Detection
The Detection page in the incident detail displays data associated with the incident that is derived from events, judgments, and indicators. By default, the table displays all events: those present when the incident was created (original events) and those added later through automatic enrichment or manual investigation (investigated events). You can filter the types of events to narrow the list of results in the table.
Each row in the table includes data from an event that was initially involved with the incident, or from events and indicators included in saved investigations that are linked to the incident.
| Column Name | Description |
|---|---|
| First Seen | Date and time the sighting was first observed. The sightings are sorted by timestamp; use the sort icon in the column heading to sort oldest to newest (Ascending) or newest to oldest (Descending). |
| Severity | The threat level given to the event (Critical, High, Medium, Low, None, Unknown, Info). Use the sort icon in the column heading to sort highest to lowest severity (Descending) or lowest to highest severity (Ascending). |
| Source | Cisco XDR integration module or source that produced the sighting. Click the Source link to open the event in the originating product. |
| Indicators | List of indicators the sighting is related to via a sighting-of relationship. |
| Observables | Any observables that were contained in the event, with the dispositions of the observables taken from verdicts. The observables are color-coded and sorted by disposition. Click the (Pivot Menu) icon next to an observable name to view its disposition, observable type, and associated verdicts, and to perform additional tasks. See the Pivot Menu help topic for more information. |
| Assets | The assets that were targeted in the sighting; the displayed asset values are based on strong identifier types. The assets are color-coded by asset type. Click the (Pivot Menu) icon next to an asset name to investigate the asset or perform additional tasks. See the Pivot Menu help topic for more information. |
You can filter the events by type, source, and severity to narrow the list of results in the table.
Filter by Type
The Type menu allows you to display all events, original events, or investigated events.
Click the Type drop-down menu and choose which events you want displayed in the list (All, Original, or Investigated). All is selected by default.
Filter by Source
The Source menu allows you to filter the events by the integration modules that promoted them. All modules are shown by default.
Click the Source drop-down menu and check the check boxes next to the integration modules that promoted the events. When you select a single module in the filter, the name of the module is displayed on the Source filter label; when multiple modules are selected, the number of selections is displayed on the label. You can click Select All to quickly include or exclude all modules.
The number of selections is always visible on the Clear button in the upper right corner of the drop-down menu. To remove your selections, click the Clear button.
If the filter lists 5 or more modules, a Search bar is shown so that you can narrow the filter options further.
Filter by Severity
The Severity menu allows you to display events based on their severity level (All, Critical, High, Medium, Low, None, Unknown, Info).
Click the Severity drop-down menu and choose the severity level of the events and indicators that you want displayed in the list (All is selected by default).
Filter Important Only
Check the Important only check box to show only events that have been deemed notable. An important event meets one or more of the following criteria:
- First encounter of target or indicator
- One of first 3 original events
- Critical or high severity
- MITRE ATT&CK data
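The Type, Source and Severity filters, the column sorting, and the Important only rules above can be reproduced on a local copy of the event list, which is useful when you pull incident data out of the console for triage or reporting. The following is an added example written for this page; it is not Cisco XDR product code. The event records, their field names (`type`, `source`, `severity`, `first_seen`, `targets`, `indicators`, `attack_techniques`) and the module names are constructed for the example and are not the product's schema.

```python
"""Added example (not Cisco XDR code): Detection-page filters, sorting and the
"Important only" rules applied to a constructed event list. Field names below
are assumptions made for this example, not the product's schema."""
from datetime import datetime

# Severity order used by the Severity column, highest first.
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "None", "Unknown", "Info")
SEVERITY_WEIGHT = {n: len(SEVERITY_ORDER) - i for i, n in enumerate(SEVERITY_ORDER)}


def parse_ts(value):
    """ISO 8601 timestamp with trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _ev(id_, type_, source, severity, first_seen, targets, indicators, attack=()):
    return {"id": id_, "type": type_, "source": source, "severity": severity,
            "first_seen": first_seen, "targets": list(targets),
            "indicators": list(indicators), "attack_techniques": list(attack)}


# Constructed sample events, in the order the incident acquired them.
EVENTS = [
    _ev("e1", "Original", "Secure Endpoint", "Medium", "2024-05-01T10:00:00Z", ["host-a"], ["ind-1"]),
    _ev("e2", "Original", "Secure Endpoint", "Low", "2024-05-01T10:05:00Z", ["host-a"], ["ind-1"]),
    _ev("e3", "Original", "Secure Firewall", "Low", "2024-05-01T10:07:00Z", ["host-a"], []),
    _ev("e4", "Original", "Secure Firewall", "Info", "2024-05-01T10:09:00Z", ["host-a"], ["ind-1"]),
    _ev("e5", "Investigated", "Umbrella", "High", "2024-05-01T11:00:00Z", ["host-a"], ["ind-1"]),
    _ev("e6", "Investigated", "Umbrella", "Low", "2024-05-01T11:30:00Z", ["host-b"], []),
    _ev("e7", "Investigated", "Secure Endpoint", "Medium", "2024-05-01T12:00:00Z", ["host-a"], ["ind-1"], ["T1059.001"]),
    _ev("e8", "Investigated", "Umbrella", "Low", "2024-05-01T09:00:00Z", ["host-c"], ["ind-2"]),
    _ev("e9", "Investigated", "Secure Endpoint", "Medium", "2024-05-01T12:30:00Z", ["host-a"], ["ind-1"]),
]


def filter_events(events, types=("All",), sources=None, severities=("All",)):
    """Apply the Type, Source and Severity filters.

    'All' in types/severities disables that filter (the page default);
    sources=None keeps every module, otherwise only the named modules.
    """
    kept = []
    for ev in events:
        if "All" not in types and ev["type"] not in types:
            continue
        if sources is not None and ev["source"] not in sources:
            continue
        if "All" not in severities and ev["severity"] not in severities:
            continue
        kept.append(ev)
    return kept


def sort_events(events, by="first_seen", descending=False):
    """Sort by First Seen (time) or Severity (Critical highest). Stable."""
    if by == "first_seen":
        key = lambda ev: parse_ts(ev["first_seen"])
    elif by == "severity":
        key = lambda ev: SEVERITY_WEIGHT.get(ev["severity"], 0)
    else:
        raise ValueError(f"unsupported sort column: {by}")
    return sorted(events, key=key, reverse=descending)


def important_reasons(events):
    """Map event id -> list of the "Important only" criteria the event meets.

    'First encounter' is judged by First Seen, not by list position, so an
    investigated event with an earlier timestamp can be the first encounter.
    """
    by_time = sort_events(events, "first_seen")
    first_target, first_indicator = {}, {}
    for ev in by_time:
        for t in ev["targets"]:
            first_target.setdefault(t, ev["id"])
        for i in ev["indicators"]:
            first_indicator.setdefault(i, ev["id"])
    originals = [ev["id"] for ev in by_time if ev["type"] == "Original"]
    first_three_originals = set(originals[:3])
    reasons = {}
    for ev in events:
        why = []
        if any(first_target[t] == ev["id"] for t in ev["targets"]) or any(
                first_indicator[i] == ev["id"] for i in ev["indicators"]):
            why.append("first encounter of target or indicator")
        if ev["id"] in first_three_originals:
            why.append("one of first 3 original events")
        if ev["severity"] in ("Critical", "High"):
            why.append("critical or high severity")
        if ev["attack_techniques"]:
            why.append("MITRE ATT&CK data")
        reasons[ev["id"]] = why
    return reasons


def important_only(events, universe=None):
    """Events meeting at least one criterion. Criteria that depend on other
    events (first encounter, first 3 originals) are judged against `universe`
    (default: `events`), so pass the unfiltered list when combining filters."""
    reasons = important_reasons(universe if universe is not None else events)
    return [ev for ev in events if reasons.get(ev["id"])]


if __name__ == "__main__":
    shown = filter_events(EVENTS, sources={"Umbrella", "Secure Endpoint"})
    for ev in sort_events(important_only(shown, universe=EVENTS), "severity", descending=True):
        print(ev["id"], ev["severity"], "; ".join(important_reasons(EVENTS)[ev["id"]]))
```

Note that `important_only` evaluates the cross-event criteria against the full event list even when a Source or Severity filter is active; otherwise filtering to one module would make that module's earliest event look like a "first encounter" that the unfiltered view would not flag.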
When you click an event in the list, the Event drawer opens where you can quickly view the details of the event.
The Event drawer shows the following information about the selected event.
| Field | Description |
|---|---|
| Name | Name of the event. |
| First Seen | The date and time when the event was first sighted. |
| Severity | The severity level assigned to the event. |
| Reported by | The source and module that reported the event. |
| Short description | Expand the panel to view the condensed description of the event. |
| Long description | Expand the panel to view the observable type, description, the earliest and latest observation time, and any associated alerts. |
| Relations | Expand the panel to view the total number of observables that had a relationship to the selected sighting, and a list that shows how each observable relates to the others (for example, connected to, accessed by, or communicated with). Click the (Pivot Menu) icon next to each observable to investigate it or perform additional tasks. See the Pivot Menu help topic for more information. |
| Indicators | Expand the panel to view the total number of indicators that the sighting is related to, and a list of those indicators. |
| Assets | Expand the panel to view the total number of assets that were targeted in the sighting; the displayed asset values are based on strong identifier types. The assets are color-coded by asset type. Click the (Pivot Menu) icon next to each asset to investigate it or perform additional tasks. See the Pivot Menu help topic for more information. |
| Observables | Expand the panel to view the total number of observables that were contained in the sighting, and a list of the observables with their dispositions taken from verdicts. The observables are color-coded and sorted by disposition. Click the (Pivot Menu) icon next to each observable to investigate it or perform additional tasks. See the Pivot Menu help topic for more information. |