Investigate Incidents

Investigate incidents for active threats by malware name and malware family name. The Incidents tab lists all the incidents detected on your assets and shows the Incident Number, Incident Description, Status, and Severity Score for each. The Incident aggregation panel at the left of the page groups the incidents by Malware Family, Malware Category, Behavioral Detection, Incident Status, and Assignee. Under Behavioral Detection the incidents are grouped by MITRE ATT&CK technique name and technique ID. Click any value in the panel to narrow the list to the incidents matching that value and the assets impacted by them. The following screenshot highlights the Incident aggregation panel on the Incidents page:

Incidents aggregation panel

Incident data cleanup is keyed on the Incident Number. The default incident retention period is 60 days; after that, the incident is no longer available in the Incidents tab. Cleanup applies to incidents of every status, Open, In Progress, and Closed alike, once they are older than 60 days, so an unresolved incident is not kept past the retention period just because it is still Open. Record the Incident Number in your ticketing system and use the Download icon on the Incidents tab to export the incident data before the retention period elapses if you need it for a later investigation.

This section describes the following features of the Incidents tab: Bulk Actions (Change Status and Assign Incident), Group By, Filters, and Download.

Bulk Actions

You can perform bulk actions, Change Status and Assign Incident, on several selected incidents at once from the Actions drop-down menu. Bulk actions can be performed only when all the selected incidents have the same Assignee; if the selection mixes Assignees, the bulk actions cannot be performed. If Malware Protection is enabled, the default Assignee of an incident is Antimalware, and the incident's Status is Closed because the anti-malware engine has already remediated the events. You can still change the status of such an incident. The following screenshots compare the Actions option when the selected incidents have the same Assignee and when they have different Assignees:

    Bulk action for incidents with the same assignee and with different assignees.

Change Status

  1. Select the incidents, and from the Actions drop-down, click Change Status.

    Change Status option in Incidents tab.

  2. Select the new Status. If you select Closed, also select the Reason: False Positive or Resolved.
  3. Click Update Status.

    Change Status window

    The updated status is listed in the Incidents tab. The following screenshot shows incidents whose status was changed from Open to In Progress:

    Status column value changed from Open to In Progress.

Assign Incident

  1. Select the incidents, and from the Actions drop-down, click Assign Incident.
  2. Select the Assignee from the Select Assignee drop-down. Only users who have the incident.update permission are listed; if the user you want is missing, check that their role grants this permission.
  3. Click Save.

    The updated Assignee is listed in the Incidents tab. The following screenshot is an example of assigning incidents to a user:

    Change in assignee

Group By

The Group By drop-down menu lets you group the incidents by Asset or by Severity Score.

         Group By drop-down in Incident tab

The following screenshot shows the count of incidents detected on each asset when you select Asset from the Group By drop-down:
Group By Asset


Filters

The Filters drop-down menu lets you filter the incidents by threat source: Anti-malware, Behavioral Detection, or Threat Intel. You can select more than one source. The following screenshot lists the incidents whose source is Anti-malware or Behavioral Detection.

Incident Filters option


Download

Click the Download icon to save the incident data to your local system. The data is downloaded in CSV format.

The CSV file includes fields such as Score, Description, Status, Assignee, Detected On, OS, HostName, and AgentId. Because incidents are purged after the retention period, the CSV export is the way to keep incident data for long-term records or offline analysis.

Download Formats Windows
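The following Python script is an added example, not part of the product or of this page. It shows how a responder can work with the CSV export offline: it parses the fields named above, reproduces the Group By counts, checks the same-Assignee rule that gates bulk actions, and flags unresolved incidents that are about to age out of the 60-day retention window. The sample rows are constructed, and the ISO date format of the Detected On column and the use of Detected On as the clock for retention are assumptions; the page does not specify either.

```python
"""Offline triage of an Incidents CSV export.

Added example, not the product's own tooling. Assumes the export carries the
columns the page lists (Score, Description, Status, Assignee, Detected On,
OS, HostName, AgentId). The date format of Detected On and the use of
Detected On as the clock for retention are assumptions.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

RETENTION_DAYS = 60       # default incident retention period stated on the page
DATE_FORMAT = "%Y-%m-%d"  # assumed format of the Detected On column

# Constructed sample export; the rows are not real incidents.
SAMPLE_CSV = """\
Score,Description,Status,Assignee,Detected On,OS,HostName,AgentId
8,Ransomware behavior (T1486),Open,alice,2024-03-01,Windows 10,WS-0142,a1
5,Suspicious PowerShell (T1059.001),In Progress,alice,2024-03-20,Windows 10,WS-0142,a1
9,Trojan.Generic quarantined,Closed,Antimalware,2024-04-10,Windows Server 2019,SRV-DB01,b2
3,Threat Intel hash match,Open,bob,2024-04-15,Ubuntu 22.04,LX-BUILD3,c3
7,Credential dumping (T1003),Open,alice,2024-02-20,Windows 10,WS-0142,a1
"""


def parse_date(text):
    """Parse a Detected On value using the assumed export date format."""
    return datetime.strptime(text, DATE_FORMAT)


def parse_incidents(csv_text):
    """Parse the export into dicts, typing Score as int and Detected On as datetime."""
    incidents = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["Score"] = int(row["Score"])
        row["Detected On"] = parse_date(row["Detected On"])
        incidents.append(row)
    return incidents


def group_by(incidents, field):
    """Count incidents per value of `field` (e.g. HostName), like the UI's Group By."""
    return Counter(inc[field] for inc in incidents)


def can_bulk_action(selected):
    """Bulk Change Status / Assign Incident require one Assignee across the selection."""
    return len({inc["Assignee"] for inc in selected}) == 1


def retention_deadline(inc):
    """Date on which the incident is purged (assumed: Detected On + retention)."""
    return inc["Detected On"] + timedelta(days=RETENTION_DAYS)


def nearing_retention(incidents, now, warn_days=7):
    """Unresolved incidents (Open / In Progress) purged within warn_days of `now`.

    Closed incidents are purged too, but the unresolved ones are those whose
    evidence a responder may still need, so export or escalate them first.
    Incidents already past their deadline are included as well.
    """
    window = timedelta(days=warn_days)
    return [
        inc for inc in incidents
        if inc["Status"] in ("Open", "In Progress")
        and retention_deadline(inc) - now <= window
    ]


def summarize(csv_text, now):
    """Build the triage summary a responder would want from one export."""
    incidents = parse_incidents(csv_text)
    return {
        "by_host": group_by(incidents, "HostName"),
        "by_status": group_by(incidents, "Status"),
        "expiring": [
            (inc["HostName"], inc["Description"],
             retention_deadline(inc).date().isoformat())
            for inc in nearing_retention(incidents, now)
        ],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_CSV, parse_date("2024-04-20"))
    print("Incidents per host:", dict(report["by_host"]))
    print("Incidents per status:", dict(report["by_status"]))
    for host, desc, deadline in report["expiring"]:
        print(f"EXPORT NOW: {host}: {desc} (purged on {deadline})")
```

Run it against a real export by replacing SAMPLE_CSV with the file contents and adjusting DATE_FORMAT to match the Detected On values in your download; group_by works with any column in the file, so passing "Score" reproduces the Severity Score grouping and "Assignee" shows which incidents the Antimalware assignee closed automatically.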


