Manage Incidents - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-18
Category
Administrator Guide
Abstract

Lean how to investigate and manage your incidents.

The Incident view allows you to track incidents, investigate incident details and take remedial action. Navigate to Incident ResponseIncidents and locate the incident you want to investigate.

Note

If you do not have permissions to access an asset of an incident (which is shown as grayed out and locked), check your scoping permissions in Manage Users or Manage User Groups.

Review Incident List Details

To provide a summary of each incident, Cortex XDR displays the following incident details for each incident:

  1. View the incident severity, score, and assignee. Select whether to Star the incident.

  2. View the status of the incident and when it was last updated.

  3. Review the incident ID and incident summary.

  4. Investigate the incident assets and alert sources:

    • Review the host name associated with the incident. If there is more than one host, select the [+x] to display the additional host names.

    • Review the user name associated with the incident. If there is more than one user, select the [+x] to display the additional user names.

    • Hover over the alert source icons to display the alert source type. Select the alert source icon to display the three most common alerts that were triggered and how many alerts of each are associated with the incident.

Update Incident Details

The incident header allows you to quickly review and update your incident details. You can update various data such as the severity, incident name, score, and merge incidents.

  1. Change the incident severity.

    The default severity is based on the highest alert in the incident. To manually change the severity select the severity tag and choose the new severity.

  2. Add or edit the incident name.

    Hover over Add incident name and select the pencil icon to add or edit the incident name.

  3. Edit the incident description.

    Hover over the incident description and select the pencil icon to edit the incident description.

  4. Update the incident score.

    Select the Incident Score to investigate how the Rule based score was calculated.

    In the Manage incident Score dialog, review the Rule ID, Rule Name, Description, Alert IDs, and the Total Added Score associated with an incident. The table displays all rules that contributed to the incident total score, including rules that have been deleted. Deleted scores appear with a N/A.

    Override the Rule based score by selecting Set score manually and Apply the change.

  5. Assign an incident.

    Select the assignee (or Unassigned) and begin typing the assignee’s email address for automated suggestions. Users must have logged in to the app to appear in the auto-generated list.

  6. Assign an incident status.

    Select the incident Status to update the status to either New, Under Investigation, or Resolved to indicate which incidents have been reviewed and to filter by status in the incidents table.

    When setting an incident to Resolved, select the reason the resolution was resolved, add an optional comment, and select whether to Mark all alerts as resolved. For more information, see Resolution Reasons for Incidents and Alerts.

  7. Merge incidents.

    To merge incidents you think belong together, select the ellipsis icon, Merge Incidents and enter the target incident ID you want to merge the incident with.

    Incident scoring is managed as follows:

    • Rule Based Score recalculates the incident score to include the merged incident scores.

    • Manual Score allows you to enter a score and override the rule-based score.

    Incident assignees are managed as follows:

    • If both incidents have been assigned, the merged incident takes the target incident assignee.

    • If both incidents are unassigned, the merged incident remains unassigned.

    • If the target incident is assigned and the source incident is unassigned, the merged incident takes the target assignee.

    • If the target incident is unassigned and the source incident is assigned, the merged incident takes the existing assignee.

    • In the merged incident, all source context data is lost even if the target incident does or doesn't contain context data. If the target incident contains context data, that context data is preserved in the merged incident.

  8. Create an exclusion.

    Select the ellipsis icon, Create Exclusion and enter the Policy Name. Select the alerts to include in the policy by filtering the Alert table and Create the exclusion.

  9. Review Cortex XDR remediation suggestions.

    Select the ellipsis icon to open the Remediation Suggestions dialog.

  10. Review the incident assets.

    Review the number of alerts, alert sources, hosts, users, and wildfire hits associated with the incident. Select Hosts, Users, and Wildfire Hits to display the asset details.

  11. Track and share your investigation progress.

    Add notes or comments to track your investigative steps and any remedial actions taken.

    • Select the Incident Notepad (incident-note-icon.png) to add and edit the incident notes. You can use notes to add code snippets to the incident or add a general description of the threat.

    • Use the Incident Messenger (incident-comment-icon.png) to coordinate the investigation between analysts and track the progress of the investigation. Select the comments to view or manage comments.

      If needed, Search to find specific words or phrases in Notepad and Messenger.

Investigate Incident Overview

The incident Overview tab displays the MITRE tactics and techniques, summarized timeline, and interactive widgets that visualize the number of alerts, types of sources, hosts, and users associated with the incident.

  1. Review the incident MITRE tactics and techniques widget.

    Cortex XDR displays the number of alerts associated with each tactic and technique. Select the centered arrow at the bottom of the widget to expand the widget and display the sub-techniques. Hover over a number of alerts to display a link to the MITRE ATT&CK official site.

    Note

    In some cases, the number of alerts associated with the techniques will not be aligned with the number of the parent tactic because of missing tags or in case an alert belongs to several techniques.

  2. Review the summarized timeline.

    The summarized Timeline displays the timestamp of the following four types of actions that occurred in the incident:

    • When the incident was created.

