Analyzing Threats - Incident Details Overview
Click a threat to open its Incident details.
1. Start your analysis in the header
- Threat Status - See if mitigation actions were taken or if it is still not mitigated.
- AI Confidence Level - Note if the threat is Malicious or Suspicious.
- Analyst Verdict - Each threat starts as Undefined. If a different verdict shows, see the Timeline for a summary of all actions taken on the threat and all notes recorded.
- Mitigation Actions Taken - See which mitigation actions were done and their status. See if actions are required to compete mitigation. For example:
- A threat is mitigated but only killed and quarantined. Complete the analysis to see if more mitigation is required.
- All mitigation actions are Pending - All mitigation actions are Pending because the Management is waiting for a response from the Agent - If the endpoint is online, it will respond soon - If the endpoint is offline, it can take a while
- If the endpoint must reboot to complete the mitigation, the status shows Pending Reboot and a message shows under the header - Click Reboot Now to reboot the endpoint and complete the mitigation.
- If an action shows as partially completed, move the cursor over the action to see what was done and a link to download the mitigation CSV report.
- If no counters show for supported Agents, it means there was nothing for the Agent to act on - A success sign shows - The tooltip shows: Threat not found on endpoint
- See the Incident Status
- Each threat starts as Unresolved
- If it is In-Progress, someone is working on it already
- If it is Resolved, you can move on to a different threat.
- See the Timeline for a summary of all actions taken on the threat and all notes recorded.
- See the date and time of the incident:
- Identified Time - When the Agent identified the activity as a threat
- Reporting Time - When the threat showed in the Management Console or sent alerts.
The Level can be N/A if the detection was marked by a user as a threat.
For supported Agents, Windows 4.1+, macOS 4.0+, Linux 4.0+, and CWPP 4.0+, you can download the complete Mitigation CSV Report. This shows the details of mitigation actions that are not pending, including what exactly was done and to which files or processes. Download the mitigation CSV report from the Incident details in the Mitigation Action Status area (from Kauai SP3) or from the Timeline tab.
See the Timeline for a summary of all actions taken on the threat and all notes recorded.
If the Reporting time is very different than the identified time, the endpoint was probably offline at detection time, and did not report to the Management until it was online.
2. The Network History shows when and where
After you understand the status of the threat, look at the big picture and understand where the threat is found and if someone already analyzed it.
Best Practice: If you see that the threat was first seen a long time ago, and it appears multiple times, click the link on the number of times. All instances of the threat open in a Threats table. See which actions were done and which Analyst Verdict other analysts gave it already.
The details show for your whole access level, even if you had a narrower scope open in the Management Console. For example, you have access to a Site but were looking at Threats with a Group scope selected: You will see network history information for a threat in the whole Site.
- See the first and last time the threat was seen in your scope.
- See how many times the threat was detected and on how many different endpoints.
- See the scope distribution - how many Accounts, Sites, and Groups have this incident.
Note: Threats are grouped by hash. Fileless threat always show as one time per endpoint because they do not have a hash.
3. The Threat Info shows the data of the threat itself
- See all details of the threat: Path, Command line arguments, Process user, Publisher name, Signer identity (certification ID), Signature verification, Originating process, SHA1 hash, Initiated by (how the threat was generated), Detecting engine, Classification, File size, Storyline, and Threat ID.
- Click the hash and see options to search for it in Recorded Future, Open in Virus Total, or copy the hash.
- To copy all threat data to clipboard, click Copy. This copies the available data about the threat and the endpoint to use outside of the Management Console. If Kubernetes data is available, those details are copied also. Fields that show N/A are not copied.
- To download the threat file click Fetch Threat File, for example, to test it in a sandbox. Make sure to follow the procedure to get the file.
Tip: Click a detail to open a quick actions menu and see what you can do with it. For example:
4. The Endpoint Details show the current status and details at detection time.
- See the current status, whether online or offline, and if the Network status is Enabled (connected) or Disabled (disconnected from the network).
- If the endpoint is on Docker or Kubernetes, the container information shows in a Kubernetes or Docker tab.
- Click the endpoint name to open a quick actions menu. From here you can run these actions, based on your role and permissions:
- Open Endpoint - Jump to the Endpoint Details for the most current endpoint information.
- Remote Shell - Non-functional - instead use Remote Background Management
- Show threats on the Threats page - Opens the threat page filtered for all threats on the endpoint.
- Disconnect from Network - Puts an endpoint in network quarantine.
- Copy - Copies the endpoint name for you to paste elsewhere.
- See the details at detection time. From management version Kauai, the data of the endpoint at detection time is saved. This includes the Agent's scope, version, UUID, and policy, and the endpoint's IP addresses and domain.
- The threat was detected on an older Agent version that did not support a specific capability. Now the Agent is upgraded so it is protected from this type of threat.
- See the Subscription time, when the Agent registered to the Management Console for the first time. If it is a new Agent, see if it is Pending Reboot to enable the Behavioral AI engines.
- The endpoint's scope might have changed since detection, for example if it moved to a different Dynamic group. The policy settings can change based on the new scope.
Tip: Click a detail to open a quick actions menu and see what you can do with it.
