Incidents

The Cisco XDR Incidents feature helps you minimize the time spent on detection and response of correlated security events by providing the most critical information needed to detect, triage, investigate, and respond all in one place. With risk-based prioritization of security detections, you can focus on the most critical incidents and view recommendations that enable you to immediately diagnose, contain, and remediate the incident.

Incidents are promoted to Cisco XDR from correlated attack chains in Cisco Secure Cloud Analytics (now a part of Cisco XDR). By correlating alerts which could be part of a larger threat into an attack chain, it reduces the time typically required when investigating individual alerts. The attack chains are ranked to help you prioritize your investigation.

Secure Cloud Analytics uses extracted alert meta data to determine what the alerts have in common, which are referred to as common indicators. Common indicators include devices, IP addresses, host names, and user names. The MITRE ATT&CK® framework is then followed to further identify the tactics, techniques, and procedures (TTPs) to model the sequencing of actions and threat behaviors which could be early indications of an attack.

With Cisco XDR Incidents feature, you can:

  • View a list of incidents, prioritized by risk.

  • Open the Incident drawer and view a high-level summary of the incident in one place.

  • Dive deeper into the incident detail to gain an understanding of the threat and quickly triage and remediate it.

Click Incidents in the left menu to open the Incidents page and view the incidents that have been promoted to Cisco XDR.

Incidents

Incidents are scored and prioritized for display on the Incidents page using an overall priority score calculated from detection risk (including incident severity and TTP-based risk of financial loss) and asset value at risk (based on the value of assets involved in the incident). The priority score is color-coded based on the priority (see Color and Icon Key for more information).

High-level summary metrics are displayed in the upper portion of the page that show the total number of Incidents, New Incidents, Open Incidents, and Unassigned Incidents. Click any of the cards to filter the list of incidents based on the category.

The Incidents list includes the priority risk score assigned to the incident, the name of the incident, the source or product that promoted it to Cisco XDR, when the incident was created, who has been assigned to it, and the current status. The incidents are sorted based on the priority score. Click the Source link to open the event in the originating product.

From this page, you can perform the following tasks:

By default, the incidents are displayed in the list based on the priority score. You can search, filter, and sort the incidents to narrow the display to only those incidents you want to view.

You can scroll the list of incidents using the scroll bar on the page or the up and down arrow keys on your keyboard.

Use the Search bar above the list of incidents to find specific incidents. The search is triggered as you enter the criteria.

Search Incidents

The search functionality uses Lucene Query Syntax and allows for free-form text search of the incident title, short_description, long description, and asset name. You can also specify specific fields to search, such as status:New, which would limit the view to only New incidents.

Search entries are not case sensitive and wildcards are supported, so if you want to match an incident with endpoint in the summary, search for *endpoint.

The incidents that are displayed in the list are those that have been promoted updated during the specified date range. By default, the list includes incidents promoted within the last 30 days. You can narrow the display of incidents based on a specific time frame using the Date Range menu above the Incidents list.

Date Range Menu

Click the Date Range drop-down menu and choose the date range for the incidents you want to be displayed:

  • Last 24 hours - Displays incidents promoted within the last 24 hours that match the filter criteria.
  • Last 7 days - Displays incidents promoted within the last 7 days that match the filter criteria.
  • Last 30 days - Displays incidents promoted within the last 30 days that match the filter criteria. This is the default setting.
  • Last Year - Displays incidents promoted within the last year that match the filter criteria. Incidents are only available for one year.
  • Custom Range - Displays the incidents promoted within the specified start and end date, and that match the filter criteria.

Filter the display of incidents based on assignment, status, or priority score using the Filters menu above the list of incidents or by clicking any of the filter buttons across the upper portion of the Incidents page (Total Incidents, New Incidents, Open Incidents, or Unassigned Incidents).

