Analyzing an incident
In FortiSoC/Incidents & Events > Incidents, double-click an incident or right-click an incident and select Analysis.
The analysis page shows the incident's affected endpoint and user, audit history, attached events, reports, comments, and more.
In the incident information panel, you can change information collected about the incident.
In order to assist SOC analysts during their investigation, information including comments and reports can be attached to incidents.
In the Events panel, you can review and delete events attached to the incident. See Raising an incident.
The Analysis page includes the following information and features:
Panel |
Description |
---|---|
Incident information |
General information about the incident. Click Edit to modify the following information:
Click Refresh to manually update the displayed information. |
Affected Endpoint/User | Information about the affected endpoint/user. When multiple endpoints/users are associated with the incident, the total number is displayed and you can click the forward or backwards arrow on the tile to cycle between them. |
Executed Playbooks |
The history of executed playbooks related to the incident. Click Execute Playbook to run a playbook configured with the On_Demand trigger. See FortiSoC. |
Audit History |
Displays the history of changes made to an incident, including the user who made the change and information about the type of change that was made. Click Expand All to see additional details. |
Incident Timeline |
The timeline of the events raised for the incident. Scroll using your mouse wheel to change the displayed time frame. |
Comments |
Displays comments made by administrators for this incident with a timestamp. The most recent comments appear at the top of the list. Enter a comment and click POST to create a new comment. Existing comments can be edited and deleted by administrators. |
Events |
Displays the events that have been raised for this incident. |
Reports |
Attach and manage reports related to this incident. |
Indicators |
Displays indicators attached to an incident from FortiGuard, FortiMail, or event handlers. Hover your mouse over an indicator to view detailed information from FortiGuard or click Details under Results to view information from FortiMail including sender reputation and email statistics. Indicator information can be attached to incidents using the FortiGuard and FortiMail connector in FortiSoC playbooks, or when an incident is created from an event that includes indicators identified in the event handler. |
Affected Assets |
Displays affected asset(s) in a table. Includes the host, user, IP address, and MAC address of the asset. Selecting a user shows endpoint information in a window. |
Processes |
Displays endpoint processes associated with this incident including the process ID, process path, and network connection. Select a time period to view by choosing a snapshot from the snapshot dropdown. Processes can be displayed in a table format or as raw data. |
Software |
Displays endpoint software associated with this incident including the software, installation path, and installation time. Select a time period to view by choosing a snapshot from the snapshot dropdown. Software can be displayed in a table format or as raw data. |
Vulnerabilities |
Displays endpoint vulnerabilities associated with this incident including the vulnerability name, ID, severity, and category. Select a time period to view by choosing a snapshot from the snapshot dropdown. Vulnerabilities can be displayed in a table format or as raw data. |
Some features of incident analysis are only available with the applicable license. |