Review Incident Details
The Incident Details page shows detailed information about a specific threat. You can view the incident name, associated account, incident date, and additional sections that provide details specific to the type of incident.
You can also perform actions on the selected incident in various sections on the Incident Details page. For more information, go to Perform Actions to Remediate Incidents.
To open the Incident Details page:
- Select Monitor > Threats.
  The Incidents page opens.
- Click an incident.
  The Incident Details page opens.
The sections shown on the Incident Details page vary by incident type and can include:
Threat Details
The Threat Details section includes different details specific to the incident type selected.
The details in this section can include:
- Type — The incident type:
  - Advanced Security Policy — The execution of malicious scripts and unknown programs that use advanced infection techniques.
  - Exploit — Attacks that try to inject malicious code to exploit vulnerable processes.
  - Intrusion Attempt — A security event where an intruder tries to gain unauthorized access to a system.
  - IOA — Indicators of Attack (IOAs) are indicators that are highly likely to be an attack.
  - Malicious URL — A URL created to distribute malware, such as ransomware.
  - Malicious IP — An IP address associated with malicious activity.
  - Malware — Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems.
  - PUP — Potentially Unwanted Programs (PUPs) that might install when other software installs on a computer.
  - Virus — Malicious code that enters computer systems.
  - Unknown Program — The program was blocked because it has not yet been classified by WatchGuard Endpoint Security.
- Threat — The name of the threat. For some incident types, you can click a link to search Google or a third-party website for more information about the threat.
- Description — The description of the incident.
- Occurrences — The number of occurrences of the incident.
- First Seen — The date and time the incident was first detected.
- Last Seen — The date and time the incident was last detected.
- Intrusion Type — The type of intrusion.
- Automatic Response — The automatic action taken by the Firebox or endpoint device in response to the threat:
  - Connection Blocked — The connection was blocked.
  - Process Blocked — The process was blocked by an endpoint device.
  - Device Isolated — Communication with the device is blocked.
  - File Deleted — The file was classified as malware and deleted.
  - IP Blocked — Network connections to and from this IP address are blocked.
  - Process Killed — The process was ended by an endpoint device.
- Recommendations — Suggested remediation actions to perform on the threat. Click a button to perform a recommended action or stop a previous action. For more information, go to Perform Actions to Remediate Incidents.
  Recommendations for an incident on the Incident Details page determine what actions are available in the Actions drop-down list on the Incidents page. For example, if the recommended action for an incident is to isolate a device, the Isolate/Stop isolating device option is enabled in the Actions drop-down list.
- Risk — Risk level assigned to the incident. For more information, go to ThreatSync Incident Risk Levels and Scores.
- Other Details — Additional information related to the incident.
You can perform recommended actions in the Threat Details section, or stop a previously selected action. For more information, go to Perform Actions to Remediate Incidents.
File
The File section shows details about the flagged file, and can include the file name and file path.
You can perform actions directly from the File section. Click the lightning bolt icon to open the action menu. For more information, go to Perform Actions to Remediate Incidents.
Malicious URL
The Malicious URL section shows the URL of a malicious website.
Program or Compromised Program
The Program or Compromised Program section shows the path and name of the program file associated with the incident, and the MD5 value for the file.
You can perform actions directly from the Program or Compromised Program section. Click the lightning bolt icon to open the action menu. For more information, go to Perform Actions to Remediate Incidents.
Device
The Device section shows details about the devices affected by the incident.
If the threat affects both a Firebox and an endpoint device, the Incident Details page can include more than one Device section for the same incident.
The Device section includes these details:
- Device — Name of the device.
- Device Type — Type of device, either Firebox or Endpoint.
- IP Address — IP address of an endpoint device.
You can perform actions directly from the Device section. Click the lightning bolt icon to open the action menu. For more information, go to Perform Actions to Remediate Incidents.
Network Connection Details
The Network Connection Details section shows details about the network connection related to the incident, and enables you to block an IP address on eligible Fireboxes.
The Network Connection Details section varies by incident type and can include this information:
- Source Interface — Name of the interface that was the source of the traffic.
- Source IP — IP address that was the source of the traffic. To block an external IP address, click the lightning bolt icon, and select Block IP on All Eligible Fireboxes.
- Source Port — Number of the port that was the source of the traffic.
- Destination Interface — Name of the interface that was the destination of the traffic.
- Destination IP — IP address that was the destination of the traffic.
- Destination Port — Number of the port that was the destination of the traffic.
- Protocol — Protocol used for the connection.
- Source — Indicates that the source IP address was a botnet.
- Message — Firebox log message.
- Proxy Action — The profile (settings, sources, or destinations) for the proxy.
- Reason — Incident risk level.
- Task — The task UUID.
You can perform actions directly from the Network Connection Details section. Click the lightning bolt icon to open the action menu. For more information, go to Perform Actions to Remediate Incidents.