Investigate incidents for active threats by malware name and malware family name. The Incidents tab lists all the incidents detected on an asset. The Incidents page provides information such as the Incident Number, Incident Description, Status, and Severity Score. The Incident aggregation panel at the left of the page lists the Malware Family, Malware Category, Behavioral Detection, Incident Status, and Assignee. Behavioral Detection lists the MITRE technique names and technique IDs. Click any of these categories to get the complete list of the assets impacted by that incident. The following screenshot highlights the Incident aggregation panel on the Incidents page:
Incident data cleanup is performed per Incident Number. The default incident retention period is 60 days; after 60 days, an incident is no longer available. Cleanup applies to incidents in Open, In Progress, and Closed status alike once they are older than 60 days.
This section describes the following actions available on the Incidents tab:
You can perform bulk actions such as Change Status and Assign Incident from the Actions drop-down menu. Bulk actions are not available when the selected incidents have different assignees. If Malware Protection is enabled, the default assignee of an incident is Antimalware; such incidents have the status Closed because the events have already been remediated. You can still change the status of the incident. The following screenshots compare the Actions menu when the selected incidents have the same assignee and when they have different assignees:
Select the status from the drop-down. Fields marked with a red asterisk are mandatory.
The updated status is listed in the Incidents tab. The following screenshot is an example of the status change of incidents from Open to In Progress:
The update is reflected in the Incidents tab. The following screenshot is an example of assigning incidents to a user:
The Group By drop-down menu allows you to list the incidents grouped by Asset or by Severity Score.
The following screenshot is an example that lists the count of detected incidents per asset when you select Asset from the Group By drop-down:
The Filters drop-down menu allows you to select the threat source: Anti-malware, Behavioral Detection, or Threat Intel. The following screenshot is an example that lists the incidents whose source is Anti-malware or Behavioral Detection:
Click the Download icon to download the incident information to your local system. The data is downloaded in CSV format.
Score, Description, Status, Assignee, Detected On, OS, HostName, and AgentId are among the fields included in the CSV file.
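As an added example (not the product's own code), the following script processes the downloaded CSV to cover two points from this page: it flags incidents approaching the 60-day retention cleanup so they can be archived before they disappear, checks whether a selection is eligible for bulk actions (same Assignee), and reproduces the Group By Asset count. The CSV rows and the Detected On timestamp format (ISO 8601, UTC) are constructed assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

RETENTION_DAYS = 60  # default incident retention period stated on the page

# Constructed sample of an Incidents CSV export using the field names listed
# above. The "Detected On" format (ISO 8601, UTC) is an assumption.
SAMPLE_CSV = """Score,Description,Status,Assignee,Detected On,OS,HostName,AgentId
9,Ransomware behaviour detected,Open,analyst1,2024-01-05T10:00:00Z,Windows,ws-01,agent-0001
7,Malicious file quarantined,Closed,Antimalware,2024-01-10T08:30:00Z,Windows,ws-02,agent-0002
5,Suspicious PowerShell,In Progress,analyst1,2024-02-20T12:00:00Z,Windows,ws-01,agent-0001
3,Threat Intel match,Open,analyst2,2024-02-25T09:15:00Z,Linux,srv-01,agent-0003
"""


def parse_timestamp(value):
    """Parse the assumed 'Detected On' format into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_incidents(text):
    """Parse an exported Incidents CSV into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Score"] = int(row["Score"])
        row["Detected On"] = parse_timestamp(row["Detected On"])
        rows.append(row)
    return rows


def expiring_incidents(incidents, now, warn_days=7):
    """Return (HostName, AgentId, days_left) for incidents that cleanup will
    remove within warn_days. Status is ignored on purpose: cleanup applies to
    Open, In Progress and Closed incidents alike once they pass 60 days."""
    result = []
    for inc in incidents:
        days_left = RETENTION_DAYS - (now - inc["Detected On"]).days
        if days_left <= warn_days:
            result.append((inc["HostName"], inc["AgentId"], days_left))
    return result


def bulk_action_allowed(incidents):
    """Bulk Change Status / Assign Incident is only offered when every selected
    incident has the same Assignee."""
    return len({inc["Assignee"] for inc in incidents}) == 1


def count_by_asset(incidents):
    """Reproduce the Group By > Asset view: incident count per HostName."""
    return Counter(inc["HostName"] for inc in incidents)
```

Run the functions against a real export by replacing SAMPLE_CSV with the file contents and passing the current UTC time as now.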