
User Guide

Explorer View

The Incident Explorer view allows you to correlate Actors (IP, Host, User) across multiple incidents, without creating multiple reports in separate tabs. Incident trends, Actor and Incident detail are displayed on the same page. You can choose an actor and see all the incidents that actor is part of. You can then choose a time range and narrow down the incidents. Time ranges, Actors, and Incidents can be chosen in any order. Each time a selection is made, the rest of the dashboard updates to reflect that selection.

To open the Incident Explorer view, click INCIDENTS, then click the Explorer icon. Explorer can be set as the default view by selecting User Profile > UI Settings, then choosing Incidents from the Home drop-down list and Explorer from the Incident Home drop-down list.

The Incident Explorer view is divided into three layers:

  • The top layer displays the Incident Trend graph. The graph displays the incident counts over time, organized by severity, then by count.

    Each bar in the graph represents the number of incidents at a given time. The colors used in the bars reflect the Incident Severity: red boxes (High Severity) appear first, then Yellow (Medium Severity), and finally Green (Low Severity). The numbers in the bars reflect the number of unique incidents that triggered in the chosen time window.

  • The middle layer displays panels for Incidents, Hosts, IPs, and Users. You can filter the items in the panels by Category, Status, and Time Range. See “Filtering in the Incident Explorer View” for more information.

  • The bottom layer displays the Incidents Table with these headings: Severity, Last Occurred, Incident, Source, Target, Detail, Subcategory, Incident Status, and Resolution. Select Incident Details from the caret drop-down next to the Incident column to get more details.

    Drill down is available from the Incident, Target, Detail, and Resolution columns.

The following tables describe the drill down options available for each column.

Incident Options

  • Incident Details: Opens a window with more details about the incident for review.
  • Investigate: Goes to the Analytics > Investigation page for the selected incident.

Source/Target Options

  • Quick Info: Displays quick information about the device.
  • Device Health: Availability, Performance, and Security health reports for the device.
  • Vulnerabilities: Displays the top 10 vulnerabilities for a selected time period (15 minutes, 1 hour, 1 day, 7 days, 30 days).
  • Check Reputation: Looks up likely malicious Indicators of Compromise (IOCs) on external threat intelligence websites.
  • Related Real-time Events: Switches to the ANALYTICS tab and displays related real-time events.
  • Related Historical Events: Switches to the ANALYTICS tab and displays related historical events.
  • Add to Filter: Switches to List view. Open the drop-down list next to the Reporting column for the desired incident and select Add to Filter. Add to Filter modifies the search on the current tab by including this constraint.
  • Add to Application Group: Opens the IP Application Group Mapping Definition dialog box, where you choose the group to which you want to add the incident.

Detail Options

Select Check Reputation to look up likely malicious Indicators of Compromise (IOCs) on external threat intelligence websites.

Resolution Options

  • Set Resolution to Open: Sets the resolution status to Open (it is not yet determined whether the incident is a True Positive or a False Positive).
  • Set Resolution to In Progress: Sets the incident resolution status to In Progress.
  • Set Resolution to True Positive: Sets the incident resolution status to True Positive.
  • Set Resolution to False Positive: Sets the incident resolution status to False Positive. If you change the resolution to False Positive, you must clear the incident at the same time.

To leave the Incident Explorer View, click the List icon.

Using the Incident Explorer View

Click any of the bars in the Incident Trend graph. The corresponding Incidents, IP addresses, Hosts and Users are displayed in the panels. The corresponding incidents are also displayed in the Incident Table.

Click any of the items in the Incident, IP, Host, or User panels. The corresponding bar is displayed in the Incident Trend graph and corresponding incidents are displayed in the Incident Table.

Click multiple items in the Incident Trend graph and in the panels. Your selections will be ANDed together and the results displayed in the Incident Table.

Select Incident Details from the drop-down caret next to the Incident column to show Incident details, Trigger events, Rule summary, Comments, Incident context, and Action history.

Filtering in the Incident Explorer View

You can filter the incident data by incident category, whether the incident is active or cleared, and the time range when the incident occurred.

  • The Category drop-down list allows you to filter on unique Security, Performance, Availability, and Change incidents that have triggered in the specified time range.

    For an incident to appear in this list, its rule must be configured with one of the four categories above (Security, Performance, Availability, Change). Incidents that trigger in any other category (e.g., Other) will not appear.

  • The Status drop-down list allows you to filter on Active and/or Cleared incidents.
  • The Time Range dialog box allows you to choose a relative or absolute time range. For Relative, enter a numerical value and then either Minutes, Hours, or Days from the drop-down list. For Absolute, use the calendar dialog to specify From and To dates.
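
As an added illustration (not FortiSIEM code and not part of this guide), the following Python models the filter and selection semantics described above: the four Explorer categories (Other never appears), Active/Cleared status, a relative time range, ANDed actor and trend-bar selections, and per-bucket unique incident counts stacked High, Medium, Low. The field names and sample incidents are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
# Added illustration, not FortiSIEM code: field names follow the guide's Incidents
# Table headings and the incidents are constructed sample data.
@dataclass(frozen=True)
class Incident:
    incident_id: int
    severity: str      # "High", "Medium" or "Low"
    category: str      # "Security", "Performance", "Availability", "Change" or "Other"
    status: str        # "Active" or "Cleared"
    source: str
    target: str
    user: str
    last_occurred: datetime
NOW = datetime(2024, 1, 1, 12, 0)   # constructed "current time" for relative ranges
INCIDENTS = [
    Incident(1, "High", "Security", "Active", "10.0.0.5", "srv-db01", "alice", NOW - timedelta(minutes=5)),
    Incident(2, "High", "Security", "Cleared", "10.0.0.5", "srv-web01", "bob", NOW - timedelta(minutes=30)),
    Incident(3, "Medium", "Availability", "Active", "10.0.0.9", "srv-db01", "alice", NOW - timedelta(minutes=90)),
    Incident(4, "Low", "Other", "Active", "10.0.0.5", "srv-db01", "alice", NOW - timedelta(minutes=10)),
    Incident(5, "Low", "Change", "Active", "10.0.0.7", "srv-db01", "carol", NOW - timedelta(hours=30)),
]
EXPLORER_CATEGORIES = {"Security", "Performance", "Availability", "Change"}
SEVERITY_ORDER = ["High", "Medium", "Low"]   # stacking order of the trend bars

def apply_filters(incidents, categories, statuses, relative_minutes, now=NOW):
    """Category, Status and relative Time Range drop-downs; Other never appears."""
    since = now - timedelta(minutes=relative_minutes)
    return [i for i in incidents
            if i.category in EXPLORER_CATEGORIES and i.category in categories
            and i.status in statuses and i.last_occurred >= since]

def bucket_of(incident, bucket_minutes, now=NOW):
    """Trend-graph time bucket of an incident; 0 is the most recent bucket."""
    return (now - incident.last_occurred) // timedelta(minutes=bucket_minutes)

def select_items(incidents, actors=(), bar=None, bucket_minutes=60, now=NOW):
    """Clicked panel items (IP, Host, User) and a clicked trend bar are ANDed."""
    return [i for i in incidents
            if all(a in {i.source, i.target, i.user} for a in actors)
            and (bar is None or bucket_of(i, bucket_minutes, now) == bar)]

def trend_bars(incidents, bucket_minutes=60, now=NOW):
    """Unique incident count per bucket, stacked High first, then Medium, then Low."""
    bars = {}
    for i in incidents:
        bars.setdefault(bucket_of(i, bucket_minutes, now), Counter())[i.severity] += 1
    return {b: [(s, c[s]) for s in SEVERITY_ORDER if c[s]] for b, c in sorted(bars.items())}
```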
