Investigating Incidents

The Incidents section helps you filter, investigate and act on all security events detected by the GravityZone sensors over a specific time interval.

This section contains the following features:

  • Incidents: view and investigate incidents.

  • Blocklist: manage blocked files from incidents.

  • Search: query the security events database.

  • Custom rules: create custom rules for exclusions or detections.

Note

Availability and functioning of these features may differ depending on the license included in your current plan.

The Incidents Page

Use the Incidents page to filter and manage security events.

the_incidents_page.png

This page contains the following areas:

  1. A tab bar with the different incident types:

    • Extended Incidents: displays the complex incidents detected across your environment that may affect your entire network.

    • Endpoint Incidents: displays the suspicious incidents detected at endpoint level that require investigation and on which no action has been taken yet.

    • Detected Threats: displays the security events identified as threats by GravityZone prevention modules. These are detected at endpoint level and are acted upon automatically, with the actions predefined in the security policies applied to your environment.

  2. Filtering options to customize your grid.

  3. The Incidents grid, which displays a list of security events according to the applied filters.

Incidents Overview Bar

The Overview bar lists open incidents, top alerts, affected devices, among other relevant data, to give you a quick view of the overall situation on the threats your environment is facing.

edrOverviewBar.png
Filtering incidents from the Overview bar

You can filter the incidents list by selecting values in the Overview bar:

  • If you click a value in the Open incidents section it will display only the incidents with the selected level of severity.

  • If you click a value in the Top alerts section it will populate the search field with the alert name and display only the incidents where the alert was detected.

  • If you click a value in the Top techniques section it will populate the search field with the technique name and display only the incidents where the technique was detected.

  • If you click a value in the Top affected devices section, it will display only the incidents affecting the selected device.

The Filters Grid

The Incidents page allows you to choose what incidents to display by customizing the filters grid.

filteringButtonsIncidents.png

Find details of the available filtering options in the following table:

Filtering option

Details

Severity Score

The Severity Score is a number between 10 and 100 indicating how potentially dangerous a security event is. The higher the score, the more likely the event is dangerous. It provides context based on the attack indicators and, where applicable, the ATT&CK techniques involved.

To filter by the severity score, drag the slider bar to the chosen values. Or, you can use the number fields below the slider bar. Click OK to confirm the score selection.

See Severity Score for details on how GravityZone calculates the Severity Score.

Date

To filter by date:

  1. Click the calendar.png calendar icon or the Date field to open the date configuration page.

  2. Select the timeframe for incidents:

    • Click the From and To tabs to select the dates defining the time interval.

      Note

      You can specify the exact time for the start and end dates, using the hours and minutes fields below the calendar.

    • You can also select a predetermined time frame, relative to the current time.

  3. Click OK to apply the filter.

Status

Filter the incidents by their current status by checking one or more of the status options available in the Status drop-down menu:

  • Open: for uninvestigated security events

  • Investigating: for security events under investigation

  • False Positive: for security events labeled as false alarm

  • Closed: for security events with closed investigation

ID

Narrow the incident list by searching a specific security event ID number.

Company

Filter the incidents by the name of the company where the security events were triggered.

By default, the Incidents page displays incidents from all companies under your management.

Note

Only companies under your management with a valid XDR license will be displayed in the list.

Organization Impact

This column shows the number of affected endpoints and servers.

Last Kill Chain Phase

Filter the incidents by selecting a specific phase in the attack kill chain.

Endpoint

Narrow the incident list by searching a specific endpoint name from your managed network.

Attack Type

The attack type is a dynamic list of the most common types of attack, which changes based on the attack indicators found in the listed security events.

Alerts

This column displays the number of alerts triggered per incident.

Endpoint OS

This option filters the security events by operating system of involved endpoints.

Priority

This column indicates the priority of each incident.

Assigned to

This column indicates the user that the incident is assigned to.

Note

Filtering options may vary depending on the type of license key included in your current plan.

To search for more elements that are not visible in the filter grid, select one of the search options from the Search drop-down menu:

  • Alert name - 2 to 1,000 max. characters

  • ATT&CK Technique - 1 max. characters

  • Endpoint IP - 45 max. characters

  • MD5 - 32 max. characters

  • SHA256 - 64 max. characters

  • Node name - 360 max. characters

  • Username - 1,000 max. characters

The page will update automatically, loading only the security event cards matching the searched element. For a more granular search, you can create search queries in the Search page.
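When working from a threat report, it helps to sort the indicators into the search option that accepts each of them before pasting anything into the console. The following is an added example, not GravityZone code: the option names and length limits are the ones listed above, while the hash and IP format checks, the rejection of indicator types the search does not take (SHA1, URLs, CIDR ranges) and the choice of Node name as the fallback option are this example's own logic. The sample indicator list is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Search option -> maximum accepted length, as listed on the page.
MAX_LEN = {"Endpoint IP": 45, "MD5": 32, "SHA256": 64, "Node name": 360}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def classify(indicator):
    """Return (search option, value to paste).  Raise ValueError when no
    search option on the page accepts the indicator."""
    value = indicator.strip()
    if not value:
        raise ValueError("empty indicator")
    lowered = value.lower()
    if HEX_RE.match(lowered):
        if len(lowered) == 32:
            return "MD5", lowered
        if len(lowered) == 64:
            return "SHA256", lowered
        if len(lowered) == 40:
            raise ValueError("SHA1 is not a search option; use the MD5 or SHA256 of the file")
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        # 45 characters is the longest textual IPv6 form (an IPv4-mapped address
        # written uncompressed), so anything ipaddress parses fits the limit.
        return "Endpoint IP", value
    if "://" in value or "/" in value:
        raise ValueError(f"{value!r} is a URL or CIDR range; the search takes single hosts and artifacts")
    # Assumption of this example: anything else (file, process, registry or
    # domain name) is looked up as a graph node name.
    if len(value) > MAX_LEN["Node name"]:
        raise ValueError(f"{value[:20]!r}... exceeds the {MAX_LEN['Node name']}-character Node name limit")
    return "Node name", value


def sort_indicators(indicators):
    """Split raw indicators into per-option lists plus a list of
    (indicator, reason) pairs that cannot be searched as-is."""
    accepted = defaultdict(list)
    rejected = []
    for raw in indicators:
        try:
            option, value = classify(raw)
        except ValueError as err:
            rejected.append((raw, str(err)))
            continue
        accepted[option].append(value)
    return dict(accepted), rejected


# Constructed sample: hashes of the empty file, documentation IP ranges and a
# reserved domain, standing in for a threat report's IOC list.
SAMPLE_IOCS = [
    "d41d8cd98f00b204e9800998ecf8427e",
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "203.0.113.7",
    "0000:0000:0000:0000:0000:ffff:255.255.255.255",
    "198.51.100.0/24",
    "http://update.example.invalid/payload.bin",
    "invoice_2024.doc",
]

if __name__ == "__main__":
    accepted, rejected = sort_indicators(SAMPLE_IOCS)
    for option, values in accepted.items():
        print(option, values)
    for raw, reason in rejected:
        print("SKIP", raw, "-", reason)
```

Note that a SHA1 from a report cannot be searched here at all; you need the file's MD5 or SHA256 from the same source.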

Viewing security events

The Incidents page displays a list of security events matching the selected filters.

By default, there are 20 events per page, bundled by date. The page auto-refreshes at regular intervals, as XDR triggers new events.

Each security event entry is listed in a rich card format, providing an overview of each incident, with information based on the selected filters.

Important

All security events older than 90 days, whether extended incidents or incidents detected at endpoint level, are automatically deleted from the grid and from the security events repository. If an investigation needs evidence beyond that window, export or record what you need before the retention period expires.

  • Click the View Graph button to access the graphic visualization of the incident.

  • Click the View Events button to access the timeline of events comprising the incident.

Changing the Status of Security Events

The investigation status lets you tell apart incidents that have already been investigated and marked Closed or False Positive, incidents that are currently under investigation, and Open incidents that have yet to be analyzed.

Follow these steps to change the status of one or multiple security events at a time:

  1. Check the boxes of the security event cards that will undergo a status change.

    selectCardsStatus.png

    You can select them individually or by using the bulk selection options in the drop-down menu.

    Note

    You can also browse through several security event pages while keeping your selection.

    Click the Change Status button.

  2. Select the status option:

    changingStatus.png
    • Open - when the security event is not yet under investigation.

    • Investigating - when you have started investigating the event.

    • False Positive - when you analyzed the event and identified it as a false positive.

    • Closed - when you have finished investigating.

    When you change the status to False Positive or Closed, a box opens where you can leave a note explaining the reason, for later reference.

    bulkNote.png

    The note is appended to any notes already attached to the selected incidents.

  3. Click Confirm to apply the selected status option.

Investigating an Extended Incident

Each extended incident has a dedicated view which displays correlated events that have occurred in your environment, offering a network-wide perspective on a potential staged attack.

Important

Availability of the XDR feature differs depending on the license included in your current plan.

  1. In the Extended Incidents tab, identify the security event you want to analyze and click the XDRViewIncidentIcon.png View Incident button to open it.

    XDRViewGridIncident.png

    You can also click the card of any incident to open its side panel and quickly analyze the incident indicators, or click the View incident button to start an in-depth analysis.

    The incident opens by default in the Extended Incident Overview section.

  2. In the Overview tab you can see the root cause of the incident, as well as other insights on how the attack on your organization was performed. You can also see the techniques that were used and the company resources involved in the different stages of the kill chain.

    The Response widget provides you with recommendations and actions you can take for immediate containment of the most imminent threats.

    • Consult the Actions needed tab to see what actions you need to take to eliminate or minimize active threats.

    • Consult the Actions executed tab to see what actions have already been taken to eliminate or minimize threats.

    Note

    Learn more about actions you can take to mitigate threats in the Response section.

  3. Open the graph-edr.png Graph view to see the graphic representation of the extended incident. Learn more about the Graph elements here.

    extendedIncidentGraphOverviewNoAreas.png
  4. Optionally, use the Activity panel to display the sequence of events either by time or by their position in the attack kill chain.

  5. Select the interaction nodes with the highest severity, to analyze the details available in the side panel, including:

    • The source and target of the interaction.

    • The alerts that have spawned during this process and a summary of associated resources.

    Important

    Interactions marked red include alerts of high severity, and should be analyzed with priority.

    89937_1.png
    1. If you want to dig deeper, open each alert to display additional information, including alert indicators, artifacts involved, interactions, resources used, attack techniques, and recommendations.

      89937_2.png
  6. When viewing node details, you have several action options:

    • Use the Isolate host action to isolate the endpoint from the rest of the network.

    • Go to View full endpoint details > Investigation, and collect additional forensic data to aid you in the threat hunting process. For more details see Forensic Data Gathering.

    • Use the Remote Shell action to start a remote shell session and mitigate threats directly on the affected endpoints. Learn more about remote shell sessions here.

  7. For compromised users, open the side panel of the user node and take actions such as:

    • Disable user - to disable the account of a user that has been involved in spreading the attack in your environment.

    • Force credentials reset - to enforce a password change for a specific user account at the next login operation.

    • Mark user as compromised - to add the user to the Risky users report in Azure AD > Security.

    Important

    Users that are involved in malicious or suspicious interactions are represented by a specific identity node, and dynamic dotted lines showing what other assets in your environment they may have compromised.

    xdrCompromisedUser.png
  8. To continue with your investigation, navigate to the Alerts window, to see every event correlated as part of the incident in detail.

Extended Incident Overview

The Overview page offers a synopsis of the extended incident you are investigating, displaying the severity of the incident, the key security events that have occurred in your environment, and the affected organization resources.

149661_1.png

The data available on the investigated incident is grouped in the following categories:

The Summary outlines what happened in the incident, showing the Root cause analysis of the incident, as well as Initial Access, alerts triggered by ATT&CK tactics and techniques, and resources impacted by the incident.

XDRSummary.png

The Organization Impact displays all the resources involved in the incident, including affected servers and endpoints, databases, compromising emails, and more.

XDROrganizationImpact.png

The ATT&CK Tactics and Techniques section displays all the MITRE ATT&CK tactics and techniques used in the current attack.

XDRAttackTactics.png

The Highlights display the kill chain stages within the investigated incident that have the highest impact on your organization.

XDRHighlights.png

Click the View in Graph button to see all the security events grouped by kill chain phase in the Activity panel.

The Response area lists specific actions you can take to mitigate the threats within an extended incident and quickly minimize the potential damage to your environment.

XDRResponseWidget.png
  • Consult the Actions needed tab to see what actions you need to take to eliminate or minimize active threats.

  • Consult the Actions executed tab to see what actions have already been taken to eliminate or minimize threats.

Select View Details to navigate to the Response tab where you can perform all the needed actions, see executed ones and change their status accordingly.

Extended Incident Graph

The Graph displays a dynamic graphic representation of the extended incident under investigation, providing a detailed activity timeline with the sequence of correlated events caused by external agents, that have occurred or are still active in your environment, on multiple endpoints and network devices.

89939__1_.png

The incident graph section is grouped into two major areas:

1. Activity Panel

It includes all the alerts detected and correlated in the extended incident you are investigating.

extendedActivityTimeline.png
  • From the drop-down menu you can group the alerts by time, or by their place in the kill chain.

  • To view the evolution of the attack, group the alerts by time, and go through each one.

  • The graph animation will show you how the attack has unfolded in your environment, performing lateral movement to jump from one entity to another, exfiltrating data, etc.

  • Upon clicking, each alert is expanded in the timeline, displaying its name, a description of what has occurred, as well as info like the severity of the alert, the sensor that made the detection, timestamp, place in the kill chain, affected endpoints, IP.

    activityAlertExpanded.png
    • If the same alert has been detected on multiple endpoints, you can further investigate them by expanding a side panel that displays a list of them.

    • If the alert is also part of an endpoint incident, you can further investigate it by opening it in a new browser tab.

    • If you want to view additional information about this alert, click View more details to expand its details panel.

2. Graph Panel
89939_2.png

The graph panel contains the following elements:

Legend

The Legend displays the types of elements correlated in the extended incident you are analyzing. You can search names or file extensions of incident components in the search field and the results will be displayed in the side panel.

extendedLegend.png
Navigator

The Navigator enables you to quickly move through the incident graph and explore all displayed elements by using the mini-map and the different levels of visualization.

Click and hold the dragIcon.png Drag icon to position the floating Navigator panel anywhere inside the incident graph.

The Navigator is collapsed by default. When expanding it, the menu will display the miniaturized version of the entire incident map, and action buttons to adjust the level of visualization.

extendedNavigator.png
Extended Incident Alerts

Use the Alerts page to view how the sequence of events unfolded into triggering the currently investigated incident. This window displays the correlated system events and alerts detected by GravityZone technologies such as EDR, Network Attack Defense, Anomaly Detection, Advanced Anti-Exploit, Windows Antimalware Scan Interface (AMSI).

Every complex event has a detailed description explaining what was detected and what might happen if the artifact is used for malicious purposes, in accordance with the latest MITRE techniques and tactics.

Every alert is described in detail, including the used ATT&CK technique, its place in the kill chain, and how it affects your organization.

extendedAlertsTab.png

You can filter these alerts by using the following options:

  • Use the All sensors drop-down menu to enable alerts from all sensors, or just one of the sensors.

  • Use the All Kill Chain Phases drop-down menu to show only the alerts that belong to a certain phase of the kill chain, or alerts from all kill chain phases.

  • Use the Search field to search alerts by name or file extension.

Extended Incident Response

The Response page is where you can take immediate actions to eliminate or minimize threats discovered in your environment, displayed in the extended incident you are investigating.

XDRResponseTabOverview.png

All actions are available in a dynamic grid with multiple filtering and sorting options, such as filtering by action type, action status, date and time of execution, and more.

The Response page provides default smart views that you can use to access actions that need immediate attention, actions that have been executed already, or actions that have been dismissed.

  1. Select the Actions needed view so you can execute urgent actions to protect your environment.

    XDRActionNeeded.png

    In this view, all the actions in the grid have the status set to Action needed.

  2. Execute each task individually, or select all of them from the grid for bulk execution.

    1. To execute a task individually, you can select it from the grid and click the Execute button, or access its menu and click Execute.

    2. To execute bulk actions, select multiple or all actions from the grid and click Execute.

    Upon executing an action, its status goes through several stages: Action needed > Pending > In progress.

    • If the system completes the action, its status changes to Successful and the action is moved to the Actions executed view.

    • If the system cannot complete the action, its status changes to Failed and the action stays in the Actions needed view until you execute it successfully.

  3. If you don't need to execute an action, manage it from the Manage menu, or from the action's card menu.

    XDRManageActions.png
    • Use the Mark as done option for actions that are no longer needed because they may have been completed using a different method. These actions are moved to the Actions executed view.

    • Use the Dismiss option to remove useless actions. These actions are moved to the Actions dismissed view.

    You can restore any dismissed or marked as done action to its previous status.

Important

Actions with the External action needed status cannot be executed from the Response page; you have to carry them out manually. Afterwards, mark them as done or dismiss them, depending on how you chose to act.
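The lifecycle above (Action needed > Pending > In progress > Successful or Failed, Mark as done, Dismiss, restore, and the manual-only External action needed status) is easy to get wrong when scripting triage around it. The following is an added example, not GravityZone code or its API: it models that lifecycle as a small state machine. Status and view names are the ones on the page; the class and method names, the rule that an action can be marked as done or dismissed only while it is not Pending or In progress, and the placement of Pending and In progress actions in the Actions needed view are assumptions of this example.

```python
from dataclasses import dataclass, field

ACTION_NEEDED = "Action needed"
EXTERNAL_ACTION_NEEDED = "External action needed"
PENDING = "Pending"
IN_PROGRESS = "In progress"
SUCCESSFUL = "Successful"
FAILED = "Failed"
MARKED_DONE = "Marked as done"
DISMISSED = "Dismissed"

# Smart view that lists an action, derived from its status.  The page places
# Failed in Actions needed and Successful / Mark as done in Actions executed;
# keeping Pending and In progress in Actions needed is an assumption.
VIEW_OF = {
    ACTION_NEEDED: "Actions needed",
    EXTERNAL_ACTION_NEEDED: "Actions needed",
    FAILED: "Actions needed",
    PENDING: "Actions needed",
    IN_PROGRESS: "Actions needed",
    SUCCESSFUL: "Actions executed",
    MARKED_DONE: "Actions executed",
    DISMISSED: "Actions dismissed",
}
EXECUTABLE = (ACTION_NEEDED, FAILED)
MANAGEABLE = (ACTION_NEEDED, EXTERNAL_ACTION_NEEDED, FAILED)  # assumption: not while in flight


@dataclass
class ResponseAction:
    action_id: str
    kind: str                                   # e.g. "Isolate host", "Block user"
    status: str = ACTION_NEEDED
    history: list = field(default_factory=list)  # previous statuses, oldest first

    def _transition(self, new_status):
        self.history.append(self.status)
        self.status = new_status

    def view(self):
        return VIEW_OF[self.status]

    def execute(self, run):
        """Drive the action through Pending and In progress.  `run` is a
        callable returning True on success; it stands in for the backend."""
        if self.status == EXTERNAL_ACTION_NEEDED:
            raise ValueError(f"{self.action_id}: must be done manually, then marked as done or dismissed")
        if self.status not in EXECUTABLE:
            raise ValueError(f"{self.action_id}: cannot execute from status {self.status!r}")
        self._transition(PENDING)
        self._transition(IN_PROGRESS)
        self._transition(SUCCESSFUL if run(self) else FAILED)
        return self.status

    def mark_done(self):
        """Action completed by other means; it moves to Actions executed."""
        if self.status not in MANAGEABLE:
            raise ValueError(f"{self.action_id}: cannot mark as done from {self.status!r}")
        self._transition(MARKED_DONE)

    def dismiss(self):
        """Action not needed; it moves to Actions dismissed."""
        if self.status not in MANAGEABLE:
            raise ValueError(f"{self.action_id}: cannot dismiss from {self.status!r}")
        self._transition(DISMISSED)

    def restore(self):
        """Undo Mark as done or Dismiss, returning to the previous status."""
        if self.status not in (MARKED_DONE, DISMISSED):
            raise ValueError(f"{self.action_id}: nothing to restore from {self.status!r}")
        self.status = self.history.pop()
        return self.status


def execute_bulk(actions, run):
    """Bulk Execute over a grid selection.  External or in-flight actions are
    reported by reason instead of aborting the whole batch."""
    outcome = {}
    for action in actions:
        try:
            outcome[action.action_id] = action.execute(run)
        except ValueError as err:
            outcome[action.action_id] = str(err)
    return outcome


def by_view(actions):
    """Group action ids the way the three smart views would show them."""
    views = {"Actions needed": [], "Actions executed": [], "Actions dismissed": []}
    for action in actions:
        views[action.view()].append(action.action_id)
    return views
```

The `history` list is what makes restore possible: it records the status an action had before it was marked as done or dismissed, so an external action goes back to External action needed rather than to a generic Action needed.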

Response actions

The actions you can take in Response page > Actions needed view to minimize or eliminate threats in your environment are grouped in the following categories:

  • Isolate host - isolates an endpoint in your environment to contain the spreading of potentially malicious activities, such as Lateral movement, to other workstations. When an endpoint is isolated, it can only communicate with GravityZone.

  • Block user - locks the account of a user. This action is specific to each type of user involved in an incident, from sources such as Microsoft 365, Active Directory or Azure AD.

  • Force credentials reset - prompts a specific user to change the account password at the next login.

  • Mark user as compromised - adds the user to the Risky users report in Azure AD > Security.

  • Delete email - deletes suspicious emails to prevent the spreading and execution of malicious payloads in your organization.

  • Manage asset - recommends the installation of a security solution on an unmanaged asset within your organization.

Tip

To harden the security posture of your company you can reduce the surface of potential attacks by ensuring proper system configuration. Learn more about hardening measures you can take in Security Risks. Additional info is also available in GravityZone Indicators of Risk.

Status Bar

The status bar shows the key attributes of the extended incident you are analyzing.

xdr_bar.png
  1. Incident ID - the ID number of the incident under investigation.

  2. Status - the status of the incident.

  3. Assignee - the user that the incident is assigned to.

  4. Priority - the priority of each incident.

  5. Notes - this button provides a list of analyst notes.

  6. History - this button provides the history of the incident.

Tip

Clicking the Back button takes you back to the Incidents page.

Notes Clipboard

The Notes clipboard provides an easy way to add notes to incidents for tracking changes and incident ownership.

Displaying notes

To display a list of available notes click the Notes button on the right side of the Status bar:

206559_1.png

Note

Alongside each note, the user name of its creator is displayed. If the user belongs to a partner company, the name Partner is displayed instead.

Adding a note

To add a note, follow the steps below:

  1. Click the Add note button on the lower right side of the clipboard.

  2. Fill in the note information.

    206559_2.png

    Note

    Each note can contain up to 2,048 characters.

  3. Select Save.

    Note

    In case of bulk actions, a single note will be added in bulk for all incidents.

Editing a note

To edit a note, follow the steps below:

  1. Select the Menu button on the right side of the note you wish to edit.

    206559_3.png
  2. Select Edit.

  3. Make the necessary modifications:

    206559_4.png

    Note

    Each note can contain up to 2,048 characters.

  4. Select Save.

Note

If you wish to cancel editing the note, click Cancel, then select Discard.

Deleting a note

To delete a note, follow the steps below:

  1. Select the Menu button on the right side of the note you wish to delete.

    206559_3.png
  2. Select Delete.

    Note

    This option is only available for your own notes.

  3. Select Delete again.

History Clipboard

The History panel provides an easy way to track the history of an incident. The following events are tracked:

  • Status changes

  • Assigning or reassigning an incident

  • Setting or changing an incident's priority

  • Adding, editing, or deleting an incident note

  • Creating an incident

  • Updating an incident

The list is displayed in chronological order, with the oldest event at the top and the newest at the bottom:

xdr_history.png

Each event will contain the following information:

  • The type of the event

  • A description of the event

  • The date and time on which the event occurred

  • The username of the person who performed the action

    Note

    If the user belongs to a partner company, the name Partner will be displayed instead.

Investigating an Endpoint Incident

  1. In the Endpoint incidents tab, identify the security event you want to analyze from the incidents grid.

    • Use the View Graph button in the incident card to open the Incident graph in a new page, or

    • Select a security event card to open its details panel for a quick look at the most important attack indicators of that incident.

    The incident graph shows the sequence of events that led to triggering the incident and offers options to take remediation actions.

    By default, the graph highlights the Critical path of the incident, and the event that triggered the incident.

  2. Start analyzing the information displayed in the details panel of the trigger node, to find what is the root cause of the incident.

    triggerNodePanel.png

    In the panel you can find valuable info like the alerts detected on the trigger node, the date and time of the event, and command lines that were executed by the attacker.

  3. If the situation allows it, select the Add to Sandbox button to detonate suspicious or malicious elements, then read the Sandbox report to evaluate the damage they may have caused to your environment.

    Tip

    To make sure you did not miss anything, also investigate the incident nodes on the same level as the trigger node.

  4. You can continue to analyze the other elements constituting the critical path until you get a clear picture of what caused the incident.

    • If the threat is real, take appropriate actions to mitigate it. Learn more about available actions in Node details.

    • If the threat is not real, go to the Status menu at the top of the graph, set the status of the incident to False Positive, and start investigating the next incident in the list.

      Note

      You can use the Notes clipboard to leave insights about the incident, to provide context in case other users reopen the incident.

  5. When further investigation is needed, navigate to the Events tab to see all the raw events and alerts that were spawned as part of the incident under investigation.

Graph

The Graph provides an interactive graphical representation of the investigated incident and its context, highlighting the sequence of elements directly involved in triggering it, known as the Critical path of the incident, as well as all the other elements involved, faded out by default.

The Graph includes filtering options that allow the customization of the incident graphic to improve visualization, and details panels with more information about each element, to facilitate the investigation of what happened in your environment.

Critical path

The Critical Path is the sequence of linked security events that have led up to setting off an alert, starting from the point of entry in the network down to the event node that triggered the incident.

The critical path of the incident is highlighted by default in the graph, along with all the event nodes it consists of. The trigger node stands out from the rest of the elements in the graph, and its info panel is displayed by default alongside the incident graph, providing detailed trigger node information.

Figure 1. 
criticalPath.png
  1. Trigger Node

  2. Node Details panel with collapsible information sections

  3. Minimized nodes, indirectly involved in the incident



Tip

Selecting any other element than the trigger node will no longer highlight the critical path, and show the path to origin instead, from the selected node to the start of the incident.

Security event nodes

This is what you need to know about security event nodes:

  • Each node represents a specific element involved in the investigated incident.

  • All nodes that make the critical path are shown by default in detail when you open the incident, while the other elements are faded out, to avoid cluttering the view.

    • Hovering over a node that is not part of the critical path will highlight it and show the path to the point of origin, without breaking the Critical Path.

    mouseOverNode.png
  • Three or more event nodes of the same action type spawning from one parent node are grouped into an expandable cluster node.

    • Only nodes without child elements will be hidden from the incident graph when the cluster-node is collapsed.

    • Nodes where suspicious activity has been detected will not be added to the cluster-node.

  • Clicking a node will display the following details:

    • It will highlight in blue the path to the endpoint node along with all the other involved elements.

    • A side panel with expandable sections that provide detailed information of the selected node, alerts in case detections are triggered, available actions and recommendations.

  • Nodes are linked by arrow-lines indicating the course of actions that occurred on the endpoint during the incident. Each line is labeled with the action name and its chronological number.

The following elements of an incident can be represented as nodes:

Node type

Description

Endpoint

Displays endpoint details and patch management status.

Domain

Shows information about the domain host and its endpoints.

Process

Shows details about the process role in the current incident, file information, process executions details, network presence and further investigation options.

File

Shows details about the file role in the current incident, file information, network presence and further investigation options.

Registry

Displays Registry information and the parent process details.

Note

Learn more about node details here.
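Two behaviours described above, the critical path (and the path to origin shown when you select any other node) and the clustering of sibling nodes, come straight from the shape of the graph: every node except the endpoint has exactly one incoming action, so walking incoming edges from a node reaches the point of entry. The following is an added example, not GravityZone code: a small model of an endpoint incident graph that reproduces both. Node kinds and the cluster rules are the page's; the action labels, the sample incident (a macro document that drops a script which spawns a shell beaconing to a domain) and all identifiers are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    node_id: str
    kind: str                 # Endpoint, Process, File, Registry or Domain
    label: str
    suspicious: bool = False  # True when an alert was raised on this node


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    action: str               # label on the arrow, e.g. "Execute", "Create file"
    seq: int                  # chronological number shown with the label


class IncidentGraph:
    def __init__(self, nodes, edges):
        self.nodes = {n.node_id: n for n in nodes}
        self.incoming = {}                  # child -> the edge that produced it
        self.outgoing = defaultdict(list)   # parent -> its edges, chronological
        for e in sorted(edges, key=lambda e: e.seq):
            if e.src not in self.nodes or e.dst not in self.nodes:
                raise ValueError(f"edge {e.seq} references an unknown node")
            if e.dst in self.incoming:
                raise ValueError(f"node {e.dst} has more than one parent")
            self.incoming[e.dst] = e
            self.outgoing[e.src].append(e)

    def path_to_origin(self, node_id):
        """Follow incoming edges from node_id back to the root (the point of
        entry) and return node ids origin-first: what the graph highlights
        when you select a node."""
        if node_id not in self.nodes:
            raise KeyError(node_id)
        path, seen = [node_id], {node_id}
        while path[-1] in self.incoming:
            parent = self.incoming[path[-1]].src
            if parent in seen:
                raise ValueError("cycle in incident graph")
            seen.add(parent)
            path.append(parent)
        return path[::-1]

    def critical_path(self, trigger_id):
        """The path to origin of the node that triggered the incident."""
        return self.path_to_origin(trigger_id)

    def clusters(self, min_size=3):
        """Children of one parent reached by the same action form a cluster
        node once there are min_size of them.  Suspicious nodes stay out of
        the cluster, and only leaf members vanish when it is collapsed."""
        found = {}
        for parent, edges in self.outgoing.items():
            by_action = defaultdict(list)
            for e in edges:
                if not self.nodes[e.dst].suspicious:
                    by_action[e.action].append(e.dst)
            for action, members in by_action.items():
                if len(members) >= min_size:
                    leaves = [m for m in members if not self.outgoing.get(m)]
                    found[(parent, action)] = {"members": members, "hidden_when_collapsed": leaves}
        return found


def build_sample_incident():
    """Constructed sample incident; ids, names and the domain are made up."""
    nodes = [
        Node("ep01", "Endpoint", "WS-FIN-01"),
        Node("outlook", "Process", "outlook.exe"),
        Node("invoice", "File", "invoice.doc"),
        Node("winword", "Process", "winword.exe"),
        Node("tmp1", "File", "~WRD0001.tmp"),
        Node("tmp2", "File", "~WRD0002.tmp"),
        Node("tmp3", "File", "~WRD0003.tmp"),
        Node("macro", "File", "update.vbs"),
        Node("wscript", "Process", "wscript.exe", suspicious=True),
        Node("ps", "Process", "powershell.exe", suspicious=True),
        Node("c2", "Domain", "update.example.invalid", suspicious=True),
        Node("runkey", "Registry", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", suspicious=True),
    ]
    edges = [
        Edge("ep01", "outlook", "Execute", 1), Edge("outlook", "invoice", "Create file", 2),
        Edge("outlook", "winword", "Execute", 3), Edge("winword", "tmp1", "Create file", 4),
        Edge("winword", "tmp2", "Create file", 5), Edge("winword", "tmp3", "Create file", 6),
        Edge("winword", "macro", "Create file", 7), Edge("macro", "wscript", "Execute", 8),
        Edge("wscript", "ps", "Execute", 9), Edge("ps", "c2", "Connect", 10),
        Edge("ps", "runkey", "Write", 11),
    ]
    return IncidentGraph(nodes, edges)


if __name__ == "__main__":
    graph = build_sample_incident()
    print("critical path:", " -> ".join(graph.critical_path("c2")))
    print("clusters:", graph.clusters())
```

In the sample the three temporary files and the dropped script are all created by winword.exe, so they form one cluster; collapsing it hides only the three temporary files, because the script has a child (the interpreter it was run with) and stays visible.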

Filters

The Filters menu provides you with enhanced filtering capabilities, allowing full manipulation of the incident graphic, by highlighting the elements based either on their type or relevance, or by hiding them to make the incident more compact and easier to analyze.

Click and hold the dragIcon.png Drag icon to position the floating filters panel anywhere inside the incident graph.

filtersCritPath.png

When selecting an element-type filter:

  • The incident graphic zooms out and highlights all the elements of the selected type, while the elements of different type are faded out.

  • It instantly opens a panel with the list of all the highlighted elements.

elementTypeFilter.png

Note

Selecting an element from the displayed list will highlight it in the incident graphic, and open a details panel with information related to that element.

Only one filter can be applied at a time.

Filtering options include:

  • Critical path: It highlights the critical path of the incident.

  • Endpoint: It highlights the endpoints affected by the incident.

  • Process: It highlights all process-type nodes involved in the incident.

  • File: It highlights file-type nodes involved in the incident.

  • Domain: It highlights all domain-type nodes involved in the incident.

  • Registry: It highlights all registry-type nodes involved in the incident.

  • Element relevance: You can also filter elements by their importance inside the incident.

    • Grey-Node.png Neutral node: Elements with no direct impact in the security incident.

    • Teal-Node.png Important node: Elements with a relevant role in the security incident.

    • Green-Node.png Origin node: Ground zero of the incident inside the network.

    • Orange-Node.png Suspicious node: Elements with suspicious behavior, directly involved in the security incident.

    • Red-Node.png Malicious node: Elements that caused damage to your network.

You can also hide certain elements from the incident graph by clicking the Show/Hide button that appears when you hover over the File, Domain, and Registry filters.

hideNodes.png

Hiding an element type redraws the incident graph and removes all corresponding elements, even those that are zoomed out, except for the trigger node and nodes with child elements.

Navigator

The Navigator enables you to quickly move through the incident graph and explore all displayed elements by using the mini-map and the different levels of visualization. The Navigator is collapsed by default. When expanding it, the menu will display the miniaturized version of the entire incident map, and action buttons to adjust the level of visualization.

Click and hold the dragIcon.png Drag icon to position the floating navigator panel anywhere inside the incident graph.

edr_navigator.png

The Navigator makes it easy to adjust how you visualize the incident graph, through the use of the overviewLevel.png Fewer details and zoomedLevel.png More details actions.

Note

When the incident graph expands beyond the screen limits, hold and drag the map selector to the desired area of the incident map.

Node details

The Node details panel includes expandable sections with detailed information of the selected node, including preventive or remediation actions you can take to mitigate the incident, details on the type of detection and alerts detected on the node, network presence, process execution details, additional recommendations to manage the security event, or actions to further investigate the element.

To view this information and take actions within the panel, select a node within the security event map.

NodeDetailsPanel.png
  1. You can collapse the Node Details panel by clicking the Collapse button.

  2. You can easily navigate the information displayed in the Node Details panel by clicking the icons of each of the four major sections:

    • ALERTS. This section displays one or multiple detections triggered on the selected node, including details about the Bitdefender technology that included the element in the incident, the reason that triggered the detection, the detection name, and the date when it was detected.

    • INVESTIGATION. This section displays date stamps for the initial detection and all the endpoints where this element was spotted.

    • REMEDIATION. This section displays actions taken automatically by GravityZone, actions you can take immediately to mitigate the threat, as well as detailed recommendations for each alert detected on the selected node to assist you in mitigating the incident and increase the security level of your environment.

    • INFO. This section displays general information about each file, and specific information depending on the type of node selected.

  3. You can drag the Node Details panel towards the center of the screen to easily go through its contents.

    panelExpanded.png

The Endpoint details panel includes two sections:

  • REMEDIATION. Displays info about the actions taken automatically by GravityZone to mitigate threats and actions you can take.

    Note

    The range of actions you can take may vary depending on the license included in your current plan.

    EDR-Endpoint-Details-EAP.png
    • Isolate Host - Use this remediation solution to isolate the endpoint from the network.

    • Install patches - Use this action to install a missing security patch on the target endpoint. This option is visible only with the Patch Management module, an add-on available with a separate license key. Refer to Patch Install for more information.

    • Remote Shell - Use this action to start a Remote shell session on the endpoint involved in the current incident and run investigative shell commands directly on its operating system, to mitigate the threat instantly or collect forensic data for further investigation.

    • Collect Investigation Package - Use this action to start collecting forensic data from the endpoint.

  • DEVICE INFO. Displays general information about the affected endpoint, such as endpoint name, IP address, operating system, pertaining group, state, active policies, and a link that opens a new window where full endpoint details are displayed.

    EndpointPanelDevInfo.png

    It also provides information such as the number of installed patches, failed patches, or any missing security and non-security patches. In addition, you can generate an endpoint patch status report. This information is provided on demand for the target endpoint.

    You can take the following actions within the panel:

    • View patch information for target endpoint. To view patch details, click the Refresh button.

    • View patch status report for target endpoint. To generate the report, click the View endpoint patch status report button.

The details panel for process nodes includes four sections:

  • ALERTS. Displays one or multiple detections triggered on the selected node, including details about the Bitdefender technology that included this entity in the incident, the reason that triggered the detection, the detection name, and the date when it was detected. The description for each alert follows the latest MITRE standards.

    ProcessPanelAlerts.png
  • INVESTIGATION. Displays the date stamp for the initial detection and all the endpoints where this threat was spotted.

    ProcessPanelInvestigation.png
  • REMEDIATION. Displays info about the actions taken automatically by GravityZone to mitigate threats and actions you can take.

    Note

    The range of actions you can take may vary depending on the license included in your current plan.

    ProcessPanelRemediation.png
    • Kill - Use this action to stop a process execution. This action creates a kill process task visible in the process execution bar. System32 and Bitdefender processes are excluded from this action.

    • Quarantine file - Use this action to store the item in question and prevent it from executing its payload. This action requires the Firewall module to be installed on the target endpoint.

    • Add file to Blocklist - Manage blocked items in the Blocklist page.

    • Add file as exception - Use this option to exclude legitimate activity on a specific policy. When you choose this action, a configuration window prompts you to select the policy where you want to add an exception. Manage exclusions under Policies > Antimalware > Settings.

    This section also provides detailed recommendations for each alert detected on the selected node to assist you in mitigating the incident and increase the security level of your environment.

  • PROCESS INFO. Displays details about the selected process node, including process name, executed command line, user, time of execution, file origin and path, hash value, or digital signature.

    ProcessPanelProcInfo.png

    In this section you can copy the item's hash value to clipboard by clicking the available hashing algorithms within the Hash field, and add it to Blocklist.

    Note

    For more information, refer to Blocklisting files.

The File node details panel includes four sections:

  • ALERTS. Displays one or multiple detections triggered on the selected node, including details about the Bitdefender technology that included this entity in the incident, the reason that triggered the detection, the detection name, and the date when it was detected. The description for each alert follows the latest MITRE standards.

    FilePanelAlerts.png
  • INVESTIGATION. Displays date stamps for the initial detection and all the endpoints where this element was spotted.

    FilePanelInvestigation.png
  • REMEDIATION. Displays info about the actions taken automatically by GravityZone to mitigate threats and actions you can take.

    Note

    The range of actions you can take may vary depending on the license included in your current plan.

    FilePanelRemediation.png
    • Quarantine file - Use this action to store the item in question and prevent it from executing its payload. This action requires the Firewall module to be installed on the target endpoint.

    • Add file to Blocklist - Manage blocked items in the Blocklist page.

    • Add file as exception - Use this option to exclude legitimate activity on a specific policy. When you choose this action, a configuration window prompts you to select the policy where you want to add an exception. Manage exclusions under Policies > Antimalware > Settings.

    This section also provides detailed recommendations for each alert detected on the selected node to assist you in mitigating the incident and increase the security level of your environment.

  • FILE INFO. Displays details about the selected file node, including file origin and path, hash value, or digital signature.

    FilePanelFileInfo.png

    In this section you can copy the item's hash value to clipboard by clicking the available hashing algorithms within the Hash field, and add it to Blocklist.

    Note

    For more information, refer to Blocklisting files.

The Registry node details panel includes three sections:

  • ALERTS. Displays the severity of the registry manipulation as marked by the Bitdefender technology that included this entity in the incident, the reason that triggered the detection, the date when it was detected, and the registry type.

    RegistryPanelAlerts.png
  • REMEDIATION. Displays info about the actions taken automatically by GravityZone.

    RegistryPanelRemediation.png

    Note

    The REMEDIATION section for registry nodes does not provide any user action option.

  • REGISTRY INFO. Displays details about the selected registry node, including registry key, value and data.

    RegistryPanelRegistryInfo.png

    You can click the registry key and value to copy them to the clipboard for further analysis.

Search bar

The Search bar has two functionalities:

Search-bar.png
  • Search nodes. Click magnifier.PNG and the search bar expands, allowing you to enter information and search the graph for particular nodes.

  • Incident trigger. A direct link to the node that triggered the alert.

Events

Use the Events tab to view how the sequence of events unfolded and triggered the currently investigated incident. This window displays the correlated system events and alerts detected by GravityZone technologies such as EDR, Network Attack Defense, Anomaly Detection, Advanced Anti-Exploit, or Windows Antimalware Scan Interface (AMSI).

Note

The availability of technologies involved in the detection process may differ depending on the license included in your current plan.

Every event has a detailed description explaining what was detected and what might happen if the artifact is used for malicious purposes, in accordance with the latest MITRE techniques and tactics.

Use the filtering options to display all events, or group them by ATT&CK tactics. You can also use the search bar to find events after first selecting their category. The grid is populated with the sorted events.

eventsTab.png

Select any event in the grid to open its side panel and analyze the major attack indicators, such as command line, network details, or other specific information.

EventsSidePanelForEDR.png
Incident Info

This panel contains collapsible sections with details like incident ID, current state, time and date when the incident was created and last updated, number of involved artifacts, trigger name and description, and attack info.

Tip

From this section you can access the extended incident which may include the current endpoint incident.

incidentInfo.png

The panel also includes the alerts detected on the element that triggered the incident.

Remediation

The Remediation panel provides insightful information about the corrective actions taken automatically by GravityZone for attacks blocked by technologies such as Advanced Threat Control (ATC), HyperDetect, or Antimalware, as well as recommended steps you can follow to mitigate the incident and increase the security level of your system.

remediationTab.png
  1. Actions taken automatically by GravityZone.

  2. Recommendations to further mitigate the incident and boost security posture.

Note

The recommended steps correspond to the alerts detected on the node that triggered the investigated incident.

Incident Status Bar

The incident status bar provides security event tags that help you identify key information about the involved network endpoints.

EDR_status_bar.png
  1. Incident ID - the ID number of the incident under investigation and whether the incident was blocked or reported.

  2. Detection timestamp - the date and time the incident was triggered.

  3. Status - the current incident status.

  4. Assignee - the user that the incident is assigned to.

  5. Priority - the priority of each incident.

  6. Access icons and their description:

Notes Clipboard

The Notes clipboard provides an easy way to add notes to incidents for tracking changes and incident ownership.

Displaying notes

To display a list of available notes click the Notes button on the right side of the Status bar:

206559_1.png

Note

Alongside each note, the user name of its creator is displayed. If the user belongs to a partner company, the name Partner is displayed instead.

Adding a note

To add a note, follow the steps below:

  1. Click the Add note button on the lower right side of the clipboard.

  2. Fill in the note information.

    206559_2.png

    Note

    Each note can contain up to 2,048 characters.

  3. Select Save.

    Note

    In case of bulk actions, a single note will be added in bulk for all incidents.

Editing a note

To edit a note, follow the steps below:

  1. Select the Menu button on the right side of the note you wish to edit.

    206559_3.png
  2. Select Edit.

  3. Make the necessary modifications:

    206559_4.png

    Note

    Each note can contain up to 2,048 characters.

  4. Select Save.

Note

If you wish to cancel editing the note, click Cancel, then select Discard.

Deleting a note

To delete a note, follow the steps below:

  1. Select the Menu button on the right side of the note you wish to delete.

    206559_3.png
  2. Select Delete.

    Note

    This option is only available for your own notes.

  3. Select Delete again.

History Clipboard

The History panel provides an easy way to track the history of an incident. The following events are tracked:

  • Status changes

  • Assigning or reassigning an incident

  • Setting or changing an incident's priority

  • Adding, editing, or deleting an incident note

  • Creating an incident

  • Updating an incident

The list is displayed in chronological order from newest at the bottom to oldest at the top:

xdr_history.png

Each event will contain the following information:

  • The type of the event

  • A description of the event

  • The date and time on which the event occurred

  • The username of the person who performed the action

    Note

    If the user belongs to a partner company, the name Partner will be displayed instead.

Remote Shell

GravityZone provides interactive shell functionality that enables you to connect remotely to an endpoint involved in an incident under investigation and open a remote shell session to run shell commands directly on the endpoint's operating system, to either mitigate threats instantly or collect forensic data for further analysis.

remoteConnection.png

This feature is compatible with the following operating systems:

  • Windows

  • Linux

  • macOS

Important

This feature requires a separate license key for activation.

Note

If using SAML (Security Assertion Markup Language) authentication, Remote Shell capabilities and features are not available.

Remote Shell session prerequisites

To start a remote shell session you have to meet the following criteria:

  • The target endpoint must be powered-on and online.

  • The GravityZone user account must have Manage Networks and Advanced investigation rights enabled. For more details, refer to User rights.

  • Two-factor authentication (2FA) must be enabled prior to initiating the remote shell session.

    Note

    If 2FA is not set up, refer to Manage your account for more details on how to enforce it.

  • The version of the Bitdefender agent installed on the endpoint must support the Remote Shell module.

    • Windows (version 7.3.2.44 and newer)

    • Linux (version 7.0.3.1803 and newer)

    • macOS (version 7.2.6.200017 and newer)

  • For security reasons, the account of the user that attempts to start a remote shell session must belong to a company that meets the following criteria:

    • Company type: Customer

    • Company management: Not managed by an up-the-chain third-party company. If the company is managed by such a company, the Remote Shell connection with endpoint option is not available in the Policy > Communication section.

  • Remote Shell connection with endpoint has to be enabled from Policy > Communication. For more details, refer to Communication.

    Note

    Enabling the Remote Shell module on the endpoints in your environment may take a couple of minutes.

  • Required licenses:

    • The company must have an active Remote Shell license.

    • The user must have a GravityZone Business Security Enterprise license.

Starting a Remote Shell session

To open a remote shell session on an endpoint follow these steps:

  1. In the Incidents page, select the incident you want to investigate and access the Graph view.

  2. In the incident graph, select the endpoint node to expand the Endpoint details panel and click the Remote Shell button.

    remoteShellButton.png

    Note

    If the button is inactive, a tooltip will be displayed, with the reason why the action is unavailable. For more details see Remote Shell session prerequisites.

    Clicking Remote Shell button will open the Remote Shell Connection page in a new browser tab.

  3. In the Remote Shell Connection page you need to enter the 2FA code generated from your authenticator app, to activate the Start session button.

    RemoteShellConnection2faReq.png
  4. Once active, click the Start session button to start the remote shell session on the target endpoint.

    remoteConnection.png

    Once the connection is established, you are logged in as a user with "root" privileges, able to perform a wide array of forensic actions to investigate suspicious behavior or mitigate threats.

    remoteShellActions.png

    Note

    All session logs are recorded and the entire output will be available for download at the end of the session.

  5. When done investigating, click the End session button to close the remote connection, or close the session's browser tab.

    remoteSessionEnded.png
  6. After ending the current session you can click the Download audit log button to get the logs of the remote shell session you just ended, or you can start a new remote session.

    1. When you click Download audit log, GravityZone will start compiling a zip file with all the session logs. This action may take a couple of minutes to complete, depending on the size of the archive. All session details are also available in the User activity log.

      Note

      The session's logs are saved by default in a raw format. For easier reading, unzip the file and use one of these tools:

      • For logs from Windows OS endpoints, run this command in PowerShell:

        Get-Content <filePath> -Wait (use the file path and name of the log file)

        Example: Get-Content "C:\Users\Documents\sessionLogs.txt" -Wait

      • For logs from Linux and macOS endpoints, run this command in the terminal:

        less <filePath> (use the file path and name of the log file)

        Example: less /home/user/sessionLogs.txt

    2. When you click Start a new session you will be required again to enter an authentication code before starting a new session.

Note

If the Remote Shell session is unexpectedly terminated, see XDR Remote Shell Troubleshooting for possible reasons.

XDR Remote Shell Troubleshooting

Your Remote Shell session may drop unexpectedly for various reasons. In most cases, restarting the session is the easiest and quickest way to fix the issue. If this does not work, you can always contact our Customer Support team, who will gladly assist you in all matters concerning the Bitdefender GravityZone platform.

Here is a list of error messages that the remote shell might display, the possible reasons that may have caused them, and measures to mitigate them:

Forensic Data Gathering

Collecting extra information from endpoints affected by an incident is a labor-intensive manual task that often disrupts the investigation efforts of a SOC team and delays the mitigation and containment of threats. The Collect Investigation Package functionality speeds up the collection of forensic evidence from your environment by removing the need to interact directly with the endpoint involved in an incident.

InvPackageEPDetailsFullOv.png

This feature is compatible with the following operating systems:

  • Windows

Investigation package prerequisites

To start the collection of forensic data from an endpoint, you have to meet the following criteria:

  • The target endpoint must be powered-on, online, and must have the EDR Sensor module deployed.

  • Your company must have the EDR add-on enabled.

  • The version of the Bitdefender agent installed on the endpoint must support the Investigation Package feature:

    • Windows (version 7.4 or newer)

  • The GravityZone user account must have the Manage Networks right enabled. For more details, refer to User rights.

  • Two-factor authentication (2FA) must be enabled prior to initiating the data collection process or downloading already collected packages.

    Note

    If 2FA is not set up, refer to Manage your account for more details on how to enforce it.

Collecting an investigation package

You can collect an investigation package using different approaches, based on your tasks: either by selecting an endpoint that is part of an XDR incident, or by selecting a managed endpoint from your Network inventory.

  1. In the Incidents page, select from the grid the extended or endpoint incident you want to investigate further and open the Graph view.

  2. In the Graph, select the node of the endpoint involved in the incident and click Collect Investigation Package to start compiling an archive with forensic data.

    InvPckgCollectEPSidePanel.png

    Note

    If the button is inactive, a tooltip will be displayed with the reason why the action is unavailable. For more details, see Investigation package prerequisites.

    A toast message will inform you that the data collection request was successfully created.

  3. Click the View available investigation files link to access the full endpoint details page and track its progress.

  4. You can view the current collection process (the status of the activity in progress is set to Pending), along with other data gathering activities performed in the past 24 hours.

    InvFilesActivityProgress.png

    Note

    Collection activities that were canceled by a user or could not be completed for various reasons have the status set to Failed.

    When the data collection process has completed successfully, the action status changes to Finished, and the archive with collected forensic artefacts is available for download.

  5. Click Download file in the Actions column to download the archive locally and analyze the collected data.

Note

To find out more details about the type of data collected as part of an investigation package see Investigation Package data.

  1. In the Network page, select the managed endpoint you want to collect forensic data from and open its details page.

  2. Go to the Investigation tab, and click Collect Investigation Package to start compiling an archive with forensic data.

    InvPackageEPDetailsFullCollect.png

    Note

    If the button is inactive, a tooltip will be displayed with the reason why the action is unavailable. For more details, see Investigation package prerequisites.

    A toast message will inform you that the data collection request was successfully created.

    You can track its progress in the Investigation Files Activity grid.

  3. You can view the current collection process (the status of the activity in progress is set to Pending), along with other data gathering activities performed in the past 24 hours.

    InvFilesActivityProgress.png

    Note

    Collection activities that were canceled by a user or could not be completed for various reasons have the status set to Failed.

    When the data collection process has completed successfully, the action status changes to Finished, and the archive with collected forensic artefacts is available for download.

  4. Click Download file in the Actions column to download the archive locally and analyze the collected data.

Note

To find out more details about the type of data collected as part of an investigation package see Investigation Package data.

Blocklisting files

In the Blocklist page you can view and manage items by their hash values. View activity records in User activity log.

11_blocklist.PNG

In this data table, you can view the following details for each item:

  • File Type:

    • MD5

    • SHA256

  • File Hash value

  • Source Type:

    • incident

    • import

    • manual

  • Source Info

  • File Name

  • Company

Adding Hash Values to the Blocklist
12_blocklist_add_hashes.PNG
  1. Copy the hash value from File Info.

  2. Choose from MD5 or SHA256 and paste the value in the box below.

    Add a note if required.

  3. Click Save.

Important

The Incidents Sensor will block any .exe file whose hash value has been added to Blocklist from starting a process.

Importing Hash Records to the Blocklist
13_blocklist_import_csv.PNG
  1. Click the Import CSV button.

  2. Browse for and select your CSV file.

  3. Click Save.

You may also import local CSV files from your device into the Blocklist page, but first you must make sure your CSV is valid.

To create a valid CSV file for import you must populate the first three columns with the following data:

  1. The first column of the CSV must contain the Hash type: either md5 or sha256.

  2. The second column must contain corresponding hexadecimal hash values.

  3. The third column may contain optional string information related to the Source Info column in the Blocklist page.

Note

Information corresponding to the other columns in the Blocklist page will be filled in automatically when importing the CSV file.
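The following Python script is an added example, not GravityZone's own tooling, that supports the two steps above: it computes the MD5 or SHA256 value of local files in the form the Blocklist expects, and it validates a CSV body against the three-column import layout (hash type in column one, hexadecimal digest in column two, optional Source Info in column three). The digest lengths it enforces (32 hex characters for MD5, 64 for SHA256) follow from the algorithms themselves; the duplicate detection and lowercase normalization are this example's own additions, and the sample CSV is constructed.

```python
import csv
import hashlib
import io
import re

# Hash types the Blocklist CSV import accepts in its first column (per the page),
# mapped to the number of hex characters each digest must have.
HASH_LENGTHS = {"md5": 32, "sha256": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def hash_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory buffer; used for the constructed samples."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="sha256"):
    """Hex digest of a file, read in 1 MiB chunks so large binaries fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_blocklist_rows(paths, algorithm="sha256", source_info=""):
    """Produce import rows (hash type, hex hash, optional source info) for local files."""
    return [(algorithm, hash_file(p, algorithm), source_info) for p in paths]


def validate_blocklist_csv(text):
    """Check a CSV body against the three-column import layout described on the page.

    Returns (valid_rows, errors). Hash types and digests are lowercased so the same
    hash written in different case is reported as a duplicate rather than imported twice.
    """
    valid, errors, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not c.strip() for c in row):
            continue  # blank line
        hash_type = row[0].strip().lower()
        if hash_type not in HASH_LENGTHS:
            errors.append(f"line {lineno}: unsupported hash type {row[0].strip()!r}")
            continue
        digest = row[1].strip().lower() if len(row) > 1 else ""
        if not HEX_RE.match(digest) or len(digest) != HASH_LENGTHS[hash_type]:
            errors.append(f"line {lineno}: {hash_type} value must be "
                          f"{HASH_LENGTHS[hash_type]} hex characters")
            continue
        if (hash_type, digest) in seen:
            errors.append(f"line {lineno}: duplicate of an earlier row")
            continue
        seen.add((hash_type, digest))
        source_info = row[2].strip() if len(row) > 2 else ""
        valid.append((hash_type, digest, source_info))
    return valid, errors


def write_blocklist_csv(rows):
    """Serialize validated rows back into a CSV body ready for the Import CSV button."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


# Constructed sample: two good rows, one unsupported hash type, one truncated
# digest, and one duplicate that differs from line 1 only in letter case.
SAMPLE_CSV = """md5,d41d8cd98f00b204e9800998ecf8427e,constructed sample entry
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,uppercase is normalized
sha1,da39a3ee5e6b4b0d3255bfef95601890afd80709,unsupported hash type
md5,d41d8cd9,truncated value
md5,D41D8CD98F00B204E9800998ECF8427E,duplicate of line 1
"""

if __name__ == "__main__":
    rows, problems = validate_blocklist_csv(SAMPLE_CSV)
    print(write_blocklist_csv(rows))
    for p in problems:
        print("skipped:", p)
```

Run the script on a CSV exported from another tool before using Import CSV; rows the validator rejects would otherwise be silently wrong or duplicated in the Blocklist. The two digests in the constructed sample are the MD5 and SHA256 values of an empty input, so they can be checked against `hash_bytes(b"")`.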

Searching security events

The Search page allows you to browse for past security events by using complex search criteria.

XEDR-Search-Overview-2.png

In the search bar you can build queries using the available suggested fields and the rules described in The XDR query language.

All the results are displayed in a customizable grid where you can choose to show or hide categories according to your needs, using the filter-columns-edr.png Show / Hide button.

Note

The grid keeps your results until the end of your session, or until you run a new search.

Running queries

To run a query:

  1. Type the query string in the search bar. Suggestions for field names, values and operators appear as you type.

    • For suggestions regarding field names, open the Helper by pressing CTRL + /.

    • For suggestions regarding values, open the Autocomplete by pressing CTRL + Space.

    141085_1.png

    Tip

    For help regarding fields available or syntax, use the Syntax Help. You can also use nested queries to build complex searches.

  2. Set up the time frame using the Date field.

    1. Define the search time frame:

      • To select specific dates, use the Custom option, then select the start and end dates from the calendar.

      • Set an exact time interval by using the From and To tabs above the calendar.

      • Select a recent time interval from the available options: Last 24 hours, Last 7 days, Last 30 days.

      Important

      The default data retention interval for events is 7 days. If you want to increase your capacity, you need to contact your sales representative to upgrade your solution with a 30-, 90-, or 180-day Data Retention add-on.

    2. Select Confirm.

  3. Select Run query.

Important

Control Center can display up to 10,000 events.

If the query results contain more than 10,000 events, a message will pop up, in which case you need to refine your search.

Refining your search

If the initial query returned too many results, you can optimize your search criteria. You can manually add information in the search query or you can use the Details panel. To refine your search using the panel, follow these steps:

  1. Select any event in the Grid to open the Details panel.

  2. Click the search-icon.png search icon at the end of the field you want to add to the query.

    Details-panel-search-plus-json.png

    Note

    The JSON tab is displayed for EDR and XDR alerts. You can easily identify these alerts by using the following key-value pairs:

    • other.event_type: alert for EDR alerts

    • other.event_type: xalert for XDR alerts

    The JSON tab contains further information related to that specific alert. You cannot use the key-value pairs in this tab to further refine your search, but you can copy all data by using the Copy all to clipboard button. For a list of all JSON fields, refer to JSON fields.

  3. Select the necessary operator.

    The field-value pair will be added to your search query.

  4. Select Run query.

Smart views

The Search feature offers the ability to save queries for later use.

You can also edit or delete previously saved queries.

Saving queries
  1. Run the desired query.

  2. Click the Save As button in the upper-right corner of the page.

    The following dialog box is displayed:

    XDR-save-query.png
  3. Name your query and click Save.

    XDR--smart-views.png

    Your query will be displayed in the Smart views panel, on the left side of the search grid.

Editing saved queries
  1. Select the query from the Smart views list.

    The query will be displayed in the search bar.

  2. Make the necessary changes to your query.

  3. Click the Save button in the upper-right corner of the page.

Deleting saved queries
  1. In the Smart views list, click the ellipses.PNG vertical ellipses next to the query you want to delete.

    XDR-delete-query.png
  2. Select Delete and confirm your choice.

The XDR query language

The query language provides the vocabulary (fields and operators) and the syntax to help you build queries.

To access information about syntax from inside the platform click the 141129_1.PNG icon inside the search bar.

EDR Custom Rules

The Custom Rules page provides you the framework to create and manage custom rules to include or exclude specific behaviors from triggering incidents.

This EDR feature includes two major categories:

Detections

The Detections tab provides you the framework to create and manage custom detection rules, to mark specific behavior from your environment as a valid detection, and generate corresponding incidents in the Incidents page.

edrDetectionsOverview.png
  1. Click the Create New button to create a new custom detection rule. See Create Custom Detection Rules for more details.

  2. Use these action buttons to customize your grid:

  3. Select the global check box or the individual boxes of rules to select them, and click Delete to remove them from the list.

  4. Click a rule in the list to expand its details panel, view the rule details and update or delete it if needed. See Detection Rule Details Panel for more details.

Create Custom Detection Rules
  1. To create a custom detection rule, click the Create New button.

    It will take you to the Create Detection Rule window, in the Rule definition section, where you can start editing the rule.

  2. Select what type of element you want to include in the detection rule.

    You can choose from:

    • Process

    • File

    • Connection

    • Registry

  3. Each type of element has specific matching criteria you can choose from the drop-down menu:

    1. Select one of the available criteria options.

    2. Select the type of relationship between the matching criteria and its value:

      • Is - will include all incidents with elements that match the exact value entered in the value field.

      • Contains - will include all incidents with elements that contain the value entered in the value field (for example wildcards, file extensions, etc.).

        Important

        Using wildcards when creating a detection rule raises the risk of making it too generic, thus increasing the possibility of overflowing your work backlog with false-positive incidents.

      • Is one of - will include all incidents with elements matching one of the values entered in the value field (The OR operator is applied between the entered values).

    3. Enter the specific value for each criterion.

      Note

      When entering multiple values for a criterion (when using the Is one of condition), you must press Enter after each value, to complete the action.

  4. Use the Add Criteria button to add new criteria to the rule.

    Note

    The rule will trigger incidents that match every defined criterion (the AND operator is applied between multiple criteria).

  5. After all the criteria have been defined, click Next step.

    It will take you to the Rule settings section, where you have to fill out the rule details.

  6. Name the new rule in the Rule Name field. This field is mandatory.

  7. Add a brief description of the rule in the Rule Details text area.

  8. Add tags specific to this rule in the Tag field, for easier rule grouping and management.

  9. Set the rule status to Active or Inactive from the Status drop-down menu.

  10. Set severity of the alerts triggered by this rule to Low / Medium / High, from the drop-down menu.

  11. Click Create rule to complete the creation of the custom detection rule.

    The new rule is available in the Detections tab.

Detection Rule Details Panel

The Rule Details panel includes detailed information on the selected rule, including the date of creation and who created it, the date when it was last updated, its unique ID and status, as well as a link to the list of events matching the rule criteria.

It also includes the description of the rule, associated tags, included matching criteria, and rule outcome.

  • Click Edit to go to the Create Detection Rule window, where you can update the rule's definition.

  • Click Delete to remove the detection rule from the list.

Exclusions

The Exclusions tab provides you the framework to create and manage custom exclusion rules, to exclude incidents you find irrelevant for your organization, which would otherwise be flagged by XDR on The Incidents Page.

  1. Click the Create New button to create a new custom exclusion rule. See Create Custom Exclusion Rules for more details.

    Alternatively, you can always create a rule right from inside the incident graph, by selecting a target node and adding it as an exclusion from its side details panel. See the Add as EDR exclusion functionality for more details.

  2. Use these action buttons to customize your grid:

  3. Select the global check box or the individual boxes of rules to select them, and click Delete to remove them from the list.

  4. Click a rule in the list to expand its details panel, view the rule details and update or delete it if needed. See Exclusion Rule Details Panel for more details.

Create Custom Exclusion Rules
  1. To create a custom exclusion rule, click the Create New button from the Exclusions tab.

    It will take you to the Create Exclusion Rule page, in the Rule definition section, where you can start editing the rule.

  2. Select what type of element you want to include in the exclusion rule.

    You can choose from:

    • Process

    • File

    • Connection

  3. Each type of element has specific matching criteria you can choose from the drop-down menu:

    1. Select one of the available criteria options.

    2. Select the type of relationship between the matching criteria and its value:

      • Is - will exclude all incidents with elements that match the exact value entered in the value field.

      • Contains - will exclude all incidents with elements that contain the value entered in the value field (for example wildcards, file extensions, etc.).

        Important

        Using wildcards when creating an exclusion rule raises the risk of making it too generic, thus increasing the possibility of ignoring real threats and making your company more vulnerable.

      • Is one of - will exclude all incidents with elements matching one of the values entered in the value field (The OR operator is applied between the entered values).

    3. Enter the specific value for each criterion.

      Note

      When entering multiple values for a criterion (when using the Is one of condition), you must press Enter after each value, to complete the action.

  4. Use the Add Criteria button to add new criteria to the rule.

    Note

    The rule will exclude incidents that match every defined criterion (the AND operator is applied between multiple criteria).

  5. After all the criteria have been defined, click Next step.

    It will take you to the Rule settings section, where you have to fill out the rule details.

  6. Name the new rule in the Rule Name field. This field is mandatory.

  7. Add a brief description of the rule in the Rule Details text area.

  8. Add tags specific to this rule in the Tag field, for easier rule grouping and management.

  9. Set the rule status to Active or Inactive from the Status drop-down menu.

  10. Click Create rule to complete the creation of the custom exclusion rule.

    The new rule is available in the Exclusions tab.
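The following Python is an added example, not Bitdefender's rule engine, that models the matching semantics described in both the Create Custom Detection Rules and Create Custom Exclusion Rules steps: Is (exact value), Contains (substring or wildcard), Is one of (OR between values), AND between criteria, the Active/Inactive status, and exclusions taking precedence over detections. Element types come from the page; the attribute names (`name`, `path`), the events and all rule values are constructed for illustration. It also shows what the two Important notes warn about: a wildcard detection rule fires on unrelated events, and a broad exclusion rule silently suppresses a real hit.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple

# An event is a dict with an "id" plus one dict per element type
# (Process, File, Connection, Registry) mapping attribute -> value.
# Attribute names below are assumed for this example.
Event = dict


@dataclass(frozen=True)
class Criterion:
    element: str                 # Process, File, Connection or Registry
    attribute: str               # assumed attribute name, e.g. "name" or "path"
    operator: str                # "is", "contains" or "is_one_of"
    values: Tuple[str, ...]      # one value for is/contains, several for is_one_of

    def matches(self, event: Event) -> bool:
        actual = event.get(self.element, {}).get(self.attribute)
        if actual is None:                       # element/attribute absent: no match
            return False
        if self.operator == "is":
            return actual == self.values[0]      # exact value only
        if self.operator == "contains":
            pattern = self.values[0]
            if any(ch in pattern for ch in "*?"):  # wildcard pattern
                return fnmatchcase(actual, pattern)
            return pattern in actual             # plain substring
        if self.operator == "is_one_of":
            return actual in self.values         # OR between the entered values
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class Rule:
    name: str
    criteria: List[Criterion]
    severity: str = "Medium"     # Low / Medium / High (used by detection rules)
    active: bool = True          # Status drop-down: Inactive rules never fire

    def matches(self, event: Event) -> bool:
        # AND is applied between all criteria of the rule.
        return self.active and all(c.matches(event) for c in self.criteria)


def evaluate(events, detections, exclusions):
    """Return (event id, rule name, severity) for each incident a rule set
    would raise: an event matched by any exclusion is dropped first, then
    every matching detection rule produces an incident."""
    incidents = []
    for ev in events:
        if any(x.matches(ev) for x in exclusions):
            continue
        for d in detections:
            if d.matches(ev):
                incidents.append((ev["id"], d.name, d.severity))
    return incidents


# Constructed sample events (not real telemetry).
EVENTS = [
    {"id": "e1", "Process": {"name": "powershell.exe"},
     "File": {"path": "C:\\Users\\alice\\Downloads\\invoice.js"}},
    {"id": "e2", "Process": {"name": "backup.exe"},
     "File": {"path": "D:\\backups\\nightly.bak"}},
    {"id": "e3", "Process": {"name": "backup.exe"},
     "File": {"path": "C:\\Windows\\Temp\\stage.tmp"}},
]

# Narrow detection: both criteria must hold (AND).
STRICT_DETECTION = Rule("PowerShell from Downloads", [
    Criterion("Process", "name", "is", ("powershell.exe",)),
    Criterion("File", "path", "contains", ("\\Downloads\\",)),
], severity="High")

# Generic detection with a wildcard: fires on every file under C:\.
GENERIC_DETECTION = Rule("Anything on C:", [
    Criterion("File", "path", "contains", ("C:\\*",)),
])

# Narrow exclusion: only the backup job writing under D:\backups\.
NARROW_EXCLUSION = Rule("Nightly backup job", [
    Criterion("Process", "name", "is", ("backup.exe",)),
    Criterion("File", "path", "contains", ("D:\\backups\\",)),
])

# Broad exclusion using Is one of: also swallows the PowerShell hit.
BROAD_EXCLUSION = Rule("Trusted tools", [
    Criterion("Process", "name", "is_one_of", ("backup.exe", "powershell.exe")),
])


if __name__ == "__main__":
    print("strict + narrow :", evaluate(EVENTS, [STRICT_DETECTION], [NARROW_EXCLUSION]))
    print("generic, no excl:", evaluate(EVENTS, [GENERIC_DETECTION], []))
    print("strict + broad  :", evaluate(EVENTS, [STRICT_DETECTION], [BROAD_EXCLUSION]))
```

With the narrow rules, only e1 becomes a High incident and the backup job is filtered out. The wildcard detection raises two incidents from the same events, and the broad exclusion reduces the output to nothing, which is exactly the "ignoring real threats" risk the Important note describes.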

Exclusion Rule Details Panel

The Rule Details panel includes detailed information on the selected rule, including the date of creation and who created it, the date when it was last updated, its unique ID and status, as well as a link to the list of events matching the rule criteria.

It also includes the description of the rule, associated tags, included matching criteria, and rule outcome.

  • Click Edit to go to the Create Exclusion Rule window, where you can update the rule's definition.

  • Click Delete to remove the exclusion rule from the list.