Incidents

The Cisco XDR Incidents feature helps you minimize the time spent on detection and response of correlated security events by providing the most critical information needed to detect, triage, investigate, and respond all in one place. With risk-based prioritization of security detections, you can focus on the most critical incidents and view recommendations that enable you to immediately diagnose, contain, and remediate the incident.

Incidents are groups of correlated events generated using data ingested from your integrated products. By correlating events which could be part of a larger threat into an incident, it reduces the time typically required to investigate individual security alerts or detections. Incidents are ranked to help you prioritize your investigation.

Cisco XDR uses extracted meta data to determine what the events have in common, which are referred to as common indicators. Common indicators include devices, IP addresses, host names, user names, and file hashes. The MITRE ATT&CK® framework is then followed to further identify the tactics, techniques, and procedures (TTPs) to model the sequencing of actions and threat behaviors which could be early indications of an attack.

Incidents are updated as new events occur, and multiple incidents can be merged as additional common indicators are found. The merged incident contains the common indicators from the previous incidents, which are automatically closed. If there are no additional common indicators found in 7 days, the incident will no longer be updated. A new incident is created if more correlated events and common indicators are seen after 7 days.

With Cisco XDR Incidents feature, you can:

  • View a list of incidents, prioritized by risk.

  • Open the Incident drawer and view a high-level summary of the incident in one place.

  • Dive deeper into the incident detail to gain an understanding of the threat and quickly triage and remediate it.

Click Incidents in the left menu to open the Incidents page and view the incidents that have been promoted to Cisco XDR.

Incidents

Incidents are scored and prioritized for display on the Incidents page using an overall priority score calculated from detection risk (including incident severity and TTP-based risk of financial loss) and asset value at risk (based on the value of assets involved in the incident). The priority score is color-coded based on the priority (see Color and Icon Key for more information).

Note: Improvements have been made to the formula used to calculate the overall priority score and the priority score for new incidents may be lower than the priority score calculated prior to the 2.29 (October 23rd, 2024) release. This may cause the new incidents to appear below the previous incidents in the incidents list. The updated formula improved the way TTPs are factored into the overall incident priority score, providing a more accurate reflection of the priority of incidents that require response actions.

High-level summary metrics are displayed in the upper portion of the page that show the total number of Incidents, New Incidents, Open Incidents, and Unassigned Incidents. Click any of the cards to filter the list of incidents based on the category.

By default, incidents that are marked with the Closed status are hidden from the Incidents list. You can display incidents with the Closed status by clicking the Include closed incidents toggle to on.

The Incidents list includes the priority risk score assigned to the incident, the name of the incident, the source or product that promoted it to Cisco XDR, when the incident was created, who has been assigned to it, and the current status. The incidents are sorted based on the priority score. Click the Source link to open the event in the originating product.

From this page, you can perform the following tasks:

By default, the incidents are displayed in the list based on the priority score. You can search, filter, and sort the incidents to narrow the display to only those incidents you want to view.

You can scroll the list of incidents using the scroll bar on the page or the up and down arrow keys on your keyboard.

Use the Search field above the list of incidents to find specific incidents. The search is triggered as you enter the criteria. You can search for incidents by title, short_description, long description, and asset name. Search entries are not case sensitive.

The incidents that are displayed in the list are those that have been promoted updated during the specified date range. By default, the list includes incidents promoted within the last 30 days. You can narrow the display of incidents based on a specific time frame using the Date Range menu above the Incidents list.

Date Range Menu

Click the Date Range drop-down menu and choose the date range for the incidents you want to be displayed:

  • Last 24 hours - Displays incidents promoted within the last 24 hours that match the filter criteria.
  • Last 7 days - Displays incidents promoted within the last 7 days that match the filter criteria.
  • Last 30 days - Displays incidents promoted within the last 30 days that match the filter criteria. This is the default setting.
  • Last Year - Displays incidents promoted within the last year that match the filter criteria. Incidents are only available for one year.
  • Custom Range - Displays the incidents promoted within the specified start and end date, and that match the filter criteria.

