Incidents

An incident is a collection of events from one or more products that together represent an attack story. Infinity XDR (Extended Detection & Response)/XPR (Extended Prevention & Response) uses ThreatCloud's Artificial Intelligence (AI) and applies Machine Learning (ML) models to correlate the events from on-boarded products (both benign and security events) into unified incidents. The incident's priority level is calculated from the artifacts of the incident, including the confidence and severity levels of the detection. Incidents are actionable, with prevention steps that can be taken within the Infinity XDR/XPR application.

The Incidents page shows the list of incidents and their details, which include:

  • Insights that triggered the incident and its timeline

  • Impacted assets and users

  • Indicators

  • Prevention history and recommended prevention actions. You can automate some of these actions. For more information, see Automations.

To view the Incidents page, access Infinity XDR/XPR and click Incidents.

Legend

Item

Description

1

Time span

Select the duration for which you want to view the incidents.

  • Last 24 hours

  • Last week

  • Last two weeks

  • Last month

  • Last year

2

Sort by

Select a criterion to sort the incidents.

  • Priority

  • Creation date

  • Last update

  • Severity

3

Assign

Assign a security expert to address the incident.

4

Change status

Change the status of the incident.

  • New

  • In Progress

  • Close - Handled

  • Close - False Positive

  • Close - Known Activity

5

Follow up

Indicates that the incident requires a follow-up.

Note - Infinity XDR/XPR does not send automatic reminders for follow-up.

6

Search

Search for an asset, incident or user.

7

Select all

Select or clear all incidents.

8

Filters

Filter the incidents by:

  • All

  • Action required

  • Prevented

9

Add filter

Allows you to filter the incident list.

To add a new filter:

  1. Click + Add Filter.

  2. Enter Field, Operator and Value.

  3. Click Save.

You can filter the incidents by:

10

Incident

Shows incident details.

Legend

Description

1

Priority of the incident:

  • Critical

  • High

  • Medium

  • Low

  • Informational

2

Date and time when the incident was generated.

3

View the comments added related to the incident.

4

Add or remove the follow-up flag on the incident.

5

Incident ID and title. Click the title to open the Incidents - Overview page.

6

Security Operations Center (SOC) analyst assigned to the incident. Shows Unassigned if an incident is unassigned.

7

Status of the incident. Click to set the status.

  • New

  • In Progress

  • Close - Handled

  • Close - False Positive

  • Close - Known Activity

8

Number of insights involved in triggering the incident, with the date and time when the first and last insights were created. Click to view the Incidents - Insights & Forensics page.

An insight is an aggregation of one or more logs into valuable observations indicating the nature of the activity.

9

Number of assets involved in the incident.

10

Number of indicators and artifacts involved in the incident.

Hover over an indicator/artifact to view its Intelligence widget card. For more information, see Intelligence Widget Card.

11

Opens the Incidents - Overview page for the incident in a new tab.

12

Confidence

Confidence level of the detection:

  • High

  • Medium

  • Low

13

Severity

Severity level of the incident:

  • Critical

  • High

  • Medium

  • Low

  • Informational

14

Source

The source of the events correlated into the incident.

15

MITRE ATT&CK

MITRE ATT&CK tactics and techniques involved in the incident. The numbers represent the number of insights related to each tactic.

Click to open the Incidents - Insights & Forensics page, which shows the related insights.

16

Top Insights

Top insights for the incident.

17

Prevention

Lists the prevention actions already taken and those recommended to be taken.

18

Insights Timeline

Shows the timeline of insights and the duration between the first and the last insight.

19

Comments

Shows the comments added for the incident. Click to add a comment.

Intelligence Widget Card

The Intelligence widget card displays the latest intelligence information about the indicator/artifact. The card's color reflects the severity level of the indicator/artifact.

The card displays these details:

  • Indicator (a malicious artifact, such as a domain, URL, IP address or file)/artifact value

  • XDR score, which indicates the overall threat level

  • Severity level

  • Confidence level

  • Findings - Findings from the XDR validation engines.

  • Attack names - Name of attacks in which the indicator/artifact was involved.

  • General information based on the indicator/artifact type and the third-party threat intelligence verdict.

  • Status of the indicator in IOC Management.

  • Related info:

    • Number of related alerts - Click the link to view the Alerts page filtered by the specific indicator.

    • Number of related incidents - Click the link to view the Incidents page filtered by the specific indicator.

Note - If the indicator/artifact information was updated after the incident was created, the card displays the message Information updated since initial analysis at the top right.

Click the icon on the card to perform more actions on the indicator/artifact.