    • When the incident was assigned.

      If the incident assignee was changed, the action is marked in blue. Select the action to display the history.

    • When the last alert was added to the incident.

    • When the incident was resolved.

  3. Investigate information about the Alerts,Automation, Alert Sources, and Assets associated with the incident.

    • In the Alerts widget:

      • Select See All to pivot to the Alerts & Insights table.

      • Review the Total number of alerts and the colored line indicating the alert severity. Select the severity tag to pivot to the Alerts & Insights table filtered according to the selected severity.

    • In the Automation widget:

      • Select the alert action type and then select the specific triggering alert to pivot to the Automation Audit Log table to view the records of all the automation rule executions.

        Note

        Each type is color coded according to the action type:

        • Endpoint Response—Red

        • Alert and Incident Management—Orange

        • Communication—Black

    • In the Alert Sources widget:

      • Select See All to pivot to the Alerts & Insights table.

      • Select each of the alert source types to pivot to the Alerts & Insights table filtered according to the selected alert source.

    • In the Assets widget:

      • Select See All to pivot to the Key Assets and Artifacts tab.

      • Select the host names to display the Details panel. The panel is only available for hosts with Cortex XDR agent installed and displays the host name, whether it’s connected, along with the Endpoint Details, Agent Details, Network, and Policy information. Use the available actions listed in the top right-hand corner to take remedial actions.

      • Review Users that are marked as Featured.

      • If available, review the User Score allocated to each user.

Investigate Incident Key Assets and Artifacts

The Key Assets & Artifacts tab displays all the incident asset and artifact information of hosts, users, and key artifacts associated with the incident.

  1. Navigate to the Key Assets & Artifacts tab.

  2. Investigate artifacts.

    In the Artifacts section, search for and review the artifacts associated with the incident. Each artifact displays, if available, the following artifact information and available actions according to the type of artifact; File, IP Address, and Domain.

    File Artifact

    • File Details

      • File name

      • SHA256 value

      • Number of alerts in the incident that include the file.

      • Signature status and signer.

      • WildFire Report. Select to view the Wildfire Analysis Report.

      • AutoFocus (AF) tags. Select the tag to display the Source, Tag Class, and Description.

      • VirusTotal (VT) Score. You can select the score to pivot to the VirusTotal report.

      • Number of alerts in the incident that include the file according to severity.

    • Ellipses incident-ellipsis.pngFile Actions

      • Open in Quick Launcher.

      • Go to VirusTotal.

      • Go to AutoFocus.

      • Search File on all Endpoints.

      • Open Hash View.

      • View Related Alerts.

      • Add to Block List.

      • Add to Allow List.

    IP Address Artifact

    • IP Address Details

      • IP Address value and name.

      • Number of alerts in the incident that include the IP address.

      • Whether the IP address is External or Internal.

      • Whois information. Hover to display the Net Range, Registered Date, Registered name, Organization, Updated Date details.

      • VirusTotal (VT) Score. You can select the score to pivot to the VirusTotal report.

      • Number of alerts in the incident that include the IP address according to severity.

    • Ellipsisincident-ellipsis.png IP Address Actions

      • Open in Quick Launcher.

      • Go to VirusTotal.

      • Open IP View.

      • View Related Alerts.

      • Add to EDL.

    Domain Artifact

    • Domain Details

      • Domain name and IP Address.

      • Number of alerts that include the domain.

      • VirusTotal (VT) Score. You can select the score to pivot to the VirusTotal report.

      • Number of alerts that include the domain according to severity.

    • Ellipsisincident-ellipsis.png Domain Actions

      • Go to VirusTotal.

      • Open IP View.

      • View Related Alerts.

      • Add to EDL.

  3. Investigate hosts.

    In the Hosts section, search for and review the hosts associated with the incident. Each host displays, if available, the following host information and available actions:

    • Host Details

      • Icons representing whether an agent is installed on the host and the operating system platform. A green icon indicates the host is connected.

      • Host Name

      • IP address associated with the host.

      • Number of alerts that include the host according to severity.

    • Ellipsisincident-ellipsis.png Host Actions

      You can choose to perform an action on multiple hosts by marking the entries you want to include or Select All.

      • Security Operations > Isolate Endpoint, Initiate Malware Scan, Retrieve Endpoint Files, Initiate Live Terminal.

      • Open in Quick Launcher.

      • Open Asset View.

      • View Related Alerts.

    To further investigate the host:

    Select the host name to display the Details panel. The panel is only available for hosts with the agent installed and displays the host name, whether it’s connected, along with the Endpoint Details, Agent Details, Network, and Policy information details. In addition, you can perform the available actions listed in the top right-hand corner.

  4. Investigate users.

    In the Users section, search for and review the users associated with the incident. Each user displays, if available, the following user information and available actions:

    • User Details

      • User Name

      • Whether the user is Featured.

      • The User Score if available.

      • Active Directory and Organization Unit names. Hover to display if the name is an Active Directory or OU.

