How to Address an Incident

Infinity XDR consolidates the security of multiple security products into a single pane of glass. It utilizes various artificial intelligence engines and machine learning models to analyze activity and security events in an environment in order to identify security risks and automatically handle them. If a security risk is identified, an incident is generated with a calculated priority level indicating the priority for users to handle the incident, alongside mitigation and prevention recommendations, which can be automated in the policy. This video shows the typical steps you can take to manage an incident. However, note that the steps can vary depending on the incident.

Access Infinity XDR/XPR and go to Incidents. You can either click Incidents from the dashboard, navigate to your assigned incidents, or go to the Incidents tab. Sort incidents by priority to address the critical incidents first. Assign the incident to a SOC analyst or security team member in your organization who will handle the incident. Change the status of the incident from New to In Progress. The system shows the insights, assets, indicators, and artifacts involved in the incident for your quick reference. It also shows the suggested preventive or corrective actions. To view details of the incident, scroll to the end of the row and click the arrow icon.

To understand the incident, refer to the AI-generated summary. You can see the data sources involved, the priority, severity, and confidence levels, and the MITRE tactics involved in this incident. The Assets and Indicators section shows the assets and indicators involved in the incident for further analysis. Click the asset and click Open in Threat Hunting for further analysis.

To view a list of all indicators and artifacts involved in the incident, click Indicators and Artifacts. You can perform various tasks, such as investigating an indicator in the Intelligence tool, adding it to IoC Management, and more, by hovering over the More option. Click Incident Timeline to view a timeline of all events and actions taken within an incident, starting from the time the incident was created. Click Insights and Forensics to view the details of insights and forensics related to the incident. An insight is an aggregation of one or more logs into valuable observations indicating the nature of the activity. In this view, you can investigate all detections correlated into the incident and their forensics details. The various tabs within the Insights and Forensics view allow you to drill down into dedicated views for each artifact type, enabling you to focus on each artifact involved and its related forensics details.

After you have investigated the incident, go back to the Overview page and implement the recommended actions in the Prevention section. Recommended actions can be performed automatically by Infinity XDR/XPR by configuring the automatic policy in the Policy section. Actions that were not taken automatically will appear as recommendations, some of which can be performed directly by clicking the action and some of which are additional recommendations to take outside of the system. After you have implemented all the preventive and corrective actions, hover over the action and select the checkbox to indicate that the action was implemented. If the action was not implemented, click the X mark. For recommendations that cannot be actioned from within Infinity XDR/XPR, you can either mark the recommendation as completed or rejected.

Finally, once you have taken all the necessary actions on the incident, close it by setting the status to Closed from within the incident, entering a comment, and clicking Save. Thank you for watching the video.

Step 1
Owner: Infinity XDR (Extended Detection & Response)/XPR
Action: Infinity XDR/XPR generates an incident.

Step 2
Owner: Administrator
Action: Assign the incident to a Security Operations Center (SOC) analyst.

Step 3
Owner: SOC Analyst
Action: In the Incidents page, review this information about the incident:
  • Description
  • Priority level
  • Sources
  • MITRE ATT&CK tactics involved
  • Assets involved
  • Identified Indicators of Compromise
  • Prevention actions taken and recommended prevention actions
  • Timeline of the incident

Step 4
Owner: SOC Analyst
Action: For further investigation of the incident:

Step 5
Owner: SOC Analyst
Action: To investigate the Indicators of Compromise (malicious artifacts, such as domains, URLs, IP addresses, and files) involved in the incident and analyze a file, see Intelligence.

Step 6
Owner: SOC Analyst
Action: To investigate the logs further, see Threat Hunting.

Step 7
Owner: SOC Analyst
Action: Take the recommended prevention actions. See Prevention.
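The handling workflow the video and the table describe (sort the queue by priority, assign, move the incident from New to In Progress, resolve each recommended action as implemented or rejected, then close with a comment) is modelled below as an added Python example. It is constructed for this page and is not Infinity XDR/XPR code or its API. The status names New, In Progress and Closed and the implemented/rejected dispositions come from the page; the `Incident`, `Action` and `triage_order` names, the numeric priority field, and the rule that an incident cannot be closed while any recommendation is still pending are assumptions made for the example.

```python
"""Constructed model of the incident-handling workflow described on this page.

Not Infinity XDR/XPR code or its API: names, fields and the closure rules are
assumptions chosen to make the workflow checkable.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Status(Enum):
    NEW = "New"
    IN_PROGRESS = "In Progress"
    CLOSED = "Closed"


class ActionState(Enum):
    PENDING = "pending"          # still shown as a recommendation
    IMPLEMENTED = "implemented"  # the analyst selected the checkbox
    REJECTED = "rejected"        # the analyst clicked the X mark / rejected it


@dataclass
class Action:
    description: str
    in_product: bool  # True if it can be performed from within the platform
    state: ActionState = ActionState.PENDING


@dataclass
class Incident:
    incident_id: str
    priority: int  # assumption: higher value = more urgent, as calculated by the platform
    actions: List[Action] = field(default_factory=list)
    status: Status = Status.NEW
    assignee: Optional[str] = None
    # Timeline starts at creation, mirroring the Incident Timeline view.
    timeline: List[str] = field(default_factory=lambda: ["created"])


class WorkflowError(Exception):
    """Raised when a step is attempted out of order or with missing input."""


def triage_order(incidents: List[Incident]) -> List[Incident]:
    """Return incidents sorted so the highest priority is handled first."""
    return sorted(incidents, key=lambda inc: inc.priority, reverse=True)


def assign(incident: Incident, analyst: str) -> None:
    """Record the SOC analyst who owns the incident."""
    if incident.status is Status.CLOSED:
        raise WorkflowError("cannot assign a closed incident")
    incident.assignee = analyst
    incident.timeline.append(f"assigned to {analyst}")


def start(incident: Incident) -> None:
    """Move New -> In Progress; requires an assignee so work is always owned."""
    if incident.status is not Status.NEW:
        raise WorkflowError(f"cannot start from status {incident.status.value}")
    if incident.assignee is None:
        raise WorkflowError("assign the incident before starting work")
    incident.status = Status.IN_PROGRESS
    incident.timeline.append("status: In Progress")


def resolve_action(incident: Incident, index: int, state: ActionState) -> None:
    """Mark one recommendation as implemented or rejected (once, while In Progress)."""
    if incident.status is not Status.IN_PROGRESS:
        raise WorkflowError("actions are resolved while the incident is In Progress")
    if state is ActionState.PENDING:
        raise WorkflowError("resolve to implemented or rejected")
    action = incident.actions[index]
    if action.state is not ActionState.PENDING:
        raise WorkflowError(f"action '{action.description}' is already resolved")
    action.state = state
    incident.timeline.append(f"action '{action.description}': {state.value}")


def closure_blockers(incident: Incident, comment: str) -> List[str]:
    """List every reason the incident cannot be closed yet (empty means it can)."""
    blockers = []
    if incident.status is not Status.IN_PROGRESS:
        blockers.append(f"status is {incident.status.value}, not In Progress")
    for action in incident.actions:
        if action.state is ActionState.PENDING:
            blockers.append(f"unresolved recommendation: {action.description}")
    if not comment.strip():
        blockers.append("a closing comment is required")
    return blockers


def close(incident: Incident, comment: str) -> None:
    """Set the status to Closed with a comment, refusing if anything is outstanding."""
    blockers = closure_blockers(incident, comment)
    if blockers:
        raise WorkflowError("; ".join(blockers))
    incident.status = Status.CLOSED
    incident.timeline.append(f"status: Closed ({comment.strip()})")


def demo() -> Incident:
    """Walk the top-priority constructed incident through the full workflow."""
    queue = [  # constructed sample incidents
        Incident("INC-1", priority=2, actions=[Action("Isolate host", True)]),
        Incident("INC-2", priority=5, actions=[
            Action("Block domain", True),
            Action("Reset user password", False),  # handled outside the system
        ]),
    ]
    inc = triage_order(queue)[0]
    assign(inc, "soc-analyst")
    start(inc)
    resolve_action(inc, 0, ActionState.IMPLEMENTED)
    resolve_action(inc, 1, ActionState.REJECTED)
    close(inc, "Domain blocked; password reset tracked in an IT ticket")
    return inc


if __name__ == "__main__":
    for entry in demo().timeline:
        print(entry)
```

`closure_blockers` is separated from `close` so a dashboard or a test can show the analyst exactly which recommendations still need a disposition before the Closed status is accepted; the product itself leaves closure to the analyst, so treating pending recommendations as a hard block is a policy choice of this example.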