Skip to main content
Skip table of contents

Incident Investigation Process

Once an incident is detected, the following information usually displays:

  • Incident category
  • Trigger name
  • IP/user/hostname information
  • Severity score
  • Other basic information

This information hints in the general direction of where the investigation should be going: internal suspicious activity, malware-related activity, etc.

To investigate an incident:

  1. Open the incident page and examine the collected data, specifically:
    • User Info – who
    • Dest IP
    • Host Info – what device
    • Dest domain
    • Network – which location
    • Dest Org
    • IOA Summary, Score, Packet Data (hex, ASCII, raw pcap)
    • Source
      • Information
      • Network/App
      • IP, username, hostname
      • Packets, bytes sent
      • Session ID
      • Client app info (browser, app, etc.)
    • Destination
      • Information
      • Network/App
      • IP, username, hostname
      • Packets, bytes received
      • Server app info
  2. If more information is needed to determine if the incident is a false positive, run additional lookups from the Explore Activity section. 
    Note the field names of interest and their values. This data should be enough to judge whether or not the incident is a false positive.
  3. Use the search quick reference from the previous section as a sample to run the desired search.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.