Analyze incident details

During the incident review stage, you can also analyze the details of each incident from the Endpoint Detection and Response (EDR) incident list. These details enable you to drill down into the entire incident and understand how and when it occurred. In addition, you can assign an incident to specific users for investigation and set the investigation status.

To analyze incident details

  1. In the Cyber Protect console, go to Protection > Incidents. The Incident list is displayed.
  2. Click on the incident you want to review. The details for the selected incident are displayed.
  3. In the displayed Overview tab, you can review the incident and workload details, including the current threat status and severity. You can also define the Investigation state (select one of Investigating, Not started (the default state), False positive, or Closed), and select a user to assign the incident to (in the Assignee drop-down list, select the relevant user).

  4. Click the Attack Info tab to review details of the attack and the techniques used in the attack. Click the link next to each listed attack technique to review further information about the technique on MITRE.org.
  5. Click the Activities tab to review any actions taken in the cyber kill chain to mitigate the incident. For more information, see How to investigate incidents in the cyber kill chain.

    For example, if a patch was run on the workload, you can see who initiated the patch, how long it took, and any errors that occurred during the implementation of the patch.

  6. Click Investigate incident to access the cyber kill chain where you can investigate the incident node-by-node. For more information, see How to investigate incidents in the cyber kill chain.