Incidents
  • 31 Oct 2023

Overview

Incidents refer to a set of correlated alerts. Interceptor automatically correlates alerts into incidents to reduce the workload for analysts.

Cyberattacks do not happen over the course of a single alert

Cyberattacks involve different techniques. When these exploitations occur, Interceptor provides different alerts at every stage of an attack, and then correlates them together to provide context on what is happening in your network.

For example, to gain initial access an attacker might brute-force a Remote Desktop Protocol server, then move laterally over unprotected Windows shares to deploy malware that calls back to its command and control server. This malware establishes an HTTP reverse tunnel to an IP address that has never before been observed in the network. Each of these stages raises its own alert, and together they form one incident. An example of an incident with high diversity of artifacts is shown below:

Incident with high diversity of artifacts

An example of an incident with low diversity of artifacts can be seen in this next image. In this case, every artifact type (source IP, destination IP, alert policy, and domain) has only one distinct value:

Incident with low diversity of artifacts

Another indication of a malicious incident is the MITRE Matrix view, found in the top-right corner of the incident view. It shows which MITRE ATT&CK techniques the alerts in the incident map to, which feeds directly into the severity: the more distinct MITRE techniques an incident contains, the higher its severity.

Two examples of the MITRE ATT&CK matrix:

Higher number of MITRE matrix techniques

Lower number of MITRE matrix techniques

Accessing Incidents

To access Incidents, go to the Cybersecurity ▶ Incidents window.

Setting the Reporting Period

You can set the reporting period from the Time Range menu, as shown below:


Viewing Incident Details

Hover over an incident, or click its row in the incidents table, to view details of the incident, including:

  • Severity Index
  • Current Status
  • Number of Alerts
  • Created, Last modified and Time of Last Alert

To modify the name of the incident, click the pencil icon next to the default incident name in the top-left corner.

How to modify incident name

Incident Severity

Incidents are categorized as follows:

  • 0-3 Low severity (green)
  • 3-5 Medium severity (yellow)
  • 5-7 High severity (orange)
  • 7+ Critical severity (red)

Investigating an Incident

Click Investigate to show more information about an incident. Information includes details such as when the incident was created, the time the last alert was detected within the incident, and when the incident was last modified. Last modified represents the last time a user modified the incident, such as changing the status of an incident from New to In Progress.

Open an incident

Incident Status

To change the incident status, select an incident and click the Status drop-down menu to choose the required value. Incidents have the following statuses:

  • New
  • In Progress
  • Closed
  • Resolved

Once you change an incident from New to In Progress, it cannot be switched back to New. If, however, an incident is Closed, it can be re-opened. If an incident is Resolved or Closed, it cannot be switched back to New.

Note: Alerts cannot be added to Incidents that are in the Closed, Resolved, or In Progress state.
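The following is an added, illustrative model (not Interceptor's own code or algorithm) of the rules this article states: an incident is a set of correlated alerts, artifact diversity and the number of distinct MITRE techniques drive severity, status moves one way except that a Closed incident can be re-opened, and Closed, Resolved or In Progress incidents accept no new alerts. The correlation key (shared source or destination IP), the severity formula, the severity category boundaries, the state reached on re-open (In Progress), Resolved being terminal, and the sample alerts are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Alert:
    src_ip: str
    dst_ip: str
    policy: str
    domain: str
    technique: str  # MITRE ATT&CK technique id, e.g. "T1110"


# The four artifact types the article names for incident diversity.
ARTIFACT_TYPES = ("src_ip", "dst_ip", "policy", "domain")


def severity_category(index: float) -> str:
    """Map a severity index to the article's categories.
    Assumption: lower bound inclusive, upper bound exclusive, 7 and above is Critical."""
    if index >= 7:
        return "Critical"
    if index >= 5:
        return "High"
    if index >= 3:
        return "Medium"
    return "Low"


class Incident:
    # Transitions stated in the article. Assumptions: re-opening a Closed
    # incident puts it In Progress, and Resolved is terminal.
    TRANSITIONS: Dict[str, Set[str]] = {
        "New": {"In Progress", "Closed", "Resolved"},
        "In Progress": {"Closed", "Resolved"},
        "Closed": {"In Progress"},
        "Resolved": set(),
    }

    def __init__(self, incident_id: int, first_alert: Alert) -> None:
        self.incident_id = incident_id
        self.status = "New"
        self.alerts: List[Alert] = [first_alert]
        self.history: List[str] = ["New"]  # status log, as in the Comments and Status section

    def accepts_alerts(self) -> bool:
        # Only New incidents grow; Closed, Resolved and In Progress do not.
        return self.status == "New"

    def hosts(self) -> Set[str]:
        return {a.src_ip for a in self.alerts} | {a.dst_ip for a in self.alerts}

    def distinct_techniques(self) -> int:
        return len({a.technique for a in self.alerts})

    def artifact_diversity(self) -> Dict[str, int]:
        """Distinct values per artifact type; 1 everywhere means low diversity."""
        return {t: len({getattr(a, t) for a in self.alerts}) for t in ARTIFACT_TYPES}

    def severity_index(self) -> float:
        """Assumed formula: one point per distinct technique plus half a point for
        every artifact type that has more than one distinct value."""
        varied = sum(1 for n in self.artifact_diversity().values() if n > 1)
        return self.distinct_techniques() + 0.5 * varied

    def set_status(self, new_status: str) -> None:
        if new_status not in self.TRANSITIONS.get(self.status, set()):
            raise ValueError(f"cannot move incident from {self.status} to {new_status}")
        self.status = new_status
        self.history.append(new_status)


class Correlator:
    """Groups alerts into incidents. Assumed correlation key: an alert joins an
    incident that still accepts alerts when it shares a host (source or
    destination IP) with it; otherwise it opens a new incident."""

    def __init__(self) -> None:
        self.incidents: List[Incident] = []

    def ingest(self, alert: Alert) -> Incident:
        for inc in self.incidents:
            if inc.accepts_alerts() and ({alert.src_ip, alert.dst_ip} & inc.hosts()):
                inc.alerts.append(alert)
                return inc
        inc = Incident(len(self.incidents) + 1, alert)
        self.incidents.append(inc)
        return inc


# Constructed sample alerts mirroring the attack chain described in the article.
SAMPLE_ALERTS = [
    Alert("10.0.0.5", "10.0.0.20", "RDP brute force", "-", "T1110"),
    Alert("10.0.0.5", "10.0.0.30", "Windows share lateral movement", "-", "T1021"),
    Alert("10.0.0.30", "203.0.113.7", "HTTP reverse tunnel", "c2.example", "T1572"),
]


def run_sample() -> Correlator:
    c = Correlator()
    for a in SAMPLE_ALERTS:
        c.ingest(a)
    return c


if __name__ == "__main__":
    for inc in run_sample().incidents:
        print(inc.incident_id, inc.status, inc.severity_index(),
              severity_category(inc.severity_index()), inc.artifact_diversity())
```

Running the sample correlates all three constructed alerts into one incident with three distinct techniques and every artifact type varied, which the assumed formula scores as High; a single-alert incident with one technique scores Low. Once the incident is moved to In Progress, a further related alert opens a new incident rather than joining it, matching the note above.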

Defining Closed and Resolved Incidents

A Closed status indicates that the incident did not require remediation and was closed because it was determined that there was no real threat. Any new alert that comes in after an incident is closed is opened as a new incident.

A Resolved status means that the incident was malicious and required and received remediation procedures. This is an incident that has been fixed.

Filtering and Data Copying

To filter alerts in the incident, click any cell in the Alerts table. This adds the value of the cell to the action bar; then click the filter icon or the crossed-out filter icon to add it to the filter. When adding the value to the filter, choose Include or Exclude to have matching alerts included or excluded respectively.

To copy the value of a cell, click the copy icon.

Working with Incident Alerts

To see all alerts of an incident in the Alerts tab, click the See alerts button.

This will redirect you to the Alerts tab with a filter pre-set that includes the incident ID.

For more information on how to work with Alerts, refer to the Alerts article here.

Distribution Settings and Correlation

You can change the way the columns appear in the Distribution with correlation window, which is located in the distribution settings. The values that can be shown or hidden are:

  • Source IP
  • Destination IP
  • Domain
  • Alert Policy
  • Paired IP addresses

From here, you can adjust the column width and set text to Small, Medium, Large or Fit.

The Fit option automatically sizes the display to fit perfectly in the screen and avoids truncated information.

You can move values around or click on a value to use filters to include or exclude these values from the view of alerts.


Top Detected Techniques

Click the right panel to see Top Detected Techniques, which gives a breakdown of the alerts in the incident by MITRE matrix techniques.

To see all alerts belonging to a specific technique, click that technique's cell in the MITRE matrix. This gives another view of the techniques attackers have used against the environment.

Open MITRE matrix

Comments and Status Section

You can see the history of an incident status and add comments on the investigation in the Comment and Status section. This is a useful tool to track changes in status and view a log of comments.

Incident comments

Alert Cluster section

An alert cluster is a set of similar alerts that occurred within an incident. The unique alert clusters that make up an incident are displayed in the Clustered Alerts section, which shows how many clusters there are and how many alerts each cluster contains. Clicking a row enables the See cluster button, which leads to the alerts overview filtered on the selected cluster ID.

© 2024 Cisco and/or its affiliates. All rights reserved.