Manage Incidents in Endpoint Security

Applies To: WatchGuard Advanced EPDR

In Endpoint Security, an incident is a group of related signals that have a high probability of being a cyberattack. An incident groups signals found on the same device in your network, and helps you to identify, manage, and resolve the potential issue. Advanced EPDR can add signals to an incident up to seven days after the incident is created. You can also manually add or delete signals from an incident.

The Incidents list in the Endpoint Security management UI enables administrators to investigate and close incidents detected by Advanced EPDR. For more information, go to Close an Incident in Endpoint Security.

Incidents in Endpoint Security are not the same as those in ThreatSync. Incidents in Endpoint Security are a group of signals generated from events on the endpoint, as well as Indicators of Attack. The same incident might also appear in ThreatSync as multiple incidents. For information on how to manage incidents in ThreatSync, go to Perform Actions in ThreatSync.

To open the Incidents list, from the Endpoint Security management UI:

  1. On the Status page, next to My Lists, click Add.
  2. In the Add List dialog box, select Incidents.

Screen shot of Add List dialog box, Endpoint Security

The Incidents list opens.

Screen shot of Incidents list, Endpoint Security

To filter the list to show fewer incidents, click Filters. You can filter the list by Risk level, Status, Incident name, and update Dates.

Screen shot of Incidents list filter, in Endpoint Security

To view incident details, select an incident from the list. For more information, go to Review Incident Details in Endpoint Security.

To view a list of the incidents detected on a specific computer, from the Incidents list:

  1. Click the More Options icon in the row for an incident that occurred on the computer you are interested in.
  2. Select View Incidents Detected on this Computer.
    The Incidents list shows the incidents for the selected computer.

To view a list of the computers where an incident was detected, from the Incidents list:

  1. Click the More Options icon in the row for an incident.
  2. Select View Computers Where Incident was Detected.
    The Incidents list shows the computers where the incident was detected.

About the Incidents List

To download the list to a .CSV file, click the Export icon.

To create a new list from the existing list, click the More Options icon and select Copy.

The Incidents list includes this information:

Incident Name

The name of the incident provided by Advanced EPDR.

When the Merged label shows next to the incident name, it indicates that incidents that were initially separate have merged into a single incident. A tooltip lists the merged incidents. If there are more than 5 merged incidents, click Show All Merged Incidents to open a dialog box of the merged incidents.

When the Updated label shows next to the incident name, it indicates that an already reported incident now includes another new incident or has received a significant signal. The Updated label does not show for new signals added manually by the operator. After the operator reviews the incident details, the Updated label disappears.

Risk

The risk score and level of the incident. In Endpoint Security, risk level is divided into these categories, based on the risk score:

  • Critical — Scores of 9 or 10
  • High — Scores of 7 or 8
  • Medium — Scores of 4, 5, or 6
  • Low — Scores of 1, 2, or 3
  • No risk — Score of 0

Endpoint Security determines the risk score for an endpoint based on the incident risk scores associated with the endpoint in the past 30 days. The endpoint risk score is the same as the value of the highest IOA risk score detected on the endpoint in the past 30 days. For example, if an endpoint has two open incidents in a 30-day period, one with an IOA risk score of 9 and the other with an IOA risk score of 7, the endpoint risk score is 9.

Endpoint Security uses only pending incidents to determine endpoint risk scores, not closed incidents. When a new incident occurs or an incident is closed, Endpoint Security recalculates the endpoint risk score. After the detection of a new incident, recalculated endpoint risk scores can take several seconds to appear in the Incidents list in the Endpoint Security management UI.

Endpoint Security determines the risk level for an endpoint based on its IOA risk score. Endpoint Security categorizes endpoint risk scores into these risk levels:

Risk Level   Risk Score   Description
Critical     9, 10        Endpoints with critical risk scores require immediate attention and investigation.
High         7, 8         We strongly recommend you investigate endpoints with high risk scores.
Medium       4, 5, 6      We recommend you investigate endpoints with medium risk scores.
Low          1, 2, 3      Investigate endpoints with low risk scores if you have the time and resources available.
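The endpoint risk rules above (highest IOA risk score among pending incidents in the last 30 days, closed incidents excluded, recalculation when an incident is closed, and the score-to-level mapping) can be reproduced in a few lines. The following is an added example written for this page, not WatchGuard code or an Endpoint Security API; the Incident fields, the use of the incident detection time for the 30-day window, and the sample incidents are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta


def risk_level(score: int) -> str:
    """Map a 0-10 risk score to the Endpoint Security risk level."""
    if not 0 <= score <= 10:
        raise ValueError(f"risk score out of range: {score}")
    if score >= 9:
        return "Critical"
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    if score >= 1:
        return "Low"
    return "No risk"


@dataclass(frozen=True)
class Incident:
    # Assumed field set; the real Incidents list has more columns.
    name: str
    computer: str
    ioa_risk_score: int
    status: str          # "Pending" or "Closed"
    detected_at: datetime  # assumption: the timestamp used for the 30-day window


def endpoint_risk_score(incidents, computer: str, now: datetime,
                        window_days: int = 30) -> int:
    """Highest IOA risk score among pending incidents on the endpoint
    within the window. No qualifying incident means a score of 0."""
    cutoff = now - timedelta(days=window_days)
    scores = [
        i.ioa_risk_score for i in incidents
        if i.computer == computer
        and i.status == "Pending"          # closed incidents never count
        and i.detected_at >= cutoff        # incidents older than the window never count
    ]
    return max(scores, default=0)


def endpoint_risk(incidents, computer: str, now: datetime) -> tuple[int, str]:
    """Return (score, level) for one endpoint."""
    score = endpoint_risk_score(incidents, computer, now)
    return score, risk_level(score)


def close_incident(incidents, name: str):
    """Return a new incident list with the named incident marked Closed.
    Recomputing the endpoint risk afterwards models the recalculation
    Endpoint Security performs when an incident is closed."""
    return [replace(i, status="Closed") if i.name == name else i for i in incidents]


# Constructed sample data (not from any real tenant).
NOW = datetime(2024, 6, 1, 12, 0)
SAMPLE_INCIDENTS = [
    Incident("Incident 101", "ws-01", 9, "Pending", NOW - timedelta(days=2)),
    Incident("Incident 102", "ws-01", 7, "Pending", NOW - timedelta(days=10)),
    Incident("Incident 103", "ws-01", 10, "Pending", NOW - timedelta(days=45)),  # outside window
    Incident("Incident 104", "ws-02", 8, "Closed", NOW - timedelta(days=1)),    # closed, ignored
    Incident("Incident 105", "ws-02", 3, "Pending", NOW - timedelta(days=3)),
]


if __name__ == "__main__":
    for host in ("ws-01", "ws-02", "ws-03"):
        print(host, endpoint_risk(SAMPLE_INCIDENTS, host, NOW))
    after = close_incident(SAMPLE_INCIDENTS, "Incident 101")
    print("ws-01 after closing Incident 101:", endpoint_risk(after, "ws-01", NOW))
```

Note that ws-01 carries a score-10 incident that is older than 30 days and so does not raise the endpoint to 10, and that closing the score-9 incident drops ws-01 from Critical to High because the next highest pending incident scores 7.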

Signals

Number of signals or detections generated in response to potential threats or suspicious activities. Signals are the raw events that Endpoint Security combines to create the incident. For information on how to add or remove signals from an incident, go to Signals and Signal Details in Endpoint Security.

Computer

The name of the computer or number of computers affected by the incident.

User

The number of users or the name of the user affected by the incident.

File

The number of files or the file name affected by the incident.

Status

The status of the incident (Pending or Closed). For more information, go to Close an Incident in Endpoint Security.

Last Update

The date and time when incident details were last updated. This only appears for incidents that have been updated and show an Updated label.

Close an Incident in Endpoint Security

After you analyze and resolve an incident, you can mark it as closed.

To mark an Endpoint Security incident as closed, from the Incidents list:

  1. Click the More Options icon in the row for an incident with a Pending status.
  2. Select Close Incident.

    The incident status updates to Closed.

You can also close multiple incidents at one time. Select the check boxes for the incidents and then click Close Incident.

Screen shot of Incidents list, Endpoint Security, change to closed

Filter the List for an Incident or Computer

To view all of the incidents detected on a specific computer, from the Incidents list:

  1. Click the More Options icon in the row for an incident that occurred on the computer you want to see all of the incidents for.
  2. Select View the incidents detected on this computer.
    The Incidents list is filtered for the computer.

To view all of the computers where an incident was detected, from the Incidents list:

  1. Click the More Options icon in the row for an incident you want to see all of the affected computers for.
  2. Select View computers on which this incident was detected.
    The Incidents list is filtered for the incident.

Related Topics

Review Incident Details in Endpoint Security

About My Lists in Endpoint Security