If an endpoint is disconnected, the option shows Reconnect.
For threats that occurred on management versions before Kauai, only the Agent version and policy from detection time will show.
Use the information shown to understand the situation at the time of the threat. For example:
5. Threat Indicators show why the engine detected the incident
- The indicators show what behavior the engine detected that marked the incident as malicious or suspicious.
- Indicators for Behavioral AI detections include references to the Mitre Attack Matrix, and use the Mitre methodology and terminology for easy cross-reference. Click a link to learn about the TTP on the MITRE website.
You can add notes to threats to describe actions you took on the threat and why, or to record relevant information. Link in the notes are clickable. For example, add a link to an external ticket.
All users with permissions to see the threat can add notes, but only the author of a note can Edit or Delete it.
To add Notes:
- In the Forensics Page, click Notes
- Click Add new
- Enter your note and click Send
To add the same Note to multiple threats:
- If you add a Note from the Mitigation Action window and select Apply to all of instances of this threat, the same note is added to all of the instances.
- If you select multiple threats in the Threats table and select Threat Actions > Add a Note, the same note is added to all selected threats.
Choose a Next Step
At this point your initial analysis is probably completed. Decide what to do next.
- For static threats, where a file did not run, or was stopped before it ran:
- Decide if it is a true positive and change the Analyst Verdict accordingly.
- Decide if any further mitigation or threat actions are required.
- Remember to change the Incident Status to Resolved when you are finished.
- For dynamic threats, where a process, or group of processes ran and made changes:
From Kauai SP2, you can see the Detection Type, Dynamic or Static, in the threat details.
For all threats: You can see the Timeline to review all information about the threat, endpoint, and hash to understand what happened, when, and by whom.
The timeline gathers all information about the threat, endpoint, and hash so you can understand what happened, when, and by whom. It includes:
- Threat status changes, mitigation actions, status changes, analyst verdict changes, and notes.
- Endpoint-related activities from the detection time until the threat is marked as benign, mitigated, or resolved.
- Exclusion and blacklist entries related to the hash of the threat, that are created in the endpoint's EDR Policy
The timeline can start before the detection time. For example, if someone added this hash to the blacklist and then the threat was detected based on the user-defined blacklist engine.
Using the Timeline:
- By default all activities show. Click Filters to see the filters available and select which events to include.
- When you scroll down, use the purple arrow to jump back to the top
- If a new event occurs while you are viewing the timeline, a New events button shows. Click it to jump to the new events.
- Click the magnifying glass to search all events for a string. This includes names in the Management Console and free text.
- To use the timeline details for a deeper analysis outside of the Management Console, you can export the activities in the timeline.
To export the Timeline log of events:
The events that are open are exported. For example, if you filtered for Endpoint, only events on the endpoint will be in the export file.
- In the Incident Details of a threat, click the Timeline tab
- Click Export
The Timeline is downloaded as a .csv file. The file is saved to your computer with the threat name and date.
To download a Mitigation Report from the Timeline:
The Mitigation Report gives you detailed information for each mitigation action taken on a threat.
- In the Incident Details of a threat, click the Timeline tab.
- Optional: Click Filters and select Mitigation, to see only mitigation activities.
- A download icon shows next to mitigation activities for Agents of supported versions. Click the icon next to a mitigation activity.
The report downloads to your browser as a .csv file.
To see all events of a dynamic threat (detected by a Behavioral AI engine) in a graphical process tree and a table view, open the Explore tab.
For static threats, where a file did not run, or was stopped before it ran, the tab shows No Processes found for this threat.
From Kauai SP2, you can see the Detection Type, Dynamic or Static, in the threat details.
To use the Process tree:
- If available, click the plus sign (+) in a node to see its children, or Load more to see more nodes.
- Drag and drop the tree.
- Zoom in and out. Click Full Screen Mode to see only the tree in your browser window.
- In the Processes menu on the left, select a process to view in the tree. By default the root process is shown. Click Search Processes to search for a specific process in the storyline.
- Click a node to see its details in the Process Summary on the right.
- When you select a node, see where it falls in the timeline below.
The events table is also filtered to show events related to that node.
A table of events related to the threat shows below the process tree and timeline. The table has tabs for different event types: File, Network Actions, Processes, Indicators, and Registry.
To use the events table:
- The All Events tab shows all of the different events combined in one list, sorted by time in ascending order. Use this to understand the order of events in a tabular view.
- Each event shows up to six attributes that are the most important one for that event type. Note that each event shows different attributes in this view.
- To only see events of a certain category, such as Process events, click that tab.
- When a node is selected in the tree, the events table is filtered to show events for that node. A smaller number of events shows in the tabs. Click Clear Filter to show the events for the whole storyline.
- The table shows up to 100,000 events per threat. If the threat has more than this number of events, a message shows Partial Story.
- We recommend that you use the default columns and order for each tab. You can click Columns to select which to show or drag and drop columns in the table to change their order.
To see the root of the Storyline in the tree and in the table:
- Under the timeline, click Go to root.
The root process of the storyline is selected in the process tree, and the events in the table are filtered for that process.
To export the current view of the Process table: