Once an incident is detected, the incident page usually displays the following information:
- Incident category
- Trigger name
- IP/user/hostname information
- Severity score
- Other basic information
Together, these fields point the investigation in a general direction, for example internal suspicious activity or malware-related activity.
To investigate an incident:
- Open the incident page and examine the collected data, specifically:
  - User Info – who; Host Info – what device; Network – which location
  - Dest IP; Dest domain; Dest Org
  - IOA Summary, Score, Packet Data (hex, ASCII, raw pcap)

  | | Source Information | Destination Information |
  |---|---|---|
  | Network/App | IP, username, hostname | IP, username, hostname |
  | | Packets, bytes sent | Packets, bytes received |
  | | Session ID | |
  | | Client app info (browser, app, etc.) | Server app info |
- If more information is needed to determine whether the incident is a false positive, run additional lookups from the Explore Activity section. Note the field names of interest and their values; this data should be enough to judge whether the incident is a false positive.
- Use the search quick reference from the previous section as a template for the desired search.
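As an added example (not the product's own code), the following Python script walks through the triage steps above on a constructed incident record: it classifies the connection direction from the source and destination IPs, decodes the packet data from hex into the ASCII view, pulls a destination domain out of the payload, and lists the field/value pairs worth running as additional lookups. The record layout, the sample values, the internal address ranges and the direction hints are all assumptions made for illustration; the real incident page may name its fields differently.

```python
"""Triage helper for an incident record (added example, not the product's own code).

The record layout is a constructed assumption modelled on the fields the
procedure above examines: category, trigger, severity, source and destination
network/app info, and packet data as hex. Field names on the real incident
page may differ.
"""
import ipaddress
import re

# "Internal" here means RFC 1918, loopback and link-local space. This is an
# assumption; replace it with the organization's actual address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample payload and incident; every value is made up.
SAMPLE_PAYLOAD = (b"GET /update.php HTTP/1.1\r\n"
                  b"Host: updates.example.net\r\n"
                  b"User-Agent: Mozilla/5.0\r\n\r\n")
SAMPLE_INCIDENT = {
    "category": "Suspicious outbound connection",
    "trigger": "Periodic beaconing",
    "severity": 72,
    "source": {"ip": "10.20.30.40", "username": "jdoe", "hostname": "WS-1234",
               "packets": 40, "bytes_sent": 8200, "session_id": "s-0001",
               "client_app": "Mozilla/5.0"},
    "destination": {"ip": "203.0.113.55", "username": "", "hostname": "",
                    "packets": 38, "bytes_received": 1900, "server_app": "nginx"},
    "packet_hex": SAMPLE_PAYLOAD.hex(),
}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_direction(src_ip: str, dst_ip: str) -> str:
    """Return e.g. 'internal-to-external'; the first hint about where to look."""
    def side(ip):
        return "internal" if is_internal(ip) else "external"
    return f"{side(src_ip)}-to-{side(dst_ip)}"


def decode_packet_hex(hexstr: str):
    """Hex packet data -> raw bytes plus a printable ASCII view (dots for
    non-printables), the two views the incident page offers."""
    raw = bytes.fromhex(hexstr)
    ascii_view = "".join(chr(b) if 32 <= b < 127 else "." for b in raw)
    return raw, ascii_view


def extract_http_host(raw: bytes):
    """Pull the HTTP Host header out of the payload, if present, as a domain to pivot on."""
    m = re.search(rb"^Host:[ \t]*([^\r\n]+)", raw, re.MULTILINE | re.IGNORECASE)
    return m.group(1).decode("ascii", "replace").strip() if m else None


def pivot_lookups(incident: dict) -> list:
    """Field/value pairs worth running as additional lookups; empty values are skipped."""
    src, dst = incident["source"], incident["destination"]
    raw, _ = decode_packet_hex(incident["packet_hex"])
    candidates = [
        ("src_ip", src.get("ip")), ("src_user", src.get("username")),
        ("src_host", src.get("hostname")), ("session_id", src.get("session_id")),
        ("dst_ip", dst.get("ip")), ("dst_host", dst.get("hostname")),
        ("dst_domain", extract_http_host(raw)),
    ]
    return [(field, value) for field, value in candidates if value]


# Heuristic reading of the direction; an assumption for illustration, not a rule.
DIRECTION_HINTS = {
    "internal-to-internal": "internal suspicious activity (lateral movement, policy misuse)",
    "internal-to-external": "possible malware callback or data egress",
    "external-to-internal": "inbound probing or exploitation attempt",
    "external-to-external": "transit traffic; check the sensor placement",
}


def triage(incident: dict, high_severity: int = 70) -> dict:
    """Summarize the incident and decide which lookups to run next."""
    src, dst = incident["source"], incident["destination"]
    raw, ascii_view = decode_packet_hex(incident["packet_hex"])
    direction = classify_direction(src["ip"], dst["ip"])
    return {
        "category": incident["category"],
        "trigger": incident["trigger"],
        "direction": direction,
        "hint": DIRECTION_HINTS[direction],
        "high_severity": incident["severity"] >= high_severity,
        # More bytes leaving than arriving on an outbound session deserves a second look.
        "sent_exceeds_received": src["bytes_sent"] > dst["bytes_received"],
        "dest_domain": extract_http_host(raw),
        "ascii_view": ascii_view,
        "lookups": pivot_lookups(incident),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_INCIDENT).items():
        print(f"{key:>22}: {value}")
```

The `lookups` list is the set of field names and values to carry into the Explore Activity searches; the direction, severity flag and byte ratio are only hints and do not by themselves decide whether the incident is a false positive.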