Monitoring Incidents

Use the Incidents page to view all incidents related to an endpoint on a user timeline view.

To view the Incidents page, select Monitor>Insights>Incidents.

There are two ways to view your data. You can either select the Grid or Plot view. By default, the data is displayed in Grid view. In the Timeline section, you can select a log parser from the list to view log data in the timeline graph. You can zoom in, zoom out, show all data, and reset the data.

Grid View

Click the Grid View link for comprehensive details on incidents. You can view the incident ID, state of the incident, progression, and so on. Table 65 describes the fields available in this view. You can view data for a custom time range, the last 24 hours, last week, last month, or last year.

Table 65: Fields on the Grid View Page

Field Name      Description
----------      -----------
Status          Specifies the state of an incident.
Incident ID     Specifies the incident ID.
Risk            Specifies the threat metric and severity rating.
Progression     Specifies the progression of an incident.
Threat Target   Specifies the IP address of the targeted host.
Date & Time     Specifies the timestamp of the incident.

Plot View

Click the Plot View link for a brief summary of incidents represented in a Soar Bubble Chart. Each bubble represents a host and the bubble size is proportional to the number of threats.

You can view data for a custom time range, the last 24 hours, last week, last month, or last year.