Manage security incidents and inbound requests

After a security incident has been created, many types of information can be added and viewed as your analysis of the issue progresses toward resolution.

Create an inbound request
Unlike security incidents, inbound requests are generally of lower priority. Requests for a lookup, a scan, or a new badge are examples of inbound requests.

Manage observables
Observables are artifacts found on a network or operating system that are likely to indicate an intrusion. Typical observables are IP addresses, MD5 hashes of malware files, URLs, and domain names. Threat Intelligence observable table data is available from within a security incident.

Manage lookups and scans
You can perform lookups and vulnerability scans from security incidents and from the security incident catalog to identify potential threats and vulnerabilities.

Manage on-demand orchestration
During Security Incident Response analysis, a security analyst may want to perform a task that is driven by a security incident workflow, for example running a process dump on a particular CI. This can be accomplished with on-demand orchestration.

Add information to a security incident
After a security incident is created, you can add more details to aid in analysis, such as access roles and different kinds of notes.

Invoke a process dump for an enriched process in Windows
A security analyst can run a process dump on a specific process, write it to a file, and post it to a shared site on an internal network. The analyst can then view a blacklisted process, highlighted in red in the security incident, and perform additional analysis.

View information in a security incident
You can perform several other actions on an existing security incident using the related links.

Calculate the severity of a security incident
You can calculate the severity of a security incident using predefined calculators.

Search for and delete phishing emails
Deleting phishing emails can help reduce exposure to a specific attack across an organization. You can manage phishing emails on your email server by searching for them, granting approvals, and deleting them.

Escalate a security incident
If an escalation path exists for a security incident, the Escalate button is available in the security incident header.

Manage post incident activities
Based on the requirements of your business, a review of the origins and handling of security incidents is often needed.

Close security incidents
When a security incident has transitioned to the Review state, you can close it and enter an appropriate closure code. Closure codes can be searched later so that closed incidents are easy to locate.
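The observable types listed above (IP addresses, MD5 hashes, URLs, domain names) usually arrive buried in an alert body or a forwarded phishing report, often defanged (hxxp://, example[.]net). The following script, an added example that is not ServiceNow code and uses no ServiceNow API, pulls those four observable types out of free text, separates internal addresses (which are affected hosts, not threat-intel lookups) from external ones, and drops invalid addresses. The sample alert text, the KNOWN_TLDS allowlist (a stand-in for the public suffix list) and the INTERNAL_NETS list are all assumptions made for the example.

```python
"""Extract and classify observables from free text so they can be recorded
against a security incident. Added example; not part of any product."""
import ipaddress
import re


def refang(text: str) -> str:
    """Undo common defanging so the patterns below see real indicators."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
URL_RE = re.compile(r"\bhttps?://[^\s<>\"')\]]+", re.IGNORECASE)
DOMAIN_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+([a-z]{2,63})\b", re.IGNORECASE
)

# Assumption: a small stand-in for the public suffix list. Without such a
# filter, file names like "invoice.docx" are indistinguishable from domains.
KNOWN_TLDS = {"com", "net", "org", "io", "info", "biz", "ru", "xyz", "top"}

# Assumption: ranges treated as "our own estate". Listed explicitly instead of
# using ipaddress.is_global, whose definition has changed between Python versions.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def extract_observables(text: str) -> dict:
    """Return sorted, de-duplicated observables keyed by type."""
    text = refang(text)
    found = {"ip": set(), "internal_ip": set(), "md5": set(), "url": set(), "domain": set()}
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.IPv4Address(candidate)  # rejects 999.1.2.3 and the like
        except ValueError:
            continue
        found["internal_ip" if is_internal(ip) else "ip"].add(str(ip))
    found["md5"].update(h.lower() for h in MD5_RE.findall(text))
    found["url"].update(URL_RE.findall(text))
    for m in DOMAIN_RE.finditer(text):
        if m.group(1).lower() in KNOWN_TLDS:
            found["domain"].add(m.group(0).lower())
    return {kind: sorted(values) for kind, values in found.items()}


# Constructed sample input: an alert body as an analyst might paste it.
SAMPLE_ALERT = """\
Host 10.20.30.40 beaconed to 203.0.113.77 and fetched hxxp://malware-c2[.]example[.]net/loader.php
Attachment invoice.docx, md5 d41d8cd98f00b204e9800998ecf8427e, also seen at 999.1.2.3
User on 192.168.1.15 clicked a link to login.example[.]com
"""

if __name__ == "__main__":
    for kind, values in extract_observables(SAMPLE_ALERT).items():
        print(f"{kind:12s} {values}")
```

Only the external address, the hash, the URL and the two domains are candidates for threat intelligence lookups; the two internal addresses are kept separately because they identify the affected CIs. Note that MD5 is still the hash type most feeds exchange, but it is collision-prone, so record a SHA-256 alongside it whenever the source provides one.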