An incident investigation can be opened in the following ways:
Automatically: If associated with a playbook, incidents open automatically for investigation and run the associated playbook.
Manually: Open an incident manually by selecting the incident in the Incidents table.
After an incident is created, it is assigned a Pending status in the incident table. When you start to investigate an incident the status changes automatically to Active, which starts the remediation process.
CLI: If you want to open an incident in the CLI, type
When you open an incident, you see the following tabs, which assist you in the investigation:
A summary of the incident, such as case details, work plan, evidence, and so on. Most of the fields are for information only, although you can add the following:
You can send a permalink to a specific Investigation Summary by copying its URL.
You can edit the fields by Incident Customization.
An overview of the information collected about the investigation, such as indicators, email information, URL screen shots and so on
A comprehensive collection of all investigation actions, artifacts, and collaboration. It is a chronological journal of the incident investigation. Each incident has a unique War Room.
A visual representation of the running playbook that is assigned to the incident.
View any entity which has been designated as evidence. The Evidence board stores key artifacts for current and future analysis. You can reconstruct attack chains and piece together key pieces of verification for root cause discovery.
A visual representation of incidents that share similar characteristics, such as malicious indicators, or part of a phishing campaign.
Visually maps an incident, its elements, correlated investigation entities, and the progression path of the incident, combining analyst intelligence with machine learning.
The Related Incidents page is orientated towards exploration and searching for similar data. The Canvas maps incidents and indicators by enabling you to decide what you want to include in a layout of your choice.
Inline Value Fields
By default, when editing the following inline values in an incident, the changes are not saved until you confirm your changes (clicking the checkmark icon in the value field).
Dropdown values, such as Owner, Severity, etc.
Text values, such as Asset ID. (You can only edit when you click the pencil in the value field).
These icons are designed to let you have an additional level of security before you make changes to the fields in incidents, indicators, and threat intel reports.
To change the default behavior set the
inline.edit.on.blur server configuration to
true, which enables you to make changes to inline fields without clicking the checkmark. The changes are automatically saved when clicking anywhere on the page or when navigating to another page. For text values you can also click anywhere in the value field to edit.