Filter the display of incidents based on date range, assignment, status, or priority score using the Filters drawer by clicking the (Filters) icon above the list of incidents or by clicking any of the filter buttons across the upper portion of the Incidents page (Total Incidents, New Incidents, Open Incidents, or Unassigned Incidents).

Perform the following steps to use the Filters drawer to narrow the display of incidents by specific time frame, assignment, status, or priority score:

  1. Click the (Filters) icon to open the Filters drawer.

    2. Filter Incidents Drawer

  2. Configure the following filter options for those incidents you want to be displayed:

    • Include closed incidents - Click the toggle to on to display incidents with a Closed status in the incidents list. By default, the toggle is off and incidents that are marked with the Closed status are hidden from display.

    • Date Range - Choose the date range for the incidents you want to be displayed. For more information, see Filter Incidents by Date Range.

    • Status - From the drop-down list, check the check boxes next to the status to filter the incidents displayed in the incidents list.

    • Assignment - From the drop-down list, check the check boxes next to the assignment values to filter the incidents displayed in the incidents list. If you do not choose an assignment value, all incidents with all assignment values are displayed in the list.

    • Minimum Priority Score - Enter a number between 0 and 1000 to display incidents equal to or greater than the specified priority score. Only incidents with a priority score greater than or equal to this value will be shown.

  3. Click Apply to save your filter options.

    The incidents list will refresh and only display those incidents that match the date range and filter criteria.

    The Applied Filters area is displayed across the top of the incidents list. Click the (Expand) icon to display all the filter selections with the filter category and the filter tags. To remove a selected filter category, click the (Delete) icon or click the X in the filter tag to remove a specific selection within the filter category and the list will refresh.

Click the (Sort) icon in the column headers in the Incidents table to sort the incidents by ascending or descending order, lowest to highest order, or alphabetically:

  • Priority - Sort the incidents by lowest to highest priority, or highest to lowest priority.

  • Name - Sort the incidents alphabetically.

  • Source - Sort the incidents alphabetically by the module that promoted the event to an incident.

  • Created - Sort the incidents by newest to oldest, or oldest to newest.

  • Status - Sort the incidents alphabetically by status.

The status of the incident shows where it is in its lifecycle. All incidents start out with a status of New, which indicates that they have been reported by a system but have not been confirmed. As the incidents are triaged, they can be moved to Open status if deemed worthy of continuing an incident response process for the event. When finished, they can be marked as Closed. Alternatively, an incident can be immediately closed if it is deemed to be inaccurate or uninteresting.

Note: When the incident detail for a new, unassigned incident is first viewed, the incident status is automatically changed to Open.

You can change the status of a single or multiple incidents from the Incidents page.

Note: You can also change the status of a specific incident from the header on the Incident Detail page.

To change the status of a single incident from the Incidents page, click the drop-down menu in the Status column and choose the new status.

Change Single Incident Status

To change the status of multiple incidents, check the check boxes next to the incidents in the Incidents list and then click the Change Status drop-down menu in the bulk action bar and choose the new status.

Change Multiple Incidents Status

You can assign an incident to users from the Assigned column on the Incidents page or in the Assigned field in the header on the Incident Detail page.

If the incident has not yet been assigned, the Unassigned button is displayed. When the incident is assigned, an avatar with the user's initials is displayed and you can hover over the avatar to view the user's full name in a tooltip.

Note: If a user with an Incident Responder or Security Analyst role navigates to the Incident Detail page for an incident that is Unassigned and has a status of New, the incident is automatically assigned to the current user and the status is changed to Open.

  1. Click the Unassigned button or any of the avatars in the Assigned column of the Incidents table.

    2. If there are no users assigned to the incident, the current user is automatically suggested with the check box next to their name unchecked. Otherwise, the list of users already assigned to incident is displayed with the check box checked.

    Assignees

  2. Begin entering the user's name in the Search field and then check the check box next to their name in the list that is displayed. The matching letters entered in the Search field appear bold in the list that is returned to easily find the name of the assignee.

    3. To remove an assignee, uncheck the check box next to their name.

  3. Click outside the Assignee menu to apply your selection.

    4. When an incident is assigned to another user, they will receive a notification in the (Notifications) icon in the Cisco XDR header and ribbon. For more information about this feature, see the Notifications help topic.

