Manage incidents - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-07
Category: Administrator Guide

Abstract

Learn how to investigate and manage your incidents.

On the Incident view you can track incidents, investigate incident details, and take remedial action. Navigate to Incident Response > Incidents and locate the incident you want to investigate.

Note

If you do not have permissions to access an asset of an incident (which is shown as grayed out and locked), check your scoping permissions in Manage Users or Manage User Groups.

The incident list provides a short summary of each incident to help you quickly assess and prioritize your incidents:

  1. Review the incident severity, score, and assignee. Select whether to Star the incident.

  2. Review the status of the incident and when it was last updated.

  3. Review the incident ID and incident summary.

  4. Review the incident assets and alert sources:

    • Review the host name associated with the incident. If there is more than one host, select the [+x] to display the additional host names.

    • Review the user name associated with the incident. If there is more than one user, select the [+x] to display the additional user names.

    • Hover over the alert source icons to display the alert source type. Select the alert source icon to display the three most common alerts that were triggered and how many alerts of each are associated with the incident.

Click on an incident to open the incident in the right panel. In the incident header you can update various data, such as the severity, incident name, score, and merge incidents.

  1. Change the incident severity.

    The default severity is based on the highest alert severity in the incident. To manually change the severity, select the severity tag and choose the new severity.

  2. Add or edit the incident name.

  3. Edit the incident description.

    Hover over the incident description and select the pencil icon to edit the incident description.

  4. Update the incident score.

    Click on the assigned score to investigate how the score was calculated.

    The Manage Incident Score dialog displays all rules that contributed to the incident total score, including rules that have since been deleted. Scores of deleted rules appear as N/A.

    You can override the rule-based score by selecting Set score manually, or change the scoring method. For more information, see Incident scoring.

  5. Assign an incident.

    Select the assignee (or Unassigned) and begin typing the assignee’s email address for automated suggestions. Users must have logged in to the app to appear in the auto-generated list.

  6. Assign an incident status.

    Select the incident Status to update the status to New, Under Investigation, or Resolved. Updating the status lets you indicate which incidents have been reviewed and lets you filter by status in the incidents table.

    When setting an incident to Resolved, select the resolution reason, add an optional comment, and select whether to Mark all alerts as resolved. For more information, see Resolution reasons for incidents and alerts.

  7. Merge incidents you think belong together. Click the more options icon and select Merge Incidents.

  8. Create an exclusion.

  9. Review the remediation suggestions. Click the more options icon to open the Remediation Suggestions dialog.

  10. Review the incident assets.

    Review the number of alerts, alert sources, hosts, users, and wildfire hits associated with the incident. Select Hosts, Users, and Wildfire Hits to display the asset details.

  11. Track and share your investigation progress.

    Add notes or comments to track your investigative steps and any remedial actions taken.

    • Select the Incident Notepad to add and edit the incident notes. You can use notes to add code snippets to the incident or to add a general description of the threat.

    • Use the Incident Messenger to coordinate the investigation between analysts and track the progress of the investigation. Select the comments to view or manage them.

      If needed, Search to find specific words or phrases in Notepad and Messenger.

The incident Overview tab displays the MITRE tactics and techniques, summarized timeline, and interactive widgets that visualize the number of alerts, types of sources, hosts, and users associated with the incident.

  1. Review the incident MITRE tactics and techniques widget.

    Cortex XSIAM displays the number of alerts associated with each tactic and technique. Select the centered arrow at the bottom of the widget to expand the widget and display the sub-techniques. Hover over a number of alerts to display a link to the MITRE ATT&CK official site.

    Note

    In some cases, the number of alerts associated with the techniques will not match the number shown for the parent tactic, either because of missing tags or because an alert belongs to several techniques.

  2. Investigate information about the Alerts, Automation, Alert Sources, and Assets associated with the incident.

  3. Review the artifacts and assets that are associated with the incident.

    You can click the more options icon next to an asset or artifact to open an associated view, or you can see more details in the Key Assets & Artifacts tab.

The Key Assets & Artifacts tab displays all the asset and artifact information for the hosts, users, and key artifacts associated with the incident.

