Show enrichment data for a security incident

You can view enrichment data, such as running processes and services, and network statistics associated with a security incident.

Before you begin

Role required: sn_si.basic

Procedure

  1. Open the security incident for which you want to view enrichment data.
  2. Click the Show Enrichment Data related link.
  3. Click any of the related lists to view or add information for the security incident.
    Note: Raw data details are stored in an attachment to the enrichment data record. If they exceed the field limit, displayed details are truncated.
    | Tab | Description |
    | --- | --- |
    | Security Enrichment Data | Stores raw enrichment data from Security Incident Response workflows, such as retrieving network statistics or running processes. |
    | Running Processes | Stores the records created by the Security Incident Response Get Running Processes workflow. |
    | Running Services | Stores the records created by the Security Incident Response Get Running Services workflow. |
    | Network Statistics | Stores the records created by the Security Incident Response Get Network Statistics workflow. |
    | Domain Lookups | If the WhoisXML API Integration plugin is activated, stores the records created by a Whois lookup. |
    | Firewall Logs | Stores enrichment data from firewall logs, such as the Palo Alto Networks firewall logs. |
    | Compromised User Info | Stores accounts identified as being compromised through a Have I Been Pwned? lookup. |
  4. Click any of the following related links to further update the security incident:
  5. When you have completed your entries, click Submit.