Incidents

An incident is a collection of events from one or more products that together represent an attack story. Infinity XDR Extended Detection & Response/XPR Extended Prevention & Response utilizes ThreatCloud's Artificial Intelligence (AI) and applies Machine Learning (ML) models to correlate between the events from on-boarded products (both benign and security events) into unified incidents. The incident's priority level is calculated based on the artifacts of the incident, including the confidence and severity levels of the detection. Incidents are actionable with prevention steps that can be taken within the Infinity XDR/XPR application.

The Incidents page shows the list of incidents and its details that includes:

Insights that triggered the incident and its timeline
Impacted assets and users
Indicators
Prevention history and recommended prevention actions. You can automate some of these actions. For more information, see Automations.

To view the Incidents page, access Infinity XDR/XPR and click Incidents > Incidents.

Legend

Item

Description

Time span

Select the duration for which you want to view the incidents.

Last 24 hours
Last week
Last two weeks
Last month
Last year

Sort by

Select a criterion to sort the incidents.

Priority
Creation date
Last update
Severity

Assign

Assign a security expert to address the incident.

Change status

Change the status of the incident.

New
In Progress
Close - Handled
Close - False Positive
Close - Known Activity

Follow up

Indicates that the incident requires a follow-up.

Note - Infinity XDR/XPR does not send automatic reminders for follow-up.

Search for the an asset, incident or a user.

Select all

Select or clear all incidents.

Filters

Filter the incidents by:

All
Action required
Prevented

Add filter

Allows you to filter the incident list.

To add a new filter:

Click + Add Filter.
Enter Field, Operator and Value.
Click Save.

You can filter the incidents by:

Assignee
Confidence
Data Source
Incident Correlation of one or more insights into a security incident potentially impacting your environment. It can be based on insights generated from one or more products. Sequence ID
MITRE tactics
MITRE Techniques
News Articles
Prevented
Priority
Severity
Status

Incident

Shows incident details.

Legend	Description
1	Priority of the incident: Critical High Medium Low Informational
2	Date and time when the incident was generated.
3	View the comments added related to the incident.
4	Add or remove the follow-up flag on the incident.
5	Incident ID and title. Click the title to open the Incidents - Overview page.
6	Security Operations Center (SOC) analyst assigned to the incident. Shows Unassigned if an incident is unassigned.
7	Status of the incident. Click to set the status. New In Progress Close - Handled Close - False Positive Close - Known Activity
8	Number of insights involved in triggering the incident with date and time when the first and last insight was created. Click to view Incidents - Insights & Forensics page. An insight is anaggregation of one or more logs into valuable observations indicating the nature of the activity.
9	Number of assets involved in the incident.
10	Number of indicators and artifacts involved in the incident. Hover over an indicator/artifact to view its Intelligence widget card. For more information, see Intelligence Widget Card.

Opens the incident Incidents - Overview page in a new tab.

Confidence

Confidence level of the detection:

High
Medium
Low

Severity

Priority of the incident:

Critical
High
Medium
Low
Informational

Source

The source of the events correlated into the incident.

Endpoint (Harmony Endpoint)
Gateway (Quantum Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. and/or CloudGuard Network)
Email (Harmony Email & Collaboration)
Mobile (Harmony Mobile)
Defender (Microsoft Defender)
Identity Service

MITRE ATT&CK

MITRE ATT&CK tactics and techniques involved in the incident. The numbers represent the number of insights related to each tactic.

Opens the Incidents - Insights & Forensics page that shows the related insights.

Top Insights

Top insights for the incident.

Prevention

Lists prevention actions taken and those that are recommended to be taken.

Insights Timeline

Shows the timeline of insights and the duration between the first and the last insight.

Comments

Shows the comments added for the incident. Click to add a comment.

Intelligence Widget Card

The Intelligence widget card displays the latest intelligence information about the indicator/artifact. The card's color reflects the severity level of the indicator/artifact.

The card displays these details:

Indicator A malicious artifact, such as domain, URL, IP address, and files./artifact value
XDR score which indicates the overall threat level
Severity level
Confidence level
Findings - Findings from the XDR validation engines.
Attack names - Name of attacks in which the indicator/artifact was involved.
General information based on the indicator/artifact type and the third-party threat intelligence verdict.
Status of the indicator in IOC Management.
Related info:
- Number of related alerts - Click the link to view the Alerts page filtered by the specific indicator.
- Number of related incidents - Click the link to view the Incidents page filtered by the specific indicator.

Note - If the indicator/artifact information was updated after the incident was created, the card displays the message Information updated since initial analysis at the top right.

Click the icon on the card to perform more actions on the indicator/artifact.