Detection
The Detection page in the incident detail displays data associated with the incident that is derived from events, judgments, and indicators. By default, the table displays all events from when the incident was created (original events), auto-enriched or manually investigated. You can filter the types of events to narrow the list of results in the table.
Each row in the table includes data from an event that was initially involved with the incident, or events and indicators included in the saved investigations that are linked to the incident.
Column Name |
Description |
---|---|
First Seen |
Date and time the sighting was first observed. The sightings are sorted by timestamp and you can choose to sort newest to oldest (Ascending) or oldest to newest (Descending) using the sort icon in the column heading. |
Severity |
The threat level given to the event (Critical, High, Medium, Low, None, Unknown, Info). You can sort the events by highest to lowest severity (Descending) or lowest to highest severity (Ascending) using the sort icon in the column heading. |
Source |
Cisco XDR integration module or source that produced the sighting. Click the Source link to open the event in the originating product. |
Indicators |
List of indicators the sighting is related to via a sighting-of relationship. |
Observables |
Any observables that were contained in the event, and dispositions of the observables taken from verdicts. The observables are color-coded and sorted based on the disposition. Click the (Pivot Menu) icon next to the observable name to view the disposition, observable type, and verdicts associated with the observable, and perform additional tasks. See the Pivot Menu help topic for more information. |
Assets |
The assets that were targeted in the sighting; where the displayed asset values are based on strong identifier types. The assets are color-coded based the asset type. Click the (Pivot Menu) icon next to the observable name to view the disposition, observable type, and verdicts associated with the observable, and perform additional tasks. See the Pivot Menu help topic for more information. |
You can filter the events by type, source, and severity to narrow the list of results in the table.
Filter by Type
The Type menu allows you to display all events, original events, or investigated events.
Click the Type drop-down menu and choose which events you want displayed in the list (All, Original, or Investigated). All is selected by default.
Filter by Source
The Source menu allows you filter through events that were promoted from specific integration modules. All modules are automatically shown by default.
Click the Source drop-down menu and check the check boxes next to the integration modules that promoted the events. When you select a single module in the filter, the name of the module is displayed on the Source filter label; when multiple modules are selected, the number of selections is displayed on the label. You can click Select All to quickly include or exclude modules.
The number of selections is always visible on the Clear button in the upper right corner of the drop-down menu. To remove your selections, click the Clear button.
If the event contains 5 or more modules, a Search bar is visible to enable you to narrow the filter options even further.
Filter by Severity
The Severity menu allows you display events based on the severity level (All, Critical, High, Medium, Low, None, Unknown, Info).
Click the Severity drop-down menu and choose the severity level of the events and indicators that you want displayed in the list (All is selected by default).
When you click an event in the list, the Event drawer opens where you can quickly view the details of the event.
The Event drawer shows the following information about the selected event.
Name |
Name of the event. |
First Seen |
The date and time when the event was first sighted. |
Severity |
The severity level assigned to the event. |
Reported by |
The source and module that reported the event. |
Short description |
Expand the panel to view the condensed description of the event. |
Long description |
Expand the panel to view the observable type, description, the earliest and latest observation time, and any associated alerts. |
Relations |
Expand the panel to view the total number of observables that had a relationship to the selected sighting, and a list that shows whether the observable was connected to, accessed by, or communicated with the observable. Click the (Pivot Menu) icon next to each observable to investigate it or perform additional tasks. See the Pivot Menu help topic for more information. |
Indicators |
Expand the panel to view the total number of indicators that the sighting is related to and a list that shows the incidents. |
Assets |
Expand the panel to view the total number of assets that were targeted in the sighting; where the displayed asset values are based on strong identifier types. The assets are color-coded based on the asset type. Click the (Pivot Menu) icon next to each asset to investigate it or perform additional tasks. See the Pivot Menu help topic for more information. |
Observables |
Expand the panel to view the total number of observables that were contained in the sighting, and a list that shows the observables and dispositions taken from verdicts. The observables are color-coded and sorted based on the disposition. Click the (Pivot Menu) icon next to each asset to investigate it or perform additional tasks. See the Pivot Menu help topic for more information. |