Investigating Incidents

You can examine an incident in depth through either of the following methods.

  1. From the Incidents page, select an incident and choose Investigate from the Action drop-down list.

    or

  2. On the Analytics > Investigation page, enter the Incident ID number of the incident you wish to examine, or select it from the top 10 incidents that appear initially on a new tab, and click Load.

When an incident number has been provided, the Analytics Investigation page will show an undirected graph of the incident and involved entities (host/ip, user, process, file) as nodes. The latest top 10 incidents appear initially on a new tab on the Analytics > Investigation page.

Time From and To fields are available to set the time span you wish to investigate for the selected incident. A Layout drop-down option is also available, from which you can choose the Force or Bipartite layout.

A left vertical bar offers the following functions.

Icon - Description

Investigation History - Click to view the investigation actions that have taken place for the incident.

Timeline - Click to view information on when the incident occurred. Incidents are ordered in the timeline by when they occurred. Hover your mouse cursor over an incident in the Timeline panel to see the incident and its affected entities in the undirected graph. Click the Play icon to illustrate when the incident occurred within the selected time span. Click the information icon to get more detailed information. Check the Auto checkbox to play the next node automatically without having to click it. Check the Recenter checkbox to position the current incident in the timeline sequence at the center.

Root Incident Comments - Click to view any comments made related to the incident.

Examining an Incident and Related Entities

After an incident has been loaded into Analytics, you can take the following actions. A node will either be an incident or an entity (host/ip, user, process, file). An incident can be recognized by a colored border that also indicates the severity of the incident.

  • Hover over a node to bring up a quick overview of the incident/entity object.
  • Click on an incident node to access a left pane that provides detailed information on the incident and various actions that you can take.

    Button - Description

    Details - Click to view detailed information on the incident.

    Events - Click to view the triggering events that led to the incident. Click > to go to the next triggering event, if applicable.

    Context - Click to get information about all the IPs and hosts in the incident. Device type and presence in Malware lists and watch lists are also provided.

    Comments - Click to view and add/edit comments related to the incident.

    ... - Click to view additional actions available to take on the incident. See Acting on Incidents for more information.

    In addition to the actions listed in Acting on Incidents, the user also has access to Action History. Clicking on Action History displays all the actions that the user has taken on the incident in the current session, including the date/time each action was taken. The user can expand a particular action to get more details by clicking on the caret icon.


  • Click on a node that is an entity to access a left pane that shows entity information. See Pane Information on the Risk Page for more information.

    Button - Description

    Details - Click to view detailed information on the entity.

    Check Reputation - Click Check Reputation to view the available Check Reputation options, then click Check Reputation to run a threat integration lookup (VirusTotal, RiskIQ, and/or FortiGuard) for the entity. First, select the IP address from the Select Target drop-down list, select the threat integrations from the Check from drop-down list, then click Check. Then click View Result.

    Run Report - If the entity is a host or IP node, Run Report is available. Click the Select report... drop-down to see a list of available report categories in the left column of the left pane. Select a report category to view the reports available in that category in the right column of the left pane. Some report categories have sub-categories, viewable by clicking the caret icon. Click on a caret icon to view a report sub-category's reports. For example, under Threat Hunting, you can select Discovery to see all Discovery reports that exist under Threat Hunting instead of scrolling through all the reports under Threat Hunting.

    Select a report. You can select multiple reports by taking these actions:

    • To select a range of items, hold down the Shift key, select a report, then select the last report you wish to include in the range.

    • To select specific reports, hold down the Ctrl key and click each report that you wish to include.

    After selecting your report(s), hover your cursor over a selected report to view a caret icon. Click it, and the following options appear:

    • Report Summary - Click to view general information on the selected report(s). For multiple reports, you can click Previous/Next to view each selected report summary. Click Close when done reviewing the Report Summary.

      Note: With only one report selected, the option to run the report is available from the Report Summary window by clicking Run.

    • Add Report - Click to add the selected report(s) to the set to be run.

    When report(s) have been added, you can click Edit additional filters to include any additional filters.

    When you are ready to run your report(s), click the Run/Run # Reports button.

    From the Result Summary, if there are successful results, click Show Result to view the actual results. To view results from the Analytics Search page, click Run In Search.

    Context - Click to get IP and host information.


  • Additionally, when a node is selected from the undirected graph, related objects can be added to the undirected graph. See the following table for further information on the actions you can take.

    Note: The actions that are available are determined by the object you selected.

    Action - Description

    Related Entities - Click to view additional identified related entities for the incident you selected. Select an entity, and a checkmark appears next to it. Click Add to add all selected entities, or click Add All to display all related entities.

    Related Incidents - Click to view additional identified related incidents for the entity you selected. Select an incident, and a checkmark appears next to it. Click Add to add all selected incidents, or click Add All to display all related incidents.

    Related Incidents and Entities - Click to view additional identified related incidents and entities for the entity you selected. Select an incident or entity, and a checkmark appears next to it. Click Add to add all selected incidents and entities, or click Add All to display all related incidents and entities.

    Remove Node - Click to remove the selected node.
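The data model behind the graph actions above, as an added Python example that is not FortiSIEM's own code: incidents and entities (host/ip, user, process, file) are nodes of one undirected graph; Load draws an incident with its direct entities; Related Entities, Related Incidents and Related Incidents and Entities are neighbourhood queries on that graph; Add/Add All and Remove Node change what is drawn; the Timeline is the drawn incidents filtered by the Time From/To span and ordered by occurrence; and the Bipartite layout is simply the drawn nodes split into an incident column and an entity column. The incident catalog is constructed sample data, and all class and method names are my own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Node:
    kind: str  # "incident" or "entity"
    key: str   # incident ID, or "<type>:<name>" for host/ip, user, process, file


@dataclass(frozen=True)
class Incident:
    incident_id: str
    severity: str        # shown in the UI as the colour of the node's border
    occurred: datetime
    entities: tuple      # entity keys involved in this incident


# Constructed sample incidents (not real FortiSIEM data).
CATALOG = [
    Incident("1001", "HIGH", datetime(2024, 3, 1, 9, 15),
             ("host:web01", "user:alice", "process:powershell.exe")),
    Incident("1002", "MEDIUM", datetime(2024, 3, 1, 10, 40),
             ("host:web01", "ip:203.0.113.7")),
    Incident("1003", "LOW", datetime(2024, 3, 2, 8, 5),
             ("user:alice", "file:invoice.docm")),
    Incident("1004", "HIGH", datetime(2024, 3, 3, 14, 0),
             ("host:db02", "user:bob")),
]


class InvestigationGraph:
    """Undirected incident/entity graph plus the subset currently drawn ('view')."""

    def __init__(self, catalog):
        self.adj = {}     # Node -> set of neighbouring Nodes; edges are undirected
        self.info = {}    # incident Node -> Incident record
        self.view = set() # nodes currently drawn in the graph panel
        for inc in catalog:
            n = Node("incident", inc.incident_id)
            self.info[n] = inc
            for key in inc.entities:
                self._link(n, Node("entity", key))

    def _link(self, a, b):
        self.adj.setdefault(a, set()).add(b)
        self.adj.setdefault(b, set()).add(a)

    def load(self, incident_id):
        """Load: draw the incident together with the entities it involves."""
        n = Node("incident", incident_id)
        if n not in self.info:
            raise KeyError(f"unknown incident {incident_id}")
        self.view |= {n} | self.adj[n]
        return n

    def related_entities(self, incident):
        """Related Entities: entity nodes adjacent to the selected incident."""
        return sorted(m.key for m in self.adj.get(incident, ()) if m.kind == "entity")

    def related_incidents(self, entity):
        """Related Incidents: incident nodes adjacent to the selected entity."""
        return sorted(m.key for m in self.adj.get(entity, ()) if m.kind == "incident")

    def related_incidents_and_entities(self, entity):
        """Related Incidents and Entities: incidents sharing this entity, plus the
        other entities those incidents involve (two hops out, excluding the start)."""
        incidents = {m for m in self.adj.get(entity, ()) if m.kind == "incident"}
        entities = set()
        for inc in incidents:
            entities |= {m for m in self.adj[inc] if m.kind == "entity" and m != entity}
        return sorted(m.key for m in incidents), sorted(m.key for m in entities)

    def add_related(self, node, keys=None):
        """Add the selected neighbours (keys) to the drawing, or all of them (Add All)."""
        picked = [m for m in self.adj.get(node, ()) if keys is None or m.key in keys]
        self.view |= set(picked)
        return len(picked)

    def remove_node(self, node):
        """Remove Node: the node leaves the drawing; the underlying graph is untouched."""
        self.view.discard(node)

    def timeline(self, t_from, t_to):
        """Timeline: drawn incidents inside the Time From/To span (ISO 8601 strings), oldest first."""
        lo, hi = datetime.fromisoformat(t_from), datetime.fromisoformat(t_to)
        hits = [self.info[n] for n in self.view
                if n.kind == "incident" and lo <= self.info[n].occurred <= hi]
        return [(i.incident_id, i.severity) for i in sorted(hits, key=lambda i: i.occurred)]

    def bipartite_layout(self):
        """Bipartite layout: one column of incidents, one column of entities."""
        incidents = sorted(n.key for n in self.view if n.kind == "incident")
        entities = sorted(n.key for n in self.view if n.kind == "entity")
        return incidents, entities


if __name__ == "__main__":
    g = InvestigationGraph(CATALOG)
    g.load("1001")
    g.add_related(Node("entity", "host:web01"))   # Add All on the host node
    print(g.timeline("2024-03-01T00:00", "2024-03-02T00:00"))
    print(g.bipartite_layout())
```

Note that pivoting on a shared entity (here host:web01) is what pulls a second incident into the drawing, which is the same widening step an analyst performs with Related Incidents in the UI; Remove Node only prunes the drawing, so a pruned node can always be re-added through its neighbours.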

Working with the Undirected Graph

Adding an Undirected Graph

Click on +, enter the Incident ID that you wish to view an undirected graph of, and click Load.

Clearing an Undirected Graph

To clear an undirected graph, click the trash icon in the lower right corner.

Fitting the Undirected Graph in Panel

To fit the undirected graph in the existing panel, click the "fit in frame" icon.

Note: While in Bipartite layout, this function is unavailable.

Repositioning a Node

To reposition a node, click and hold the left mouse button over a node. Next, move the mouse to reposition the node, and release the mouse button when done.

Repositioning the Undirected Graph

To reposition the undirected graph, click and hold the left mouse button over a location that isn't a node. Next, move the mouse to reposition the undirected graph, and release the mouse button when done.

To recenter the undirected graph around a selected node, select a node, then click the Center icon, located in the lower right corner.

Zooming In/Out of the Undirected Graph

To zoom in or out of a graph, click the + or - icons.

Note: While in Bipartite layout, this function is unavailable.