      • Workday icon. Hover to display the Workday information.

      • Number of alerts that include the user according to severity.

    • Ellipsisincident-ellipsis.png User Actions

      • View Related Alerts.

      • Open User View.

Investigate Incident Alerts and Insights
Abstract

You can review the details of alerts and insights related to the incident.

The Alerts & Insights tab displays a table of the alerts and insights associated with the incident.

  1. Navigate to the Alerts & Insights tab.

  2. Filter the Alerts and Insights tables as you would in the dedicated Cortex XDR pages.

  3. Select an alert or insight to display the corresponding Details panel. The panel displays the following alert details, if available.

    • Alert

      • Alert name, severity, alert source, and rule name.

      • General

      • MITRE ATT&CK

      • Host

      • Rule

      • Network Connections

    • Insight

      • Insight name, type, source, and description.

      • General

      • MITRE ATT&CK

      • Host

      • Rule

      • Process Execution

    Use the available actions listed in the top right-hand corner to take remedial actions.

Run a Playbook on an Alert

You can run or rerun a playbook on one or more alerts. If there is currently a playbook running on one or more of the selected alerts, the Run Playbook option does not appear. If a playbook is running on the alert, but has been paused (for example, waiting for a user action), you can select to rerun the playbook or select a new playbook.

  1. Right-click one or more alerts in the Alerts Table or the Alerts & Insights table within an incident and select Run Playbook.

  2. If the alerts have a playbook already assigned, choose Rerun current Playbook or Choose another Playbook. If the playbooks do not have a playbook assigned, Choose a Playbook.

  3. If you are not rerunning the current assigned playbook, select a playbook to run for the selected alert(s).

  4. Run the playbook.

Investigate Incident Timeline

The incident Timeline tab is a chronological representation of alerts and actions relating to the incident.

To begin investigating:

  1. Navigate to the Timeline tab and filter the actions according to the following action types:

    • All actions

    • Alerts

    • Response Actions

    • Incident Management Actions

    • Automatic Incident Updates

    • Automation

  2. Investigate timeline entry.

    Each timeline entry is a representation of a type of action that was triggered in the alert. Alerts that include the same artifacts are grouped into one timeline entry and display the common artifact in an interactive link. Depending on the type of action, you can select the entry, host names, and artifacts to further investigate the action:

    • Locate the action you want to investigate:

      • Response and Management Actions (incident-action-mange-response.png)—Add and view comments relating to this action.

      • Alert and Automatic Updates (incident-action-alert.png)—Display the Details panel. In the panel, navigate to the Alerts tab to view the Alerts table filtered according to the Alert ID, the Key Assets to view a list of Hosts and Users associated to the alert, and an option to add Comments.

    • Select the Host name to display, if available, the endpoint data.

    • Select the Artifact to display the following type of information:

      • Hash Artifact—Displays the Verdict, File name, and Signature status of the hash value. Select the hash value to view the Wildfire Analysis Report, Add to Block list, Add to Allow list and Search file.

      • Domain Artifact—Displays the IP address and VT score of the domain. Select the domain name to Add to EDL.

      • IP Address—Display whether the IP address is Internal or External, the Whois findings, and the VT score. Expand Whois to view the findings and Add to EDL.

    • In action entries that involved more artifacts, expand Additional artifacts found to further investigate.

Investigate Incident Executions

The Executions tab displays all the alert causality chains associated with the incident. The causality chains are aggregated according to the following types of groupings:

  • Host Name

    • Host with an agent installed

    • Host without an agent installed

    • Multiple Hosts

    • Undetected Host

  • User Name

    • Username

    • Multiple Users

    • Undetected Users

Note

  • Cloud related alerts are displayed in the User Name grouping.

  • Prisma Cloud Compute alerts are displayed in the Host Name grouping.

  1. Navigate to the Executions tab.

  2. Investigate the host causality chains.

    In the Executions section, search for and review the hosts associated with the incident. Each host displays, if available, the following host information and available actions:

    • Execution Details

      • Icons representing whether an Agent is installed on the host and the operating system platform. A green icon indicates the host is connected.

      • Host Name

      • IP address associated with the host.

      • Alert Sources associated with this host.

      • Number of alerts that include the host according to severity.

    • Ellipsis incident-ellipsis.png Execution Actions

      Select the ellipsis to perform the following action on the host:

      • Security Operations > Isolate Endpoint, Initiate Malware Scan, Retrieve Endpoint Files, Initiate Live Terminal

      • Open in Quick Launcher

      • Open Asset View

      • View Related Alerts

  3. Investigate a causality chain.

    The causality chains are listed according to the Causality Group Owner (CGO), expand the CGO card you want to investigate. Each CGO card displays the CGO name, the following CGO event details, and the causality chain:

    • CGO Name

    • Alert Sources associated with the entire causality chain

    • Execution time of the causality chain

    • Number of alerts that include the CGO according to severity.

    Expand the causality chain to further investigate and perform available Causality View actions.