Incidents - Affected Assets
The Affected Assets page shows the details of assets involved in the incident and allows you to perform these actions:
- Managing Indicators and Artifacts
- Isolating an Asset
- Isolating an IP Address
- De-isolating an Asset
- De-isolating an IP Address
- Copying an Asset Name to Clipboard
- Viewing Intelligence for an Asset
- Searching for an Asset in Incidents
- Viewing Threat Hunting for an Asset
To view the Affected Assets page:
- Access Infinity XDR/XPR (Extended Detection & Response / Extended Prevention & Response) and click Incidents > Incidents.
- Click the incident title, or hover over the incident and click >.
- Click Affected assets.
To edit the columns in the table, click Edit columns and select the columns.
To export the table data in CSV format, click Export All (CSV).
To search, enter a string in the Search field. The table automatically filters to the rows that match the string.
Column | Description
---|---
Type | Asset type.
Asset name | Asset name.
Endpoint Status | Installation status of the Harmony Endpoint Security client on the machine.
Endpoint Isolation Status | Isolation status of the machine. Applies only to machines with the Harmony Endpoint Security client installed.
Gateway Status | Isolation status of the asset on the gateway. Applies only to assets of type IP address.
Mobile Status (shown only if the data source is Harmony Mobile) | Status of the mobile device.
OS Name | Operating system of the machine.
Last IP address | IP address last associated with the asset. Applies only to endpoints and IP addresses.
OS Version | Version of the operating system.
Last Connection Time | Date when the asset was last seen in the logs of the on-boarded products.
GUID | Globally Unique Identifier of the asset.
AD Domain | Active Directory domain of the asset.
Users | Users related to the asset.
Last IP Address | Last IP address associated with the asset.
Associated IPs | IP addresses associated with the asset.
Insights | Number of insights related to the incident in which the asset is involved. Hover over the value to view the insights by severity.
Indicators | Number of indicators related to the incident in which the asset is involved. Hover over the value to view the indicators by severity.
Related Incidents | Number of incidents in which the asset was involved.
Managing Affected Assets
- Click Incidents, then do one of the following:
  - Click the incident title.
  - Hover over the incident and click >.
- Click Affected assets.
- Select the asset.
- To isolate an affected endpoint from the network (Infinity XDR/XPR enforces the isolation through Harmony Endpoint's Isolate Computer push operation), at the top of the page, click Isolate and then click Isolate on Endpoint.
  A confirmation message appears. Click Yes.
- To isolate an asset of type IP address on the Quantum Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources), at the top of the page, click Isolate and then click Isolate on Gateway.
  A confirmation message appears. Click Yes.
- To de-isolate an isolated endpoint in the network (Infinity XDR/XPR enforces the isolation through Harmony Endpoint's Isolate Computer push operation), at the top of the page, click De-Isolate.
  A confirmation message appears. Click Yes.
- To de-isolate or unblock an isolated IP address in the network (Infinity XDR/XPR enforces the isolation through the Quantum Security Gateway), at the top of the page, click De-Isolate.
  A confirmation message appears. Click Yes.
- To copy an asset name to the clipboard, in the table, at the end of the row, hover over the icon and click Copy Asset Name.
  Infinity XDR/XPR copies the name of the asset to the clipboard.
- To view intelligence for an IP address, in the table, at the end of the row, hover over the icon and click Open in Intelligence.
  Infinity XDR/XPR opens the Intelligence page and shows the available intelligence for the IP address.
  Note - This applies only to assets of type IP address.
- To isolate an IP address on the Quantum Security Gateway, in the table, at the end of the row, hover over the icon and click Isolate on GW.
  A confirmation message appears. Click Yes.
  Notes:
  - This applies only to assets of type IP address.
  - This is implemented using Check Point Playblocks. For more information, see the Infinity Playblocks Administration Guide.
- To search for an asset in the incidents table, in the table, at the end of the row, hover over the icon and click Search in Incidents.
  Infinity XDR/XPR opens the Incidents page and shows the incidents in which the asset is involved.
- To view Threat Hunting for an asset, in the table, at the end of the row, hover over the icon and click Open in Threat Hunting.
  Infinity XDR/XPR opens the Threat Hunting page and searches the logs from the past seven days for the selected asset.
Note - For Mobile assets, the only supported functions are Copy asset name and Search in Incidents.
Creating an Exclusion for an Asset from an Incident
You can create exclusions for assets so that they do not create new incidents, for example, an asset that represents an approved network scanner.
Note - You can also create exclusions from the Policy menu. See Exclusions.
To create an exclusion for an asset from an incident:
- Click Incidents, then do one of the following:
  - Click the incident title.
  - Hover over the incident and click >.
- Click Affected assets.
- In the table, at the end of the row, hover over the icon and click Create Exclusion.
  The Asset type and Exclusion value are pre-filled.
- From the Asset type drop-down:
  - If the asset type is an IP address, select IPv4.
  - Select an Exclusion value:
    - Single - Enter the IP address.
    - Range - Enter the From and To IP addresses.
    - CIDR - Enter the Subnet and Prefix.
- (Optional) Select an Expiration date (UTC) for the exclusion. After the expiration date, the asset can create incidents again.
- (Optional) Enter Comments.
- Click Submit.
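The three IPv4 exclusion forms above (Single, Range, CIDR) and the UTC expiration date behave like a small allow-list that is consulted before an asset is allowed to raise a new incident. The following is an added illustration of that logic, not Check Point's code and not how Infinity XDR/XPR implements exclusions internally: the `Exclusion` class, the `is_excluded` function and the sample exclusion entries are assumptions constructed for this example. It shows how each form is matched against a candidate asset address, how an expired exclusion stops suppressing incidents, and why an inverted Range (From after To) should be rejected at entry time.

```python
"""Model of the Single / Range / CIDR exclusion forms with a UTC expiration date.

Added example; the class, function and sample data here are constructed for
illustration and are not Check Point's implementation.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress
from typing import Iterable, Optional


def utc(date: str) -> datetime:
    """Parse an ISO date/time string as a UTC-aware datetime (e.g. '2024-01-31')."""
    return datetime.fromisoformat(date).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Exclusion:
    """One IPv4 exclusion as the Create Exclusion form would capture it (assumed model)."""
    kind: str                          # "Single", "Range" or "CIDR"
    value: str                         # "10.10.1.50", "10.10.2.10-10.10.2.20" or "192.168.100.0/24"
    expires: Optional[datetime] = None  # Expiration date (UTC); None means never expires
    comment: str = ""

    def covers(self, ip: str) -> bool:
        """Return True if the asset address falls inside this exclusion's value."""
        addr = ipaddress.IPv4Address(ip)
        if self.kind == "Single":
            return addr == ipaddress.IPv4Address(self.value)
        if self.kind == "Range":
            # Range is entered as From and To; reject an inverted range instead of
            # silently matching nothing.
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in self.value.split("-"))
            if lo > hi:
                raise ValueError(f"Range From {lo} is after To {hi}")
            return lo <= addr <= hi
        if self.kind == "CIDR":
            # Subnet and Prefix; strict=False tolerates a host address with a prefix
            # (e.g. 192.168.100.7/24) by using its network.
            return addr in ipaddress.IPv4Network(self.value, strict=False)
        raise ValueError(f"unknown exclusion kind {self.kind!r}")

    def active(self, now: datetime) -> bool:
        """An exclusion suppresses incidents only until its expiration date (UTC)."""
        return self.expires is None or now < self.expires


def is_excluded(ip: str, exclusions: Iterable[Exclusion],
                now: Optional[datetime] = None) -> bool:
    """True if any active exclusion covers the asset address at time `now` (UTC)."""
    now = now or datetime.now(timezone.utc)
    return any(e.active(now) and e.covers(ip) for e in exclusions)


# Constructed sample exclusions, mirroring the three forms on the Create Exclusion page.
SAMPLE_EXCLUSIONS = [
    Exclusion("Single", "10.10.1.50", comment="approved network scanner"),
    Exclusion("Range", "10.10.2.10-10.10.2.20", expires=utc("2024-01-31"),
              comment="vulnerability scanner maintenance window"),
    Exclusion("CIDR", "192.168.100.0/24", comment="lab segment"),
]


if __name__ == "__main__":
    for ip in ("10.10.1.50", "10.10.2.15", "192.168.100.200", "192.168.101.1"):
        print(ip, "excluded on 2024-01-01:", is_excluded(ip, SAMPLE_EXCLUSIONS, utc("2024-01-01")))
    # After the expiration date the Range entry no longer suppresses incidents.
    print("10.10.2.15 excluded on 2024-02-01:", is_excluded("10.10.2.15", SAMPLE_EXCLUSIONS, utc("2024-02-01")))
```

Passing the evaluation time explicitly, rather than reading the clock inside the match, is what makes the expiration behaviour testable and keeps every comparison in UTC, matching the Expiration date (UTC) field on the form.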