When you click an incident in the list, the Incident drawer opens where you can quickly understand the incident at a high level. You can scroll the list on the Incidents page using the up and down arrow keys on your keyboard. If the Incident drawer is open, the drawer is populated with information for the selected incident as you scroll.

Incident Drawer

The incident drawer shows the following information to gain a quick high-level understanding of the impact the incident may have and the necessary information to take immediate action:

Drawer Header

The upper portion of the drawer shows the following information about the incident:

Title

The incident name that is displayed in the Incidents list is also displayed in the upper portion of the drawer.

Priority

The incident priority score is displayed in the uppermost portion of the incident drawer to give you immediate insight to the risk involved, and is color-coded based on the priority. The priority score is calculated from detection risk (including incident severity and TTP-based risk of financial loss) and asset value at risk (based on the value of assets involved in the incident).

Status

The current state of the incident and where it stands in regards to remediation. For more information, see Change Incident Status.

Reported by

The source or product that reported the incident and the relative amount of time from the date and time the incident was created; for example: 20 seconds, 2 hours, 6 days, 5 months, 2 years.

Click the source link to open the event in the originating product.

Assigned

Shows who has been assigned to the incident. Hover over the avatar to view the full user name.

You cannot assign users to the incident from this field. For more information, see Assign Incident.

MITRE

The MITRE TTP widget shows the MITRE ATT&CK® tactics impacting the incident. Hover over the widget to view a popup showing the specific MITRE tactics.

MITRE TTP Widget

Click View Details in the popup to view information about the specific tactics and techniques.

Priority Score Breakdown

Expand the Priority Score Breakdown section and view how the priority score was calculated from Detection Risk (including incident severity and TTP-based risk of financial loss) and Asset Value at Risk (based on the value of assets involved in the incident).

Summary

Expand the Summary section and view the summary of the incident. The information varies depending on the reporting product.

The AI-generated label is displayed at the end of the summary if the summary was generated by Cisco AI.

Description

Expand the Description section and view the metadata included in the description of the incident, such as Urgency, Event time, Promoted at (time), Reporting Device Type and ID, Security Intelligence Event and Category, and Promoting Reason. The Long Description will vary depending on the reporting product.

The AI-generated label is displayed at the end of description if the description was generated by Cisco AI.

Assets

The Assets panel is expanded by default and displays the total number of unique assets through all of the events related to the selected incident. These are the same assets that are displayed in the Assets drawer on this page and on the Overview page in the incident detail.

The assets are represented by an icon that allows you to easily distinguish the asset type.

Each asset includes a (Pivot Menu) icon that enables you to take action on it. You can perform some actions directly in the Pivot menu or pivot to the integrated product to perform additional actions.

View Incident Detail

To view more information about the incident, click View Incident Detail in the lower portion of the drawer to open the Incident Detail page, which includes an overview of the incident, event data associated with it, response actions, and a work log. For more information, see the Incident Detail help topic.

To close the drawer, click the (Close) icon in the upper right corner.

Linking incidents improves overall incident management by aggregating relevant incidents to create a bi-directional relationship between them, which helps streamline the incident response workflow. You can link two or more incidents. After incidents are linked, you can view the relationship between these incidents in the Linked Incidents drawer in the incident detail. You can also unlink incidents from the drawer.

Perform the following steps to link incidents:

  1. In the Incidents list, check the check boxes next to the incidents you want to link. Use the Filters drawer and Date Range menu to narrow the display of incidents.

  2. Click Link in the bulk action bar. The incidents are linked and displayed in the header and Linked Incident drawer in the incident detail.

For more information, see the Incident Detail help topic.

You can delete a single incident or multiple incidents that are displayed on the Incidents page.

Note: Deleting incidents is permanent and cannot be undone.

  1. In the Incidents list, check the check boxes next to the incidents you want to delete. Use the Filters drawer and Date Range menu to narrow the display of incidents.

  2. Click Delete in the bulk action bar.

  3. On the Delete Incident dialog box, check the I am sure I want to do this check box and then click Delete.

    A success message is displayed in the lower right corner of the screen and the screen is refreshed with the incident removed.