Managing Incidents in Analyze

See all threats, filter, search, and run actions from the Analyze > Threats table.

  • Click a threat to open the Incident details
  • Threats with the same hash are grouped together. Click the group to see each threat incident in a new table
  • Use the Actions menus above the table to run actions on one or more selected threats: run threat and mitigation actions, connect or disconnect endpoints, change the analyst verdict, or change the incident status
  • Select a time period. The time period you select is kept and opens in your next session as well
  • The Threats table is expanded to show more information at a glance. Select which columns show, and drag and drop column headers to change their order. Your customized view shows each time you view the page

Examples of how to use threat filters:

  • To see new threats, filter for:
    • Threat mitigation status - Not mitigated
    • Incident status - Unresolved
  • To find threats that require a reboot to complete mitigation, filter for: Reboot required - Yes
  • To see what your team is working on, filter for: Incident status - In progress
  • To find threats that were blocked, filter for: Mitigated preemptively - Yes

Note: Threats on Linux endpoints are not blocked preemptively
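The filter presets above combine several columns of the Threats table. The following added example (not SentinelOne code, and not the product's export schema; the record field names such as mitigation_status and content_hash are assumptions) applies the same presets to threat records exported from the console, grouped by content hash as the table does, and generalizes them into a small filter function that also supports the partial-string free text search the Filters section describes. The sample records are constructed for the example.

```python
"""Offline triage of exported threat records, mirroring the Analyze > Threats
table filters. Added example; field names are assumptions, not a vendor schema."""
from collections import defaultdict

# Fields the free text search looks at (a subset of the searchable types listed
# on the page, using assumed record keys).
SEARCH_FIELDS = ("filename", "file_path", "endpoint", "content_hash", "command_line")

# Constructed sample records using the filter values the page lists.
THREATS = [
    {"id": "t1", "endpoint": "WS-01", "os": "Windows", "filename": "dropper.exe",
     "file_path": r"C:\Users\alice\Downloads\dropper.exe", "content_hash": "aaa111",
     "mitigation_status": "Not Mitigated", "incident_status": "Unresolved",
     "reboot_required": False, "mitigated_preemptively": False, "command_line": ""},
    {"id": "t2", "endpoint": "WS-02", "os": "Windows", "filename": "dropper.exe",
     "file_path": r"C:\Temp\dropper.exe", "content_hash": "aaa111",
     "mitigation_status": "Mitigated", "incident_status": "In progress",
     "reboot_required": True, "mitigated_preemptively": True, "command_line": ""},
    {"id": "t3", "endpoint": "SRV-01", "os": "Linux", "filename": "miner.elf",
     "file_path": "/tmp/miner.elf", "content_hash": "bbb222",
     "mitigation_status": "Mitigated", "incident_status": "Resolved",
     "reboot_required": False, "mitigated_preemptively": False, "command_line": "./miner.elf -o pool"},
    {"id": "t4", "endpoint": "MAC-01", "os": "macOS", "filename": "updater.dmg",
     "file_path": "/Users/bob/Downloads/updater.dmg", "content_hash": "ccc333",
     "mitigation_status": "Not Mitigated", "incident_status": "Unresolved",
     "reboot_required": False, "mitigated_preemptively": False, "command_line": ""},
]


def filter_threats(threats, text=None, **criteria):
    """Every keyword criterion must match (a list value means 'any of these');
    an optional free text term is matched as a partial, case-insensitive string
    against SEARCH_FIELDS, so an extension such as '.exe' is a valid term."""
    def matches(t):
        for field, wanted in criteria.items():
            allowed = wanted if isinstance(wanted, (list, tuple, set)) else [wanted]
            if t.get(field) not in allowed:
                return False
        if text is not None:
            needle = text.lower()
            if not any(needle in str(t.get(f, "")).lower() for f in SEARCH_FIELDS):
                return False
        return True
    return [t["id"] for t in threats if matches(t)]


# The four presets from the text, built on the generic filter.
PRESETS = {
    "new": lambda ts: filter_threats(ts, mitigation_status="Not Mitigated",
                                     incident_status="Unresolved"),
    "reboot_required": lambda ts: filter_threats(ts, reboot_required=True),
    "in_progress": lambda ts: filter_threats(ts, incident_status="In progress"),
    "blocked": lambda ts: filter_threats(ts, mitigated_preemptively=True),
}


def group_by_hash(threats):
    """Group incidents the way the table does: one group per content hash."""
    groups = defaultdict(list)
    for t in threats:
        groups[t["content_hash"]].append(t["id"])
    return dict(groups)


def linux_preemptive_anomalies(threats):
    """Threats on Linux endpoints are not blocked preemptively, so a Linux
    record flagged as mitigated preemptively points at a bad export or a
    mislabelled record and should be checked rather than trusted."""
    return [t["id"] for t in threats if t["os"] == "Linux" and t["mitigated_preemptively"]]


if __name__ == "__main__":
    for name, preset in PRESETS.items():
        print(f"{name:16s} {preset(THREATS)}")
    print("by hash:", group_by_hash(THREATS))
    print("exe search:", filter_threats(THREATS, text=".exe"))
    print("linux anomalies:", linux_preemptive_anomalies(THREATS))
```

The presets return record ids in input order, so the same list can be fed to the hash grouping or to a ticketing step; the Linux check is the data-quality caveat the note above implies.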

Incidents Filters

Each filter and its valid values:

  • Free text search - Filename (partial strings match by default; a file extension is a valid search string), File Path, Endpoint Name, Threat Details (Detection name), Content Hash (SHA1), Agent UUID, Agent version (at Detection or Current), Domain (at Detection Time), Command Line Arguments, Initiated By (Username), Storyline, Originated Process, Publisher Name, Cluster Name, Node Name, Namespace Name, Controller Name, Pod Name, Image Name, Namespace Labels, Controller Labels, Pod Labels, Container Labels, External Ticket ID, All (searches in all types)
  • Threat mitigation status - Not Mitigated, Mitigated, Marked as benign
  • Confidence level - Malicious, Suspicious, N/A
  • Analyst verdict - Suspicious, True positive, False positive, Undefined
  • Incident status - Resolved, In progress, Unresolved
  • Pending actions - Yes, No
  • Action failed - Yes, No
  • Reboot required - Yes, No
  • OS - Windows, macOS, Linux, Windows Legacy
  • OS version - Various OS versions
  • Engine - Agent engines that detected the threat
  • Classification - Category of threat
  • Initiated by - How the threat was generated: Agent policy, Deep Visibility command, Full Disk Scan, Local Agent command, Management console
  • Endpoint connectivity - Offline, Online
  • Mitigated preemptively - Yes, No
  • Note exists - Yes, No
  • External ticket exists - Yes, No. Refers to tickets added and modified by Vigilance or by users through the API

Detection Engines

Each engine and what it detects:

  • Reputation - An engine that uses the SolarWinds Cloud and the user-defined Blacklist to make sure that no known malicious files are written to the disk or executed. Shows for detections from Management versions before Kauai
  • SentinelOne Cloud - An engine that blocks hashes that the SentinelOne Cloud defines as malicious. This makes sure that no known malicious files are written to the disk or executed (shows instead of Reputation from version Kauai)
  • User-Defined Blacklist - An engine that blocks hashes that your team defines as malicious for your environment (shows instead of Reputation from version Kauai)
  • On-Write DFI - A Static AI engine that inspects for malicious files written to the disk. It supports files that match the PE format and EICAR test files
  • On-Write DFI Suspicious - A Static AI engine that inspects for suspicious files written to the disk. It supports files that match the PE format and EICAR test files
  • Documents, Scripts - A Behavioral AI engine that focuses on all types of documents and scripts
  • DBT - Executables - A Behavioral AI engine that detects malicious activities in real time, when processes execute
  • Potentially Unwanted Applications - A Static AI engine on macOS devices that inspects applications that are not malicious but are considered unsuitable for business networks
  • Lateral Movement - A Behavioral AI engine that detects attacks that enter the network and spread inside it
  • Anti Exploitation / Fileless - A Behavioral AI engine focused on exploits and all fileless attack attempts, such as web-related and command line exploits
  • Detect Interactive Threat - A Behavioral AI engine that detects malicious commands in interactive sessions. This engine detects interactive threats that focus on insider threats (for example, an authenticated user runs malicious actions from PowerShell)
  • Intrusion Detection - A Behavioral AI engine that detects malicious commands in interactive sessions. This engine detects interactive threats that focus on insider threats (for example, an authenticated user runs malicious actions from a CMD or PowerShell command line)
  • Remote Shell - All threats that are generated during a remote shell session are classified under this engine