Investigate Incidents

Investigate incidents for active threats by Malware name and malware family name. The Incidents tab lists all the incidents detected on an asset. The Incidents page provides information such as the Incident Number, Incident Description, Status, and Severity Score. The Incident aggregation panel displayed at the left of the page lists the Malware Family, Malware Category, Behavioural Detection, Incident Status, and Assignee. The Behavioural Detection lists the MITRE Technique names and Technique IDs. You can click on any of these categories to get the complete list of the assets impacted with that incident. The following screenshot highlights the Incident aggregation panel on the Incident page:

Incidents agggregation panel

Based on the Incident Number, the incident data cleanup action is performed. The default incident retention period is 60 days. After 60 days, the incidents will no longer be available. Incident data cleanup is performed for all the incidents with Open, In Progress, and Closed statuses for more than 60 days.

This section lists the following features that are performed on the Incidents tab:

Actions	Filters
Group By	Download

Actions

You can perform bulk actions like Change Status and Assign Incident from the Actions drop-down menu. The bulk actions cannot be performed if the Assignee is different. If Malware Protection is enabled, the default Assignee of an incident is Antimalware. This assignee's Status is Closed since the events are remediated. However, you can change the status of the incident. The following screenshots show the comparison of the Actions option when Assignee is the same and different:
Bulk action for same name assignee and assignee with different name.

Change Status: The status of an event can be - Open, In Progress, Closed, or Re-open. By default, the status of an event is Open. To change the status of an incident, you can also change the status from the Quick Actions menu. Perform the following steps to Change Status of multiple events:
Select the status from the drop-down. Fields marked in red asterisk are mandatory.

Select the incidents, and from the Actions drop-down, click Change Status.
Select the Reason as False Positive or Resolved if you select the status as Closed.
Click Update Status.

The updated status is listed in the Incidents tab. The following screenshot is an example of the status change of incidents from Open to In Progress:

Assign Incident: You can assign an incident to a user using this option. You can also change the status from the Quick Actions menu. By default, the Assignee column displays the assignee name Unassigned. Perform the following steps to assign multiple incidents to a user:

Select the incidents, and from the Actions drop-down, click Assign Incident.
Select the Assignee from the drop-down. Users with the incident.update permissions are listed in the Select Assignee drop-down.
Click Save.
The updated status is listed in the Incident tab. The following screenshot is an example of assigning incidents to a user:

Group By

The Group By drop-down menu allows you to list the incidents with Asset or Severity Score.

Group By drop-down in Incident tab

The following screenshot is an example that lists the Count of the detected incident by the specific Asset if you select Asset from the Group By drop-down:
Group By Asset

Filters

The Filters drop-down menu allows you to select the threat source as Anti-malware, Behavioral Detection, and Threat Intel. The following screenshot is an example that lists the incidents that has source as Anti-malware and Behavioral Detection.

Incident Filters option

Download

Click the Download icon to download the information on your local system. The data is downloaded in CSV format.

Fields like Score, Description, Status, Assignee, Detected On, OS, HostName, and AgentId, are some of the fields downloaded in the CSV file.

Download Formats Windows