Perform the following steps to use the Filters menu to narrow the display of incidents by assignment, status, or priority score:

  1. Click the (Filters) icon to open the Filters menu.

    2. Filter Incidents Menu

  2. Check the check boxes next to the filter options for those incidents you want to be displayed:

    • Assignment - Displays incidents with the selected assignment value (Assigned to Me, Assigned to Others, or Unassigned). If you do not select an assignment value, all incidents with all assignment values are displayed in the list.

    • Status - Displays incidents with the selected status (Closed, Containment Achieved, Incident Reported, New, Open, Rejected, Restoration Achieved, and Stalled). If you do not select a status filter, all incidents are displayed in the list.

    • Minimum Priority Score - Displays incidents equal to or greater than the specified priority score. Enter a number between 0 and 1000. Only incidents with a priority score greater than or equal to this value will be shown.

  3. Click Apply to save your filter options.

    The incidents list will refresh and only display those incidents that match the date range and filter criteria.

    The total number of matching results is displayed across the top of the incidents list, along with filter chips indicating the filter selections. To remove a selected filter, click the X in the filter chip and the list will refresh.

Click the (Sort) icon in the column headers in the Incidents table to sort the incidents by ascending or descending order, lowest to highest order, or alphabetically:

  • Priority - Sort the incidents by lowest to highest priority, or highest to lowest priority.

  • Name - Sort the incidents alphabetically.

  • Source - Sort the incidents alphabetically by the module that promoted the event to an incident.

  • Created - Sort the incidents by newest to oldest, or oldest to newest.

  • Status - Sort the incidents alphabetically by status.

The status of the incident shows where it is in its lifecycle. All incidents start out with a status of New, which indicates that they have been reported by a system but have not been confirmed. As the incidents are triaged, they can be moved to Open status if deemed worthy of continuing an incident response process for the event. When finished, they can be marked as Closed. Alternatively, an incident can be immediately closed if it is deemed to be inaccurate or uninteresting.

Note: When the incident detail for a new, unassigned incident is first viewed, the incident status is automatically changed to Open.

You can change the status of a single or multiple incidents from the Incidents page.

Note: You can also change the status of a specific incident from the header on the Incident Detail page.

To change the status of a single incident from the Incidents page, click the drop-down menu in the Status column and choose the new status.

Change Single Incident Status

To change the status of multiple incidents, check the check boxes next to the incidents in the Incidents list and then click the Selector drop-down menu in the column header and choose the new status.

Change Multiple Incidents Status

Information: When the status of an incident from Cisco Secure Endpoint is closed in Cisco XDR Incidents, the compromise event in Secure Endpoint that is linked to the incident is set to Resolved. No other action is required in Secure Endpoint.

You can assign an incident to users from the Assigned column on the Incidents page or in the Assigned field in the header on the Incident Detail page.

If the incident has not yet been assigned, the Unassigned button is displayed. When the incident is assigned, an avatar with the user's initials is displayed and you can hover over the avatar to view the user's full name in a tooltip.

Note: If a user navigates to the Incident Detail page for an incident that is Unassigned and has a status of New, the incident is automatically assigned to the current user and the status is changed to Open.

  1. Click the Unassigned button or any of the avatars in the Assigned column of the Incidents table.

    2. If there are no users assigned to the incident, the current user is automatically suggested with the check box next to their name unchecked. Otherwise, the list of users already assigned to incident is displayed with the check box checked.

    Assignees

  2. Begin entering the user's name in the Search field and then check the check box next to their name in the list that is displayed. The matching letters entered in the Search field appear bold in the list that is returned to easily find the name of the assignee.

    3. To remove an assignee, uncheck the check box next to their name.

  3. Click outside the Assignee menu to apply your selection.

    4. When an incident is assigned to another user, they will receive a notification in the (Notifications) icon in the Cisco XDR header and ribbon. For more information about this feature, see the Notifications help topic.

When you click an incident in the list, the Incident drawer opens where you can quickly understand the incident at a high level. You can scroll the list on the Incidents page using the up and down arrow keys on your keyboard. If the Incident drawer is open, the drawer is populated with information for the selected incident as you scroll.

