following screenshot highlights the Incident aggregation panel on the Incidents page of the Detections tab:

Incidents agggregation panel

Features on Incidents Page

Based on the Incident Number, the incident data cleanup action is performed. The default incident retention period is 60 days. After 60 days, the incidents will no longer be available. Incident data cleanup is performed for all the incidents with Open, In Progress, and Closed statuses for more than 60 days.


You can perform bulk actions like Change Status and Assign Incident from the Actions drop-down menu. The bulk actions cannot be performed if the Assignee is different. If Malware Protection is enabled, the default Assignee of an incident is Antimalware. This assignee's Status is Closed since the events are remediated. However, you can change the status of the incident. The following screenshots show the comparison of the Actions option when Assignee is the same and different:
           Bulk action for same name assignee and assignee with different name.

  • Change Status: The status of an event can be - Open, In Progress, Closed, or Re-open. By default, the status of an event is Open. To change the status of an incident, you can also change the status from the Quick Actions menu. Perform the following steps to Change Status of multiple events:

    Select the status from the drop-down. Fields marked in red asterisk red asterisk are mandatory.

  1.  Select the incidents, and from the Actions drop-down, click Change Status

    Change Status option in Incidents tab.

  2. Select the Reason as False Positive or Resolved if you select the status as Closed.
  3. Click Update Status.

    Change Status window

    The updated status is listed in the Incidents tab. The following screenshot is an example of the status change of incidents from Open to In Progress:

    Value changed from Open to InProgress in the Status Column.

  • Assign Incident: You can assign an incident to a user using this option. You can also change the status from the Quick Actions menu. By default, the Assignee column displays the assignee name Unassigned. Perform the following steps to assign multiple incidents to a user:
  1. Select the incidents, and from the Actions drop-down, click Assign Incident.
  2. Select the Assignee from the drop-down. Users with the incident.update permissions are listed in the Select Assignee drop-down.
  3. Click Save.

    The updated status is listed in the Incident tab. The following screenshot is an example of assigning incidents to a user:

    Change in assignee

Group By

The Group By drop-down menu allows you to list the incidents with Asset or Severity Score.

Group By drop-down in Incident tab

The following screenshot is an example that lists the Count of the detected incident by the specific Asset if you select Asset from the Group By drop-down:

Group By Asset


The Filters drop-down menu allows you to select the threat source as Anti-malware, Behavioral Detection, and Threat Intel. The following screenshot is an example that lists the incidents that has source as Anti-malware and Behavioral Detection. 

Incident Filters option


Click the Download icon Download Button to download the information on your local system. The data is downloaded in CSV format.

Fields like Score, Description, Status, Assignee, Detected On, OS, HostName, and AgentId, are some of the fields downloaded in the CSV file.

Download Formats Windows