Review Incident Details in Endpoint Security

Applies To: WatchGuard Advanced EPDR

On the Incident Details page, you can review and analyze the signals that led to the detection of an incident in Endpoint Security. A signal is a group of events, and an incident includes one or more signals.

Incidents in Endpoint Security are not the same as those in ThreatSync. Incidents in Endpoint Security are a group of signals generated from events on the endpoint, as well as Indicators of Attack. The same incident might also appear in ThreatSync as multiple incidents. For information on how to manage incidents in ThreatSync, go to Perform Actions in ThreatSync.

Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the Manage Incidents permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.

To open the Incident Details page, from the Endpoint Security management UI:

  1. On the Status page, next to My Lists, click Add.
  2. In the Add List dialog box, select Incidents.

Screen shot of Incidents list in Advanced EPDR

  3. From the Incidents list, click the name of the incident you want to investigate.
     The Incident Details page opens.

Screen shot of Incidents Details page in Advanced EPDR

Signals and Signal Details in Endpoint Security

The Incident Details page is divided into three sections. The left pane is the Signals pane and the right pane is the Details pane. The middle of the page shows the Incident Graph and process tree. For more information, go to Incident Graph and Process Tree.

Signals Pane

The Signals pane lists the signals included in the incident. Signals are events that Endpoint Security combines to create an incident. For each signal, you can view the name of the signal defined by Advanced EPDR, the date and time when it was detected, the name of the affected device (entity), the MITRE technique (for example, #T1003.001), and any action taken (for example, Allow) by Advanced EPDR. When the information is available, the remote IP address of the computer might also show.

The color of the circle next to the signal indicates the risk level:

  • Dark red: Risk levels 9 and 10
  • Red: Risk levels 7 and 8
  • Orange: Risk levels 4, 5, and 6
  • Gray: Risk levels 1, 2, and 3
  • Green: No risk

Screen shot of Incidents Details signals pane in Advanced EPDR

In the Signals pane, you can:

  • Show and hide signals in the list. When you hide a signal, it is also hidden from the Incident Graph and process tree. To hide a signal, click the Hide icon next to the signal. The signal reappears in the list if it is detected again within 7 days.
  • Refresh the list of signals. To refresh the list of signals, click the Refresh icon. Advanced EPDR can add signals to an incident up to seven days after it is created.
  • Add and delete signals from the incident. Click the Add icon. From the Add Signals list, select the signals you want to include in the incident. Click Add. The Incident Graph updates to include the new signals. You can only delete signals that you added manually.
  • Select a signal from the list to review information in the Details pane.
  • Start a computer investigation. For more information, go to Create a Computer Investigation.
  • View the computer telemetry associated with the signal in an activity graph. For information on the display, go to Configure Graph Settings.
  • Allow a signal and not detect it again. Select the signal and then click the icon. Select Do Not Detect Again. Specify the endpoints, groups, and conditions under which Endpoint Security automatically removes the signal from an incident. The signal program and its libraries are not detected or blocked going forward. After one month, signals that were removed from an incident are automatically deleted.
  • View computer details. For more information, go to Computer Details in Endpoint Security.

Advanced users can click the Add icon above the list to create an SQL query of the event telemetry logged on the affected computer. For more information, go to About the Advanced SQL Query Tool.

Screen shot of Incident Details page in Advanced EPDR, Advanced SQL Query

Details Pane

The Details pane shows detailed information specific to the incident or a selected signal. When you select a signal and then a process from the process tree, the Details pane shows process event information. For information on the process tree, go to Process Tree.

The Details pane for an incident includes Details and Entities of Interest pages.

Screen shot of Incident Details, Details page, in Advanced EPDR

Details Page

The Details page shows the affected account name, date and time when the incident occurred, and any identified MITRE techniques. Point to a MITRE technique to show information about the technique.

Entities of Interest Page

On the Entities of Interest page, you can review a list of components directly involved or affected by the signal. Entities of interest contain the information that Advanced EPDR uses to generate signals, as well as other details gathered from the analysis performed by the security software.

From the Entities of Interest page, click the More options icon to:

  • Copy the name of the entity (computer, user, or file name).
  • Start a computer investigation. For more information, go to Create a Computer Investigation.
  • View the computer details for the affected computer. For more information, go to Computer Details in Endpoint Security.
  • Start an assisted investigation to view information about the events logged on the computer through interactive searches and results.
  • View static file information (binary files only).

Signal Details

When you select a signal from the list, the signal name appears at the top of the Details pane, followed by the raw data received by Advanced EPDR for the signal.

Screen shot of Incident details in Advanced EPDR

The data that appears on the Details page varies based on the incident and the data received for that signal. The Details page could include this information:

  • General Information — Information includes the computer the signal was detected on, the date and time of detection, and whether it accessed data or communicated externally.
  • Threat Details — Information for signals generated from detection of malware, PUPs, exploits, vulnerable drivers, and other attacks.
  • Related Event — Information about events that led to the generation of the signal.
  • Reclassification Information — Information about classification of an unknown item.
  • Evidence Data — Information about the context in which an indicator of attack was detected.
  • Exploit Information — Information about the context in which an exploit attack was detected.
  • Network Attack Information — Information about the remote computer that carried out a network attack.

On the MITRE page, you can review a list of the MITRE techniques used in the signal. Click a link to review more information on the MITRE website. The MITRE page only shows when the signal has MITRE techniques and sub-techniques assigned.

Screen shot of Incident Details MITRE page in Advanced EPDR

Incident Graph

The Incident Graph is a visual representation of the assets related to the incident. To simplify the graph, enable the Group Assets toggle to group affected assets of the same type in a circle. The number of assets in the group shows below the circle (for example, 4 files, 3 processes).

Screen shot of Incidents Details Incident graph in Advanced EPDR

Assets that could show in the Incident Graph include:

  • Logged-in user
  • Remote user
  • Computer
  • Remote computer
  • Process
  • IP address
  • File

Right-click an entity in the Incident Graph and select an option to act on it. To remove an entity of interest from the graph, right-click the entity of interest in the Incident Graph and select Hide Related Signals.

Process Tree

The process tree below the Incident Graph shows the sequence of events that generated the signal, the signal, and its severity. Advanced EPDR includes processes logged up to seven days before the signal was generated in the process tree.

Screen shot of Incidents Details, process tree in Advanced EPDR

When you select a line from the process tree, information on the process event shows in the Details pane. To review information about the signal, select the process tree line with the Incident (lightning) icon.

To search for a specific process, type the name of a process (for example, svchost.exe) in the search text box. The tree shows only processes that contain the text you entered.

To expand all child processes in the tree, click E above the tree. To collapse the tree and show only parent processes, click C above the tree.

To expand and collapse a process and child processes in the tree, click the arrow on the left side of a parent process.

Screen shot of Incident Details, process tree, in Advanced EPDR

In the process tree, each event includes this information:

  • Date and time when the child event was created or the signal was logged
  • Parent process identification number (for example, 998142036)
  • Parent process name (for example, winrar.exe, or svchost.exe)
  • Child process name (for example, taskhostw.exe logon)
  • Severity of the signal (for example, Critical, High, Medium, Low, No Risk)
  • Name of the signal (for example, MalwareCreationRule)

Related Topics

Manage Incidents in Endpoint Security

Create a Computer Investigation

Computer Details in Endpoint Security

About the GenAI Assistant in Endpoint Security