Incident Investigation Process

Once an incident is detected, the following information usually displays:

• Incident category
• Trigger name
• IP/user/hostname information
• Severity score
• Other basic information

This information hints in the general direction of where the investigation should be going: internal suspicious activity, malware-related activity, etc.

To investigate an incident:

1. Open the incident page and examine the collected data, specifically:
   
   • User Info – who
   • Dest IP
   • Host Info – what device
   • Dest domain
   • Network – which location
   • Dest Org
   • IOA Summary, Score, Packet Data (hex, ASCII, raw pcap)
   • Source
   • • Information
     • Network/App
     • IP, username, hostname
     • Packets, bytes sent
     • Session ID
     • Client app info (browser, app, etc.)
   • Destination
     • Information
     • Network/App
     • IP, username, hostname
     • Packets, bytes received
     • Server app info
2. If more information is needed to determine if the incident is a false positive, run additional lookups from the Explore Activity section. 
   Note the field names of interest and their values. This data should be enough to judge whether or not the incident is a false positive.
3. Use the search quick reference from the previous section as a sample to run the desired search.