  1. Investigate artifacts.

    In the Artifacts section, search for and review the artifacts associated with the incident. Each artifact displays, if available, the artifact information and the available actions according to the artifact type: File, IP Address, or Domain.

  2. Investigate hosts.

    In the Hosts section, search for and review the hosts associated with the incident. Each host displays, if available, host information and available actions.

    To further investigate the host, select the host name to display the Details panel. The panel is only available for hosts with the agent installed and displays the host name, whether the host is connected, and the Endpoint Details, Agent Details, Network, and Policy information. If the Details panel is not available, click the more options icon next to the host name to see the available options.

  3. Investigate users.

    In the Users section, search for and review the users associated with the incident. Each user displays, if available, the user information and available actions.

The Alerts & Insights tab displays a table of the alerts and insights associated with the incident.

  1. Use the table tabs to switch between alerts and insights, and add filters to the table to refine the displayed entries.

  2. Click an alert or insight to open the Details panel.

    Use the available actions listed in the top right-hand corner to take remedial actions.

    Click Investigate to open the alert investigation panel where you can take actions on the alert, and see the alert War Room and Work Plan.

You can run or rerun a playbook on one or more alerts. If a playbook is currently running on one or more of the selected alerts, the Run Playbook option does not appear. If a playbook is running on the alert but has been paused (for example, waiting for a user action), you can choose to rerun the playbook or select a new playbook.

  1. In the Alerts & Insights tab, right-click one or more alerts in the Alerts table and select Run Playbook.

  2. If the alerts already have a playbook assigned, choose Rerun current Playbook or Choose another Playbook. If the alerts do not have a playbook assigned, select Choose a Playbook.

  3. If you are not rerunning the current assigned playbook, select a playbook to run for the selected alert(s).

  4. Run the playbook.

The incident Timeline tab is a chronological representation of alerts and actions relating to the incident.

  1. Navigate to the Timeline tab and filter the actions according to the action type.

  2. Investigate a timeline entry.

    Each timeline entry is a representation of a type of action that was triggered in the alert. Alerts that include the same artifacts are grouped into one timeline entry and display the common artifact in an interactive link. Depending on the type of action, you can select the entry, host names, and artifacts to further investigate the action:

    • Locate the action you want to investigate:

      • For Response Actions and Incident Management Actions, you can add and view comments relating to the action.

      • For Alerts, Automatic Incident Updates, and Automation actions, click the action to open the Details panel. In the panel, navigate to the Alerts tab to view the Alerts table filtered by the alert ID, to Key Assets to view the Hosts and Users associated with the alert, and to the option to add Comments.

    • Select the Host name to display the endpoint data, if available.

    • Select the Artifact to display the following type of information:

      • Hash artifact: Displays the Verdict, File name, and Signature status of the hash value. Select the hash value to view the WildFire Analysis Report, Add to Block list, Add to Allow list, or Search file.

      • Domain artifact: Displays the IP address and VT score of the domain. Select the domain name to Add to EDL.

      • IP address artifact: Displays whether the IP address is Internal or External, the Whois findings, and the VT score. Expand Whois to view the findings and Add to EDL.

    • In action entries that involve additional artifacts, expand Additional artifacts found to investigate them further.

The Executions tab displays all the alert causality chains associated with the incident. The causality chains are aggregated according to the following types of groupings:

  • Host Name

    • Host with an agent installed

    • Host without an agent installed

    • Multiple Hosts

    • Undetected Host

  • User Name

    • Username

    • Multiple Users

    • Undetected Users

Note

  • Cloud related alerts are displayed in the User Name grouping.

  • Prisma Cloud Compute alerts are displayed in the Host Name grouping.

How to investigate incident executions

  1. Investigate the host causality chains.

    In the Executions section, search for and review the hosts associated with the incident. Review the host information and click the more options icon to perform actions on the host, or open related views.

  2. Investigate a causality chain.

    The causality chains are listed according to their Causality Group Owner (CGO). Expand the CGO card you want to investigate. Each CGO card displays the following CGO event details and the causality chain:

    • CGO Name

    • Alert Sources associated with the entire causality chain

    • Execution time of the causality chain

    • Number of alerts that include the CGO, broken down by severity

    Expand the causality chain to further investigate and perform available Causality View actions.