Investigating Incidents
You can examine an incident in depth through either of the following methods.
- From the Incidents page, select an incident and choose Investigate from the Action drop-down list, or
- On the Analytics > Investigation page, enter the Incident ID number of the incident you wish to examine, or select it from the top 10 incidents that appear initially on a new tab, and click Load.
When an incident number has been provided, the Analytics Investigation page will show an undirected graph of the incident and involved entities (host/ip, user, process, file) as nodes. The latest top 10 incidents appear initially on a new tab on the Analytics > Investigation page.
Time From and To fields are available to set the time span you wish to investigate for the selected incident. A Layout drop-down option is also available; you can choose the Force or Bipartite layout.
A left vertical bar offers the following functions.
Icon | Description
---|---
Investigation History | Click to view investigation actions that have taken place for the incident.
Timeline | Click to view information on when the incident occurred. Incidents are ordered by when they occurred in the timeline. Hover your mouse cursor over an incident in the Timeline panel to see the incident and its affected entities in the undirected graph. A Play icon can be clicked to illustrate when the incident occurred for the selected time span. The information icon can be clicked to get more detailed information. Check the Auto checkbox to play the next node automatically without having to click it. Check the Recenter checkbox to position the current incident in the timeline sequence at the center.
Root Incident Comments | Click to view any comments made related to the incident.
Examining an Incident and Related Entities
After an incident has been loaded into Analytics, you can take the following actions. A node will either be an incident or an entity (host/ip, user, process, file). An incident can be recognized by a colored border that also indicates the severity of the incident.
- Hover over a node to bring up a quick overview on the incident/entity object.
- Click on an incident node to access a left pane that provides detailed information on the incident and various actions that you can take.

Button | Description
---|---
Details | Click to view detailed information on the incident.
Events | Click to view the triggering events that led to the incident. Click > to go to the next triggering event, if applicable.
Context | Click to get information about all the IPs and hosts in the incident. Device type and presence in malware lists and watch lists are also provided.
Comments | Click to view and add/edit comments related to the incident.
... | Click to view additional actions available to take on the incident. See Acting on Incidents for more information.

In addition to the actions listed in Acting on Incidents, the user also has access to Action History. Clicking on Action History displays all the actions that the user has taken on the incident in the current session, including the date/time each action was taken. The user can expand and get more details on a particular action by clicking on the caret icon.
- Click on a node that is an entity to access a left pane that shows entity information. See Pane Information on the Risk Page for more information.
- Additionally, when a node is selected from the undirected graph, related objects can be added to the undirected graph. See the following table for further information on the actions you can take.
Note: Actions that are available are determined by the object you selected.
Action | Description
---|---
Related Entities | Click to view additional identified related entities for the incident you selected. Select an entity, and a checkmark appears next to it. Click Add to add all selected entities, or click Add All to display all related entities.
Related Incidents | Click to view additional identified related incidents for the entity you selected. Select an incident, and a checkmark appears next to it. Click Add to add all selected incidents, or click Add All to display all related incidents.
Related Incidents and Entities | Click to view additional identified related incidents and entities for the entity you selected. Select an incident or entity, and a checkmark appears next to it. Click Add to add all selected incidents and entities, or click Add All to display all related incidents and entities.
Remove Node | Click to remove the selected node.
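The undirected incident/entity graph that the Investigation page draws, together with the Related Entities, Related Incidents, Related Incidents and Entities, and Remove Node actions, modelled in Python as an added example (this is not code from the product or from this guide). The incident records, IDs and entity names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample incidents (not product data). Each incident has a severity,
# shown on the page as the coloured border of the incident node, and the entities
# (host/ip, user, process, file) drawn as nodes around it.
INCIDENTS = {
    "INC-1001": {"severity": "high",
                 "entities": [("host/ip", "10.0.0.5"), ("user", "alice"),
                              ("process", "powershell.exe")]},
    "INC-1002": {"severity": "medium",
                 "entities": [("host/ip", "10.0.0.5"), ("file", "payload.dll")]},
    "INC-1003": {"severity": "low",
                 "entities": [("user", "bob"), ("host/ip", "10.0.0.9")]},
}


def build_graph(incidents):
    """Undirected bipartite graph: incident IDs on one side, entity tuples on the other."""
    adj = defaultdict(set)
    for inc_id, inc in incidents.items():
        for entity in inc["entities"]:
            adj[inc_id].add(entity)   # incident -> entity
            adj[entity].add(inc_id)   # entity -> incident (undirected)
    return adj


def related_entities(adj, inc_id):
    """'Related Entities' action: every entity one hop from the selected incident."""
    return sorted(adj[inc_id])


def related_incidents(adj, entity):
    """'Related Incidents' action: every incident one hop from the selected entity."""
    return sorted(adj[entity])


def related_incidents_and_entities(adj, entity):
    """'Related Incidents and Entities': incidents sharing the entity, plus the
    other entities those incidents touch (two hops, pivoting through the entity)."""
    incs = related_incidents(adj, entity)
    ents = sorted({e for i in incs for e in adj[i] if e != entity})
    return incs, ents


def remove_node(adj, node):
    """'Remove Node' action: drop the node and every edge attached to it."""
    for neighbour in adj.pop(node, set()):
        adj[neighbour].discard(node)
    return adj
```

Pivoting from a shared entity such as the host 10.0.0.5 is what links INC-1001 to INC-1002 in the sample data; the same two-hop expansion is what the Related Incidents and Entities action performs in the graph.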
Working with the Undirected Graph
- Adding an Undirected Graph
- Clearing an Undirected Graph
- Fitting the Undirected Graph in Panel
- Repositioning a Node
- Repositioning the Undirected Graph
- Zooming In/Out of the Undirected Graph
Adding an Undirected Graph
Click on +, enter the Incident ID that you wish to view an undirected graph of, and click Load.
Clearing an Undirected Graph
To clear an undirected graph, click the trash icon in the lower right corner.
Fitting the Undirected Graph in Panel
To fit the undirected graph in the existing panel, click the "fit in frame" icon.
Note: While in Bipartite layout, this function is unavailable.
Repositioning a Node
To reposition a node, click and hold the left mouse button over a node. Next, move the mouse to reposition the node, and release the mouse button when done.
Repositioning the Undirected Graph
To reposition the undirected graph, click and hold the left mouse button over a location that isn't a node. Next, move the mouse to reposition the undirected graph, and release the mouse button when done.
To recenter the undirected graph around a selected node, select a node, then click the Center icon, located in the lower right corner.
Zooming In/Out of the Undirected Graph
To zoom in or out of a graph, click the + or - icons.
Note: While in Bipartite layout, this function is unavailable.