Incident Drawer

The incident drawer shows the following information to gain a quick high-level understanding of the impact the incident may have and the necessary information to take immediate action:

Drawer Header

The upper portion of the drawer shows the following information about the incident:

Priority

The incident priority score is displayed in the uppermost portion of the incident drawer to give you immediate insight to the risk involved, and is color-coded based on the priority. The priority score is calculated from detection risk (including incident severity and TTP-based risk of financial loss) and asset value at risk (based on the value of assets involved in the incident).

Status

The current state of the incident and where it stands in regards to remediation. For more information, see Change Incident Status.

Title

The incident name that is displayed in the Incidents list is also displayed in the upper portion of the drawer.

Reported by

The source or product that reported the incident and the relative amount of time from the date and time the incident was created; for example: 20 seconds, 2 hours, 6 days, 5 months, 2 years.

Click the source link to open the event in the originating product.

Assigned

Shows who has been assigned to the incident. Hover over the avatar to view the full user name.

You cannot assign users to the incident from this field. For more information, see Assign Incident.

MITRE

The MITRE TTP widget shows the MITRE ATT&CK® tactics impacting the incident. Hover over the widget to view a popup showing the specific MITRE tactics.

MITRE TTP Widget

Click View Details in the popup to view information about the specific tactics and techniques.

Priority Score Breakdown

Expand the Priority Score Breakdown section and view how the priority score was calculated from Detection Risk (including incident severity and TTP-based risk of financial loss) and Asset Value at Risk (based on the value of assets involved in the incident).

Short Description

Expand the Short description section and view the short description of the incident. The information varies depending on the reporting product.

The (AI-generated) icon is displayed in front of the Short Description label if the description was generated by Cisco AI and a message is displayed in the lower portion of the panel.

Long Description

Expand the Long description section and view the metadata included in the long description of the incident, such as Urgency, Event time, Promoted at (time), Reporting Device Type and ID, Security Intelligence Event and Category, and Promoting Reason. The Long Description will vary depending on the reporting product.

The (AI-generated) icon is displayed in front of the Long Description label if the description was generated by Cisco AI and a message is displayed in the lower portion of the panel.

Assets

The Assets panel is expanded by default and displays the total number of unique assets through all of the events related to the selected incident. These are the same assets that are displayed in the Assets drawer on this page and on the Overview page in the incident detail.

The assets are represented by an icon that allows you to easily distinguish the asset type.

Each asset includes a (Pivot Menu) icon that enables you to take action on it. You can perform some actions directly in the Pivot menu or pivot to the integrated product to perform additional actions.

View Incident Detail

To view more information about the incident, click View Incident Detail in the lower portion of the drawer to open the Incident Detail page, which includes an overview of the incident, event data associated with it, response actions, and a work log. For more information, see the Incident Detail help topic.

To close the drawer, click the (Close) icon in the upper right corner.

Linking incidents improves overall incident management by aggregating relevant incidents to create a bi-directional relationship between them, which helps streamline the incident response workflow. You can link two or more incidents. After incidents are linked, you can view the relationship between these incidents in the Linked Incidents drawer in the incident detail. You can also unlink incidents from the drawer.

Perform the following steps to link incidents:

  1. In the Incidents list, check the check boxes next to the incidents you want to link. Use the Filters and Date Range menus to narrow the display of incidents.

  2. Click the Selector drop-down and choose Link.

    Link Incident Menu

    The incidents are linked and displayed in the header and Incidents drawer in the incident detail.

For more information, see the Incident Detail help topic.

You can delete a single incident or multiple incidents that are displayed on the Incidents page.

Note: Deleting incidents is permanent and cannot be undone.

  1. In the Incidents list, check the check boxes next to the incidents you want to delete. Use the Filters and Date Range menus to narrow the display of incidents.

  2. Click the Selector drop-down and choose Delete.

    Delete Incident Menu

  3. On the Delete Incident Confirmation dialog box, check the I am absolutely sure I want to do this check box and then click Delete.

    A success message is displayed in the lower right corner of the screen and the screen is refreshed with the incident removed.