Investigating Incidents
The Incidents section helps you filter, investigate and take actions on all security events detected by Incidents Sensor over a specific time interval.
This section contains the following features:
Incidents: view and investigate incidents.
Blocklist: manage blocked files from incidents.
Search: query the security events database.
Custom rules: create custom rules for exclusions or detections.
Note
Availability and functioning of these features may differ depending on the license included in your current plan.
The Incidents page
The Incidents page provides a highly customizable grid that displays a list of EDR/XDR incidents generated for your managed companies in the last 90 days.
This page contains the following areas:
The Smart views panel toggle button. This feature allows you to customize, save, and switch between different loadouts of the Incidents page.
The panel has the following sections:
Search views - Use this search field to filter the views displayed in the sections below by name.
Saved - This section displays a list of all your saved views that have not been marked as favorites.
Favorites - All views marked as favorites are displayed under this section.
Defaults - This section displays the views that are available by default:
All incidents
Assigned to you
Endpoint incidents
Organization incidents
For any view in the Saved or Favorites category, you can click to Rename or Delete the view.
The View options menu. This section provides you with multiple functions for working with views:
Save: use this option to save changes you make to a saved view.
Save as: allows you to save a modified view under a different name.
Discard changes: reverts the saved view to its original state.
Add to favorites: adds the view to the Favorites category.
Show or hide filters - hide or display the filters menu.
Open settings - Displays the Settings panel.
You can use this panel to customize what columns are displayed in the view and enable or disable the Compact view.
The Filters section. You can use these options to customize the incidents that are displayed in the grid below.
The following filters are currently available:
Filtering option
Details
ID
Type in a complete ID number for the incident you are looking for.
Only incidents with matching IDs are displayed.
Created on
Select a specific date range.
Only incidents that were created in that time period are displayed.
Last updated on
Select a specific date range.
Only incidents that were last updated in that time period are displayed.
Status
Select one or more of the following statuses:
All - Displays all incidents, regardless of their status.
Open - Incidents that have not yet been investigated.
Investigating - Incidents currently under investigation.
False Positive - Incidents labeled as false alarms.
Closed - Incidents where the investigation was closed.
Assignee
Select a GravityZone user from the list.
Only incidents assigned to the selected user are displayed.
Priority
Select one or more of the available priorities:
All
Unknown
Low
Medium
High
Critical
Only incidents with the selected priorities are displayed.
Severity score
Drag the two toggles in the slide bar or type in specific values to specify a range for the Severity score.
The Severity score is a number between 10 and 100, indicating how potentially dangerous a security event is. The higher the score, the more certain it is that the event is dangerous. It provides context based on the attack indicators and ATT&CK Techniques, if applicable.
Only incidents with severity scores between the selected values are displayed.
Entities
Select one or more items from the list of known network entities.
Only incidents that are related to the selected entities are displayed.
Actions taken
Select one or more of the following options:
All
Reported
Blocked
Partially blocked
Only incidents with the selected actions assigned are displayed.
Correlated incidents
Type in a complete ID number for the child correlated incident you are looking for.
The parent incident correlated with the child incident that has the matching ID is displayed.
Resources
Select one or more items from the list of known resources involved in incidents.
Only incidents that are related to the selected resources are displayed.
Last killchain phase
Select one or more of the available options. The filter provides a list of attack phases, based on the MITRE matrix.
Only incidents that involved attacks that ended in one of the selected phases are displayed.
Incident type
Select between the available incident types. Selecting one of the options below changes the information displayed in the grid:
All - Both Endpoint and Organization incidents are displayed in the grid.
Only Endpoint incidents that are not correlated to an XDR incident are displayed as separate entries. All other Endpoint incidents are displayed under the Correlated incidents column, on the same line as the Organization incident they are associated with.
Endpoint incidents - Only Endpoint incidents are displayed when this is the only option selected. This includes both incidents that are associated with an Organization incident and those that are not.
When both the Endpoint incidents and Organization incidents options are checked, Endpoint incidents that are part of an Organization incident are displayed under the Correlated incidents column of that incident; all other Endpoint incidents are displayed as separate entries in the grid.
Organization incidents - Only Organization incidents are displayed in the grid.
If an Organization incident has any Endpoint incidents associated with it, they are displayed under the Correlated incidents column.
Parameter
Select between the available parameters:
Alert name - The name of the alert involved in the incident.
ATT&CK technique - The name of the MITRE technique used in the incident.
ATT&CK technique ID - The ID of the MITRE technique used in the attack.
ATT&CK subtechnique - The name of the MITRE subtechnique used in the attack.
ATT&CK subtechnique ID - The ID of the MITRE subtechnique used in the attack.
IP - The IP address involved in the incident.
MD5 - The MD5 hash of the file involved in the incident.
SHA256 - The SHA256 hash of the file involved in the incident.
Node name - The name of the node involved in the incident.
User name - The username involved in the incident.
File name - The name of the file involved in the incident.
File path - The path of a file involved in the incident.
URL - The URL involved in the incident.
MAC - The MAC address involved in the incident.
Email subject - The subject of the email involved in the incident.
Email address - The email address involved in the incident.
Process name - The name of the process involved in the incident.
Process path - The path of the process involved in the incident.
Process PID - The identifier of the process involved in the incident.
Registry key - The registry key involved in the incident.
Detection rule ID - The ID of the Custom detection rule.
The Incidents Grid. The grid displays all incidents not older than 90 days that conform to the currently applied filter.
The information available for each incident is displayed under the following columns:
ID - The ID of the incident.
Click on the incident number to display additional information regarding the incident.
Select the checkbox next to each incident number to include the incident when performing a Change status bulk action.
Created on - The date when the incident was created.
Last updated on - The date when the incident was last updated.
Status - The status of the incident.
Assignee - The security analyst assigned to the incident.
Priority - The priority assigned to the incident.
Severity score - The severity score assigned to the incident.
Entities - A list of entities involved in the incident.
Click on any of the entities to display the Entities panel.
Actions taken - The action taken after investigating the incident.
Correlated incidents - The ID of child incidents correlated with the one displayed in the grid.
Resources - A list of related resources.
Click on any of the resources to display the Resources panel.
Last killchain phase - The last phase of the attack, based on the MITRE matrix.
Incident type - The type of the incident.
Note
More details regarding the information in each column are available in the Filters section.
The Incident actions button. The button provides the following options:
View events and alerts - Selecting this option opens the Historical Incident Search page and automatically populates the search field with search parameters related to the incident.
The Change status button. Use this action to perform a bulk status change on all incidents selected in the grid.
A confirmation window is displayed.
The window provides you with an Apply status change to all correlated incidents checkbox. Select it to also apply the new status to all incidents that are correlated to the ones you have selected.
Additionally, you can use the Notes text box to leave a comment on the reason for changing the incident status. The note will be added to the ones already added to the incident.
Managing incidents
In the Incidents page, you can perform the following actions:
View incident details
To display additional information regarding any specific incident, use one of the methods below:
Display the Incident details panel: click anywhere on the row belonging to the incident you want to view (except the ID, Resources, and Entities columns).
Display the Extended Incident Overview: click on its ID under the ID column. Incident information is listed in a rich card format, providing an overview of each incident, with information based on the selected filters.
Tip
Alternatively, you can copy the link to the incident by hovering your cursor to the right of the ID column and clicking on the Copy button when it appears.
For more information refer to Investigating Organization Incidents and Investigating an Endpoint Incident.
Changing the status of incidents
The investigation status helps you keep track of incidents that have already been investigated and marked as closed or false positive, incidents that are currently under investigation, and open or new incidents that have yet to be analyzed.
Follow these steps to change the status of one or multiple security events:
Select the checkboxes under the ID column for all the incidents whose status you want to change. Incidents remain selected when you move between grid pages.
Tip
Clicking on the checkbox located in the table header row will select all the incidents displayed on the page.
Click the Change status button.
A list of available statuses is displayed:
Select one of the available statuses:
Open - The investigation of the incident has not started.
Investigating - You have started investigating the incident.
False Positive - The investigation concluded that the trigger of the incident was a false positive.
Closed - The investigation of the incident has concluded.
A confirmation window is displayed.
The window provides you with an Apply status change to all correlated incidents checkbox. Select it to also apply the new status to all incidents that are correlated to the ones you have selected.
Additionally, you can use the Notes text box to leave a comment on the reason for changing the incident status. The note will be added to the ones already added to the incident.
Click Change to confirm the request.
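To make the two grid rules above concrete, here is a small model, added as an illustration and not GravityZone code, of how the Incident type filter lays out rows versus the Correlated incidents column, how the Correlated incidents filter resolves a child ID to its parent, and how a bulk Change status with the correlated checkbox and a note propagates. All incident IDs and statuses are constructed samples, and the assumption that "correlated" means the Endpoint children of a selected Organization incident is the author's, since the page does not state the direction.

```python
"""Model of the Incidents grid rules described on this page (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

STATUSES = ("Open", "Investigating", "False Positive", "Closed")


@dataclass
class Incident:
    id: int
    kind: str                        # "Endpoint" or "Organization"
    parent_id: Optional[int] = None  # Organization incident an Endpoint incident is correlated to
    status: str = "Open"
    notes: List[str] = field(default_factory=list)


@dataclass
class GridRow:
    incident_id: int
    incident_type: str
    correlated_incidents: List[int] = field(default_factory=list)


def build_grid(incidents: List[Incident], show_endpoint: bool, show_organization: bool) -> List[GridRow]:
    """Rows the grid displays for a given Incident type selection.

    Neither or both options checked behaves like All: Organization incidents are rows,
    their correlated Endpoint incidents go to the Correlated incidents column, and
    uncorrelated Endpoint incidents are separate rows.
    Endpoint only: every Endpoint incident is its own row, correlated or not.
    Organization only: only Organization rows, with correlated IDs in the column.
    """
    if show_endpoint == show_organization:
        show_endpoint = show_organization = True
    by_id: Dict[int, Incident] = {i.id: i for i in incidents}
    org_rows: Dict[int, GridRow] = {}
    rows: List[GridRow] = []
    if show_organization:
        for inc in incidents:
            if inc.kind == "Organization":
                org_rows[inc.id] = GridRow(inc.id, "Organization")
                rows.append(org_rows[inc.id])
    for inc in incidents:
        if inc.kind != "Endpoint":
            continue
        parent = by_id.get(inc.parent_id) if inc.parent_id is not None else None
        if parent is not None and parent.kind == "Organization" and show_organization:
            org_rows[parent.id].correlated_incidents.append(inc.id)
        elif show_endpoint:
            rows.append(GridRow(inc.id, "Endpoint"))
    return rows


def parent_of_child(incidents: List[Incident], child_id: int) -> Optional[int]:
    """Correlated incidents filter: typing a child ID displays its parent (None if no parent)."""
    child = next((i for i in incidents if i.id == child_id), None)
    return None if child is None else child.parent_id


def change_status(incidents: List[Incident], selected_ids: Set[int], new_status: str,
                  apply_to_correlated: bool = False, note: Optional[str] = None) -> List[int]:
    """Bulk Change status on the selected incidents; returns the IDs that were changed.

    With apply_to_correlated, the new status also reaches the Endpoint incidents
    correlated to a selected Organization incident (assumption: children only).
    A single note text, if given, is appended to each incident that was changed.
    """
    if new_status not in STATUSES:
        raise ValueError(f"unknown status {new_status!r}")
    targets = set(selected_ids)
    if apply_to_correlated:
        targets.update(i.id for i in incidents if i.parent_id in selected_ids)
    changed: List[int] = []
    for inc in incidents:
        if inc.id in targets:
            inc.status = new_status
            if note:
                inc.notes.append(note)
            changed.append(inc.id)
    return changed


def sample_incidents() -> List[Incident]:
    """Constructed sample: two Organization incidents, two correlated and one standalone Endpoint incident."""
    return [
        Incident(100, "Organization"),
        Incident(1, "Endpoint", parent_id=100),
        Incident(2, "Endpoint", parent_id=100),
        Incident(3, "Endpoint"),
        Incident(200, "Organization"),
    ]
```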
View events and alerts related to an incident
You can directly search for all events and alerts related to an incident by following the steps below:
Click the menu button on the right side of the grid corresponding to the incident for which you want to get more information.
Select View events and alerts:
The Search page is opened in a new browser tab. The Query field is automatically populated with a string that contains information from the selected incident and the search results are displayed below.
Delete suspicious Gmail emails from an Incident
You can delete suspicious emails from the Organization Incident View by using one of the methods below:
Tip
This feature is only available for integrated Google Workspace tenants.
From Organization Incident Alerts:
Open the Organization Incident View for the incident where the email you want to delete was involved.
Go to the Alerts tab.
Click on the alert that was triggered by the email.
The alert's Extended Panel is displayed.
Scroll down to the Resources section of the panel and click the Delete email button.
From the Organization Incident Overview:
Open the Organization Incident View for the incident where the email you want to delete was involved.
In the Overview tab, look for the Response section.
In the Action needed tab, under the Remediation section, click View details.
Note
The request will be recorded in GravityZone under User activity.
Take action on a Google account from an Incident
You can take action on suspicious accounts from the Organization Incident View by using one of the methods below. For the purpose of this guide, we will demonstrate how to deactivate an account:
Tip
This feature is only available for integrated Google Workspace and Google Cloud Platform tenants.
From Organization Incident Graph:
Open the Organization Incident View for the incident where the account you want to take action on was involved.
Go to the Graph tab.
Click on the node that corresponds to the account you want to suspend:
The Entity Details pane is displayed.
Under the Remediation section, click Deactivate account.
From the Organization Incident Overview:
Open the Organization Incident View for the incident where the account you want to take action on was involved.
In the Overview tab, look for the Response section.
In the Action needed tab, under the Remediation section, click View details.
Investigating Organization Incidents
When selected from the Smart views panel on the Incidents page, the Organization incidents view displays all the complex incidents detected at the global level in your environment, which may affect your entire network.
Each incident has a dedicated view which displays correlated events that have occurred in your environment, offering you a network-wide perspective on a potential staged attack.
Important
Availability of the XDR feature differs depending on the license included in your current plan.
In the Incidents page, click the Smart views button.
The Smart views panel is displayed.
Select Organization incidents.
Now only Organization incidents are displayed in the Incidents grid.
Identify the security event you want to analyze and click the link under the ID column.
You can also click the card of any incident to open its side panel and quickly analyze the incident indicators, or click the View incident button to start an in-depth analysis.
The incident opens by default in the Organization Incident Overview section.
In the Overview tab you can see the root cause of the incident, as well as other insights on how the attack on your organization was performed. You can also see the techniques that were used and the company resources that were involved in the different stages of the kill chain.
The Response widget provides you with recommendations and actions you can take for immediate containment of the most imminent threats.
Consult the Actions needed tab to see what actions you need to take to eliminate or minimize active threats.
Consult the Actions executed tab to see what actions have already been taken to eliminate or minimize threats.
Note
Learn more about actions you can take to mitigate threats in the Response section.
Open the Graph view to see the graphic representation of the extended incident. Learn more about the Graph elements here.
Optionally, use the Activity panel to display the sequence of events either by time or by the relevance in the attack kill-chain.
Select the interaction nodes with the highest severity to analyze the details available in the side panel, including:
The source and target of the interaction.
The alerts that were generated during this interaction and a summary of associated resources.
Important
Interactions marked red include alerts of high severity, and should be analyzed with priority.
If you want to dig deeper, open each alert to display additional information, including alert indicators, artifacts involved, interactions, resources used, attack techniques, and recommendations.
When viewing node details, you have several action options:
Use the Isolate host action to isolate the endpoint from the rest of the network.
Go to View full endpoint details > Investigation, and collect additional forensic data to aid you in the threat hunting process. For more details see Forensic Data Gathering.
Use the Remote Shell action to start a remote shell session and mitigate threats directly on the affected endpoints. Learn more about remote shell sessions here.
For compromised users, open the side panel of the user node and take actions such as:
Disable user - to disable the account of a user that has been involved in spreading the attack in your environment.
Force credentials reset - to enforce a password change for a specific user account at the next login operation.
Mark user as compromised - to add the user to the Risky users report in Azure AD > Security.
Deactivate AWS account - to create and apply a policy that deactivates the AWS user account and deletes the associated access keys. This action is available for users who have activated the AWS sensor.
Important
Users that are involved in malicious or suspicious interactions are represented by a specific identity node, and dynamic dotted lines showing what other assets in your environment they may have compromised.
To continue with your investigation, navigate to the Alerts window, to see every event correlated as part of the incident in detail.
Organization Incident Overview
The Overview page offers a synopsis of the extended incident you are investigating, displaying information about the severity of the incident and key security events that have occurred in your environment, as well as affected organization resources.
The data available on the investigated incident is grouped in the following categories:
Summary
The Summary outlines what happened in the incident, showing the Root cause analysis of the incident, as well as Initial Access, alerts triggered by ATT&CK tactics and techniques, and resources impacted by the incident.
Click the security risks to open the details panel.
It contains links to Endpoint Risk Analytics (ERA) for further investigation.
Note
If there is only one risk displayed, clicking it does not open its details panel, but instead it redirects you to ERA.
Organization Impact
The Organization Impact displays all the resources involved in the incident, including affected servers and endpoints, databases, compromising emails, and more.
Suspected actors
This section provides details for identifying and determining the individuals, groups, or organizations behind a cyber threat or attack.
By default, the first actor dropdown is opened. Each actor displays the following information:
Actor name - The name of the actor and an associated icon.
Confidence - Percentage of confidence that the actor was involved in the incident.
Actor description - The description of the actor.
Pivoting button to IntelliZone - When clicking the pivot button, a new tab opens with a query run in the IntelliZone basic search for that IoC.
Note
This feature requires an active integration with the IntelliZone console.
For more information, refer to this KB article.
Alias - Other names given to the actor in the security landscape.
Motivation - The goal observed for the actor's attack (information theft, espionage, etc.).
Sponsor - Who may sponsor that actor.
eCrime - Type of cybersecurity crime that they are known for.
First detected on - the date this actor first targeted your company.
Targets your country - Indicates if this actor usually targets the country of the company the incident occurred in.
Targets your industry - Indicates if this actor usually targets the industry of the company the incident occurred in.
Involved in - The incidents in which the actor was involved.
CVEs - List of CVE IDs in the current incident.
IoCs - List of Indicators of Compromise in the current incident.
Clicking the displayed number of IoCs opens the IoC details side panel, which provides you with a breakdown of indicators grouped by type.
MITRE techniques - MITRE techniques usually used by the actor and in the current incident.
Clicking the displayed number of techniques opens the MITRE Techniques side panel, which provides you with a specific list of techniques.
ATT&CK Tactics and Techniques
This section displays all the MITRE ATT&CK Tactics and Techniques used in the current attack.
Highlights
The Highlights display the kill chain stages within the investigated incident that have the highest impact on your organization.
Click the View in Graph button to see all the security events grouped by kill chain in the Activity panel.
Response
The Response area provides specific actions you can take to mitigate threats within an extended incident to quickly minimize the potential damage done to your environment.
Consult the Actions needed tab to see what actions you need to take to eliminate or minimize active threats.
Consult the Actions executed tab to see what actions have already been taken to eliminate or minimize threats.
Select View Details to navigate to the Response tab where you can perform all the needed actions, see executed ones and change their status accordingly.
Associated risks
The Associated risks widget provides a summary of risks linked to entities in that specific incident and includes the following sections:
The associated risks graph - A graphical representation of the distribution of risks among the various node and resource types from that specific incident.
Clicking on any of the sections of the graph or on the View all risks button displays the Associated risks panel.
Root cause risks - This section provides a list of all the root cause risks detected for this incident.
Top 5 risks from Risk Management - This list displays the top 5 most severe risks affecting node and resource types in this incident.
Top 5 risks from Cloud Security - This list displays the top 5 most severe risks affecting node and resource types in the incident.
Clicking on any section of the graph, any element in the Root cause risks, Top 5 risks from Risk Management, or Top 5 risks from Cloud Security section, or clicking the View all risks button displays the Associated risks panel:
The panel has two tabs:
Risk Management. This tab provides all associated risks originating from the Endpoint Risk Analytics feature.
Clicking on the menu button on the right side of an endpoint provides the following options:
View device risks - Pivots to Risk management > Devices with a filter applied for the device name.
View findings - Pivots to Risk management > Misconfigurations with a filter applied for the Misconfiguration name.
Cloud Security. This tab provides all associated risks originating from the Cloud Security console.
Clicking on the menu button on the right side of an endpoint provides the following options:
View rule - Pivots to Cloud Security > Posture Management > Rules with a filter applied for the finding name.
View resources - Pivots to Cloud Security > Posture Management > Resources with filters applied for the resource type and finding details.
Organization Incident Graph
The Graph displays a dynamic graphic representation of the extended incident under investigation, providing a detailed activity timeline with the sequence of correlated events, caused by external agents, that have occurred or are still active in your environment across multiple endpoints and network devices.
The incident graph section is grouped into two major areas:
1. Activity panel
It includes all the alerts detected and correlated in the extended incident you are investigating.
From the drop-down menu you can group the alerts by time, or by their place in the kill chain.
To view the evolution of the attack, group the alerts by time, and go through each one.
The graph animation will show you how the attack has unfolded in your environment, performing lateral movement to jump from one entity to another, exfiltrating data, etc.
Upon clicking, each alert is expanded in the timeline, displaying its name, a description of what has occurred, and information such as the severity of the alert, the sensor that made the detection, the timestamp, the place in the kill chain, the affected endpoints, and the IP address.
If the same alert has been detected on multiple endpoints, you can further investigate them by expanding a side panel that displays a list of them.
If the alert is also part of an endpoint incident, you can further investigate it by opening it in a new browser tab.
If you want to view additional information about this alert, click View more details to expand its details panel.
2. Graph panel
The graph contains the following elements:
Initial access represents the first contact of an attacker with your environment.
Exit points represent exfiltration and command & control events.
Incident progression represents the spreading of the attack in your organization.
The transitions between nodes represent the interactions between the entities involved in the incident. They are displayed as elements with different colors, depending on the severity of alerts triggered as a result of the interaction.
The graph supports and displays specific elements from data provided by all the sensors you have integrated in GravityZone. Learn more about all the sensors you can integrate to enhance your XDR here.
The Search nodes bar provides the following features:
Search for nodes by name
Hide alerts labels
The Legend displays the types of elements correlated in the extended incident you are analyzing. You can search names or file extensions of incident components in the search field and the results will be displayed in the side panel.
The Navigator enables you to quickly move through the incident graph and explore all displayed elements by using the mini-map and the different levels of visualization.
Click and hold the Drag icon to position the floating Navigator panel anywhere inside the incident graph.
The Navigator is collapsed by default. When expanding it, the menu will display the miniaturized version of the entire incident map, and action buttons to adjust the level of visualization.
Organization Incident Alerts
Use the Alerts page to view how the sequence of events unfolded into triggering the currently investigated incident. This window displays the correlated system events and alerts detected by GravityZone technologies such as EDR, Network Attack Defense, Anomaly Detection, Advanced Anti-Exploit, Windows Antimalware Scan Interface (AMSI).
Every complex event has a detailed description explaining what was detected and what might happen if the artifact is used for malicious purposes, in accordance with the latest MITRE techniques and tactics.
Every alert is described in detail, including the used ATT&CK technique, its place in the kill chain, and how it affects your organization.
You can filter these alerts by using the following options:
Use the All sensors drop-down menu to enable alerts from all sensors, or just one of the sensors.
Use the All Kill Chain Phases drop-down menu to enable alerts that are part of a certain phase in the kill chain, or from all kill chain phases.
Use the Search field to search alerts by name or file extension.
Organization Incident Response
The Response page is where you can take immediate actions to eliminate or minimize threats discovered in your environment, displayed in the extended incident you are investigating.
All actions are available in a dynamic grid formation with multiple filtering and sorting options, such as filtering by action type, action status, date and time of execution, and more.
The Response page provides default smart views that you can use to access actions that need immediate attention, actions that have been executed already, or actions that have been dismissed.
Select the Action needed view so you can execute urgent actions to protect your environment.
Execute each task individually, or select all of them from the grid for bulk execution.
To execute a task individually, you can select it from the grid and click the Execute button, or access its menu and click Execute.
To execute bulk actions, select multiple or all actions from the grid and click Execute.
Upon executing an action, its status goes through several stages: Action needed > Pending > In progress.
If the action can be completed by the system, its status changes to Successful, and the executed action is moved to the Actions executed view.
If the action cannot be completed by the system, its status changes to Failed and the action stays in the Actions needed view until you execute it successfully.
If you don't need to execute an action, manage it from the Manage menu, or from the action's card menu.
Use the Mark as done option for actions that are no longer needed because they may have been completed using a different method. These actions are moved to the Actions executed view.
Use the Dismiss option to remove actions that are not useful. These actions are moved to the Actions dismissed view.
You can restore any dismissed or marked-as-done action to its previous status.
Important
Actions with the External action needed status cannot be automatically executed from the Response page and you have to execute them manually. Afterwards, you can mark them as done or dismiss them, depending on how you choose to act.
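The status flow above, as an added illustration rather than GravityZone code: a small state model of one Response page action (Action needed > Pending > In progress > Successful or Failed, Mark as done, Dismiss, restore, and the manual-only External action needed status) that reports which smart view the action is listed in after each step. Action names used in it are constructed samples.

```python
"""Lifecycle model of a Response page action (added illustration)."""
from dataclasses import dataclass
from typing import Optional

ACTION_NEEDED = "Action needed"
EXTERNAL_ACTION_NEEDED = "External action needed"
PENDING = "Pending"
IN_PROGRESS = "In progress"
SUCCESSFUL = "Successful"
FAILED = "Failed"
DONE = "Done"            # set by Mark as done
DISMISSED = "Dismissed"  # set by Dismiss

# Anything not yet resolved stays listed in the Actions needed view,
# including an action whose last execution attempt failed.
UNRESOLVED = {ACTION_NEEDED, EXTERNAL_ACTION_NEEDED, PENDING, IN_PROGRESS, FAILED}


@dataclass
class ResponseAction:
    name: str
    status: str = ACTION_NEEDED
    previous_status: Optional[str] = None  # remembered so a Done/Dismissed action can be restored

    def view(self) -> str:
        """Smart view the action is currently listed in."""
        if self.status in UNRESOLVED:
            return "Actions needed"
        if self.status in (SUCCESSFUL, DONE):
            return "Actions executed"
        return "Actions dismissed"

    def execute(self) -> None:
        """Execute button: queues the action; external actions must be done by hand."""
        if self.status == EXTERNAL_ACTION_NEEDED:
            raise ValueError(f"{self.name!r} must be executed manually, then marked as done or dismissed")
        if self.status not in (ACTION_NEEDED, FAILED):
            raise ValueError(f"cannot execute {self.name!r} from status {self.status!r}")
        self.status = PENDING

    def start(self) -> None:
        """The system picks the queued action up."""
        if self.status != PENDING:
            raise ValueError(f"{self.name!r} is not pending")
        self.status = IN_PROGRESS

    def finish(self, succeeded: bool) -> None:
        """The system reports the outcome; a failure keeps the action in Actions needed."""
        if self.status != IN_PROGRESS:
            raise ValueError(f"{self.name!r} is not in progress")
        self.status = SUCCESSFUL if succeeded else FAILED

    def mark_as_done(self) -> None:
        """Manage > Mark as done: completed by other means, moves to Actions executed."""
        self._resolve_manually(DONE)

    def dismiss(self) -> None:
        """Manage > Dismiss: not needed, moves to Actions dismissed."""
        self._resolve_manually(DISMISSED)

    def restore(self) -> None:
        """Return a Done or Dismissed action to the status it had before."""
        if self.status not in (DONE, DISMISSED) or self.previous_status is None:
            raise ValueError(f"{self.name!r} has nothing to restore")
        self.status, self.previous_status = self.previous_status, None

    def _resolve_manually(self, new_status: str) -> None:
        if self.status not in UNRESOLVED:
            raise ValueError(f"{self.name!r} is already resolved ({self.status})")
        self.previous_status = self.status
        self.status = new_status
```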
Response actions
The actions you can take in Response page > Action needed view to minimize or eliminate threats in your environment are grouped in the following categories:
Isolate host - isolates an endpoint in your environment to contain the spreading of potentially malicious activities, such as Lateral movement, to other workstations. When an endpoint is isolated, it can only communicate with GravityZone.
Block user - locks the account of a user. This action is specific for every type of user involved in an incident, from multiple sources, such as Microsoft 365, Active Directory, or Azure AD.
Force credentials reset - prompts a specific user to change the account password at the next login.
Mark user as compromised - adds the user to the Risky users report in Azure AD > Security.
Deactivate AWS account - creates and applies a policy that deactivates the AWS user account and deletes the associated access keys. This action is available for users who have activated the AWS sensor.
Delete email - delete suspicious emails to prevent the spreading and execution of malicious payloads in your organization.
Manage asset - recommends the installation of a security solution on an unmanaged asset within your organization.
Tip
To harden the security posture of your company you can reduce the surface of potential attacks by ensuring proper system configuration. Learn more about hardening measures you can take in Security Risks. Additional info is also available in GravityZone Indicators of Risk.
Status Bar
The status bar provides security event tags that can help you detect key information about the extended incident you are analyzing.
Incident ID - the ID number of the incident under investigation.
Status - the status of the incident.
Assignee - the user that the incident is assigned to.
Priority - the priority of each incident.
Notes - this button provides a list of analyst notes.
History - this button provides the history of the incident.
Tip
Clicking the Back button takes you back to the Incidents page.
Notes clipboard
The Notes clipboard provides an easy way to add notes to incidents for tracking changes and incident ownership.
Displaying notes
To display a list of available notes, click the Notes button on the right side of the Status bar.
Note
Alongside each note, the user name of its creator will be displayed. If the user belongs to a partner company, the name Partner will be displayed instead.
Adding a note
To add a note, follow the steps below:
Click the Add note button on the lower right side of the clipboard.
Fill in the note information.
Note
Each note can contain up to 2,048 characters.
Select Save.
Note
In case of bulk actions, a single note will be added in bulk for all incidents.
Editing a note
To edit a note, follow the steps below:
Select the Menu button on the right side of the note you wish to edit.
Select Edit.
Make the necessary modifications.
Note
Each note can contain up to 2,048 characters.
Select Save.
Note
If you wish to cancel editing the note, click Cancel, then select Discard.
Deleting a note
To delete a note, follow the steps below:
Select the Menu button on the right side of the note you wish to delete.
Select Delete.
Note
This option is only available for your own notes.
Select Delete again.
History Clipboard
The History panel provides an easy way to track the history of an incident. The following events are tracked:
Status changes
Assigning or reassigning an incident
Setting or changing an incident's priority
Adding, editing, or deleting an incident note
Creating an incident
Updating an incident
The list is displayed in chronological order, with the oldest event at the top and the newest at the bottom.
Each event contains the following information:
The type of the event
A description of the event
The date and time on which the event occurred
The username of the person who performed the action
Note
If the user belongs to a partner company, the name Partner will be displayed instead.
XDR demo mode
The XDR demo mode feature simulates a scenario from multiple sensors and showcases the capabilities of the XDR feature.
To enable this feature, click the Show demo incident button on the upper right side of the Incidents page:
Once enabled, the following entities and information are made available:
An XDR parent incident tagged #DEMO, showing a scenario that includes an Azure AD integration.
Multiple EDR incidents appear in the Correlated incidents column of the parent XDR incident.
Raw events, alerts, and xalerts. You can search for them in the Search page using the alert.incident_number: Demo parameter in combination with any other search parameters.
Tip
Use AND when combining multiple search parameters.
Example - display all alert type events in DEMO mode:
other.event_type: alert AND alert.incident_number: DEMO
Important
Make sure you use the demo parameter at the end of your query.
Incident related events and alerts. You can access them by clicking the Incident actions button and selecting View events and alerts.
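The following is an added example (not GravityZone code and not from the original documentation) that evaluates a search query written in the field: value AND field: value form shown above against constructed event records. It assumes terms are separated by the literal AND, that a term is a dotted field name followed by a colon and a value, that values compare case-insensitively, and that events are nested dictionaries; the product's own rule that the demo parameter must come last is a product behaviour this toy evaluator does not model.

```python
"""Evaluate a 'field: value AND field: value' search query over events.

Added example, not part of the GravityZone product or its documentation.
Assumptions (not stated on the page): terms are joined by the literal
'AND', each term is 'dotted.field: value', values are compared
case-insensitively, and events are nested dictionaries.
"""
from typing import Any, Dict, List, Tuple

# Constructed sample events, modelled on the field names used on the page.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"other": {"event_type": "alert"}, "alert": {"incident_number": "DEMO"}},
    {"other": {"event_type": "alert"}, "alert": {"incident_number": "1042"}},
    {"other": {"event_type": "event"}, "alert": {"incident_number": "DEMO"}},
    {"other": {"event_type": "alert"}},  # no alert.incident_number at all
]


def _lookup(event: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted path such as 'alert.incident_number'; None if absent."""
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def parse_query(query: str) -> List[Tuple[str, str]]:
    """Split 'a.b: x AND c: y' into [('a.b', 'x'), ('c', 'y')]."""
    terms: List[Tuple[str, str]] = []
    for raw in query.split(" AND "):
        if ":" not in raw:
            raise ValueError(f"malformed search term: {raw!r}")
        field, value = raw.split(":", 1)
        terms.append((field.strip(), value.strip()))
    return terms


def matches(event: Dict[str, Any], query: str) -> bool:
    """True only when every term of the query is satisfied by the event."""
    for field, value in parse_query(query):
        actual = _lookup(event, field)
        # A missing field never matches, even against a value like 'none'.
        if actual is None or str(actual).lower() != value.lower():
            return False
    return True


def search(events: List[Dict[str, Any]], query: str) -> List[Dict[str, Any]]:
    """Return the events that satisfy all terms of the query."""
    return [event for event in events if matches(event, query)]


if __name__ == "__main__":
    demo_alerts = "other.event_type: alert AND alert.incident_number: DEMO"
    for hit in search(SAMPLE_EVENTS, demo_alerts):
        print(hit)
```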
You can hide the demo by clicking the Hide demo incident button on the upper right side of the Incidents page.
Tip
The filters section remains unchanged.
The Change status option from the grid in the Incidents page is not available for demo incidents. Clicking the button will not change the status of the incident.
Viewing #DEMO incident details
To display additional information regarding any specific incident, use one of the methods below:
Display the Incident details panel for the XDR incident: click anywhere on the row belonging to the #DEMO incident (except the ID, Resources, Entities, and Correlated incidents columns):
Display the Incident details panel for the EDR incident: click their ID under the Correlated incidents column.
Display the Incident Overview: click on its ID under the ID column. Incident information is listed in a rich card format, providing an overview of each incident, with information based on the selected filters.
Copy the link to the incident: hover your cursor to the right of the ID column and click on the Copy button when it appears.
When displaying details for a demo incident, you can see the Overview, graph and Response actions just like any other incident, however, you cannot perform any action on any of them.
Security Analysts can simulate an incident investigation workflow by using the change status, change priority, assign incident, and add notes actions. Any changes made to the incident can be seen in the Incident History tab and are only saved while you are viewing it.
Investigating an Endpoint Incident
The Endpoint Incidents tab displays all suspicious incidents detected at endpoint level that require investigation and on which no action has been taken yet.
In the Endpoint incidents tab, identify the security event you want to analyze from the incidents grid.
Use the View Graph button in the incident card to open the Incident graph in a new page, or
Select a security event card to open its details panel for a quick look at the most important attack indicators of that incident.
The incident graph shows the sequence of events that led to triggering the incident and provides options to take remediation actions.
By default, the graph highlights the Critical path of the incident, and the event that triggered the incident.
Start by analyzing the information displayed in the details panel of the trigger node, to find the root cause of the incident.
In the panel you can find valuable information such as the alerts detected on the trigger node, the date and time of the event, and the command lines that were executed by the attacker.
If the situation allows it, select the Add to Sandbox button to detonate suspicious or malicious elements and review the Sandbox report to evaluate the damage they may have caused to your environment.
Tip
To make sure you did not miss anything, investigate the incident nodes on the same level as the trigger node.
You can continue to analyze the other elements constituting the critical path until you get a clear picture of what caused the incident.
If the threat is real, take appropriate actions to mitigate it. Learn more about available actions in Node details.
If the threat is not real, go to the Status menu at the top of the graph, set the status of the incident to False positive, and start investigating the next incident in the list.
Note
You can use the Notes clipboard to leave insights about the incident, to provide context in case other users reopen the incident.
When further investigation is needed, navigate to the Events tab to see all the raw events and alerts that were spawned as part of the incident under investigation.
Graph
The Graph provides an interactive graphical representation of the investigated incident and its context, highlighting the sequence of elements directly involved in triggering it, known as the Critical path of the incident, as well as all the other elements involved, faded out by default.
The Graph includes filtering options that allow the customization of the incident graphic to improve visualization, and details panels with more information about each element, to facilitate the investigation of what happened in your environment.
Critical path
The Critical path is the sequence of linked security events that have led up to setting off an alert, starting from the point of entry in the network down to the event node that triggered the incident.
The critical path of the incident is highlighted by default in the graph, along with all its constituent event nodes. The trigger node stands out from the rest of the elements in the graph, and its info panel is displayed by default alongside the incident graph, providing detailed trigger node information.
Graph legend: trigger node; Node details panel with collapsible information sections; minimized nodes indirectly involved in the incident.
Tip
Selecting any element other than the trigger node removes the critical path highlight and shows the path to origin instead, from the selected node back to the start of the incident.
Security event nodes
This is what you need to know about security event nodes:
Each node represents a specific element involved in the investigated incident.
All nodes that make the critical path are shown by default in detail when you open the incident, while the other elements are faded out, to avoid cluttering the view.
Hovering over a node that is not part of the critical path will highlight it and show the path to the point of origin, without breaking the Critical Path.
Three or more event nodes of the same action type spawning from a parent node are grouped into an expandable cluster-node.
Only nodes without child elements will be hidden from the incident graph when the cluster-node is collapsed.
Nodes where suspicious activity has been detected will not be added to the cluster-node.
Clicking a node will display the following details:
It will highlight in blue the path to the endpoint node along with all the other involved elements.
A side panel with expandable sections that provide detailed information of the selected node, alerts in case detections are triggered, available actions and recommendations.
Nodes are linked by arrow-lines indicating the course of actions that occurred on the endpoint during the incident. Each line is labeled with the action name and its chronological number.
The following elements of an incident can be represented as nodes:
| Node type | Description |
|---|---|
| Endpoint | Displays endpoint details and patch management status. |
| Domain | Shows information about the domain host and its endpoints. |
| Process | Shows details about the process role in the current incident, file information, process execution details, network presence, and further investigation options. |
| File | Shows details about the file role in the current incident, file information, network presence, and further investigation options. |
| Registry | Displays Registry information and the parent process details. |
Note
Learn more about node details here.
Filters
The Filters menu provides you with enhanced filtering capabilities, allowing full manipulation of the incident graphic, by highlighting the elements based either on their type or relevance, or by hiding them to make the incident more compact and easier to analyze.
Click and hold the Drag icon to position the floating filters panel anywhere inside the incident graph.
When selecting an element-type filter:
The incident graphic zooms out and highlights all the elements of the selected type, while the elements of other types are faded out.
It instantly opens a panel with the list of all the highlighted elements.
Note
Selecting an element from the displayed list will highlight it in the incident graphic, and open a details panel with information related to that element.
Only one filter can be applied at a time.
Filtering options include:
Critical path: It highlights the critical path of the incident.
Endpoint: It highlights the endpoints affected by the incident.
Process: It highlights all process-type nodes involved in the incident.
File: It highlights file-type nodes involved in the incident.
Domain: It highlights all domain-type nodes involved in the incident.
Registry: It highlights all registry-type nodes involved in the incident.
Element relevance: You can also filter elements by their importance inside the incident.
Neutral node: Elements with no direct impact in the security incident.
Important node: Elements with relevant role in the security incident.
Origin node: Ground zero of the incident inside the network.
Suspicious node: Elements with suspicious behavior, directly involved in the security incident.
Malicious node: Elements that caused damage to your network.
You can also hide certain elements from the incident graph by clicking the Show/Hide button displayed when hovering over filters of the type: File, Domain, and Registry.
Hiding an element type redraws the incident graph by removing all corresponding elements, even if they are zoomed out, except the trigger node and nodes with child elements.
Navigator
The Navigator enables you to quickly move through the incident graph and explore all displayed elements by using the mini-map and the different levels of visualization. The Navigator is collapsed by default. When expanding it, the menu will display the miniaturized version of the entire incident map, and action buttons to adjust the level of visualization.
Click and hold the Drag icon to position the floating navigator panel anywhere inside the incident graph.
The Navigator makes it easy to adjust how you visualize the incident graph, through the use of the Fewer details and More details actions.
Note
When the incident graph expands beyond the screen limits, hold and drag the map selector to the desired incident map area.
Node details
The Node details panel includes expandable sections with detailed information of the selected node, including preventive or remediation actions you can take to mitigate the incident, details on the type of detection and alerts detected on the node, network presence, process execution details, additional recommendations to manage the security event, or actions to further investigate the element.
To view this information and take actions within the panel, select a node within the security event map.
You can collapse the Node Details panel by clicking the Collapse button.
You can easily navigate the information displayed in the Node Details panel by clicking the icons of each of the four major sections:
ALERTS. This section displays one or multiple detections triggered on the selected node, including details about the Bitdefender technology that included the element in the incident, the reason that triggered the detection, the detection name, and the detection date.
INVESTIGATION. This section displays date stamps for the initial detection and all the endpoints where this element was spotted.
REMEDIATION. This section displays actions taken automatically by GravityZone, actions you can take immediately to mitigate the threat, as well as detailed recommendations for each alert detected on the selected node to assist you in mitigating the incident and increase the security level of your environment.
INFO. This section displays general information about each file, and specific information depending on the type of node selected.
You can drag the Node Details panel towards the center of the screen to easily go through its contents.
The Endpoint details panel includes two sections:
REMEDIATION. Displays info about the actions taken automatically by GravityZone to mitigate threats and actions you can take.
Note
The range of actions you can take may vary depending on the license included in your current plan.
Isolate Host - Use this remediation solution to isolate the endpoint from the network.
Install patches - Use this action to install a missing security patch on the target endpoint. This option is visible only with the Patch Management module, an add-on available with a separate license key. Refer to Patch Install for more information.
Remote Shell - Use this action to start a Remote shell session on the endpoint involved in the current incident and run investigative shell commands directly on its operating system, to mitigate the threat instantly or collect forensic data for further investigation.
Note
This option is only visible for customers with a license that includes the Remote Shell feature.
Collect Investigation Package - Use this action to start collecting forensic data from the endpoint.
DEVICE INFO. Displays general information about the affected endpoint, such as endpoint name, IP address, operating system, pertaining group, state, active policies, and a link that opens a new window where full endpoint details are displayed.
It also provides information such as the number of installed patches, failed patches, or any missing security and non-security patches. In addition, you can generate an endpoint patch status report. This section is provided on demand for the target endpoint.
You can take the following actions within the panel:
View patch information for target endpoint. To view patch details, click the Refresh button.
View patch status report for target endpoint. To generate the report, click the View endpoint patch status report button.
The details panel for process nodes includes four sections:
ALERTS. Displays one or multiple detections triggered on the selected node, including details about the Bitdefender technology that included this entity in the incident, the reason that triggered the detection, detection name, and the date when it has been detected. The description for each alert follows the latest MITRE standards.
INVESTIGATION. Displays the date stamp for the initial detection and all the endpoints where this threat was spotted.
REMEDIATION. Displays info about the actions taken automatically by GravityZone to mitigate threats and actions you can take.
Note
The range of actions you can take may vary depending on the license included in your current plan.
Kill - Use this action to stop a process execution. This action creates a kill process task visible in the process execution bar. System32 and Bitdefender processes are excluded from this action.
Quarantine file - Use this action to store the item in question and prevent it from executing its payload. This action requires the Firewall module to be installed on the target endpoint.
Add file to Blocklist - Manage blocked items in the Blocklist page.
Add file as exception - Use this option to exclude legitimate activity on a specific policy. When you choose this action, a configuration window prompts you to select the policy where you want to add an exception. Manage exclusions under Policies > Antimalware > Settings.
This section also provides detailed recommendations for each alert detected on the selected node to assist you in mitigating the incident and increase the security level of your environment.
PROCESS INFO. Displays details about the selected process node, including process name, executed command line, user, time of execution, file origin and path, hash value, or digital signature.
In this section you can copy the item's hash value to clipboard by clicking the available hashing algorithms within the Hash field, and add it to Blocklist.
Note
For more information, refer to Blocklisting files.
The File node details panel includes four sections:
ALERTS. Displays one or multiple detections triggered on the selected node, including details about the Bitdefender technology that included this entity in the incident, the reason that triggered the detection, detection name, and the date when it has been detected. The description for each alert follows the latest MITRE standards. Each alert detected on the selected node provides detailed recommendations to assist you in mitigating the incident and increasing the security level of your environment.
INVESTIGATION. Displays date stamps for the initial detection and all the endpoints where this element was spotted.
REMEDIATION. Displays info about the actions taken automatically by GravityZone to mitigate threats and actions you can take.
Note
The range of actions you can take may vary depending on the license included in your current plan.
Quarantine file - Use this action to store the item in question and prevent it from executing its payload. This action requires the Firewall module to be installed on the target endpoint.
Add file to Blocklist - Manage blocked items in the Blocklist page.
Add file as exception - Use this option to exclude legitimate activity on a specific policy. When you choose this action, a configuration window prompts you to select the policy where you want to add an exception. Manage exclusions under Policies > Antimalware > Settings.
FILE INFO. Displays details about the selected file node, including file origin and path, hash value, or digital signature.
In this section you can copy the item's hash value to clipboard by clicking the available hashing algorithms within the Hash field, and add it to Blocklist.
Note
For more information, refer to Blocklisting files.
The Registry node details panel includes three sections:
ALERTS. Displays the severity of the registry manipulation as marked by the Bitdefender technology that included this entity in the incident, the reason that triggered the detection, the detection date, and the registry type.
REMEDIATION. Displays info about the actions taken automatically by GravityZone.
Note
The REMEDIATION section for registry nodes does not provide any user action option.
REGISTRY INFO. Displays details about the selected registry node, including registry key, value and data.
You can click the registry key and value to copy it to clipboard for further analysis purposes.
Search bar
The Search bar has two functionalities:
Search nodes. Click it to expand the search bar, then enter information to search the graph for particular nodes.
Incident trigger. A direct link to the node that triggered the alert.
Events
Use the Events tab to view how the sequence of events unfolded into triggering the currently investigated incident. This window displays the correlated system events and alerts detected by GravityZone technologies such as EDR, Network Attack Defense, Anomaly Detection, Advanced Anti-Exploit, or Windows Antimalware Scan Interface (AMSI).
Note
The availability of technologies involved in the detection process may differ depending on the license included in your current plan.
Every event has a detailed description explaining what was detected and what might happen if the artifact is used for malicious purposes, in accordance with the latest MITRE techniques and tactics.
Use the filtering options to display all events, or group them by ATT&CK tactics. You can also use the search bar to find events, after predefining their category. The grid is populated with the sorted events.
Select any event in the grid to open its side panel and analyze the major attack indicators, such as command line, network details, or other specific information.
EDR Response
The Response page provides default smart views that you can use to access actions that need immediate attention, pages that display actions with a specific status, such as In Progress, Completed, or Dismissed, or a list of all Responses associated with a specific incident.
All actions are available in a dynamic grid with multiple filtering and sorting options, such as filtering by action type, object, target, status, and more.
Multiple columns are available and contain the following information:
Type - The type of action being taken. Possible values:
Containment
Mitigation
Hardening
Action - The name of the action being taken.
Object - The name of the entity or resource on which the action is being taken.
Note
If the object is an endpoint, the name is a clickable link and will open the Endpoint Details panel.
Target - The type of entity on which an action is taken. Possible values:
Endpoint
File
Process
Registry
Details - Provides additional information related to the action being taken.
Executed on - The date when the action was triggered. If the action is the result of an automated response, the date when the endpoint reported it is displayed.
Executed by - Indicates who performed the action.
Source - Indicates where the action originated from.
Incident Info
This panel contains collapsible sections with details like incident ID, current state, time and date when the incident was created and last updated, number of involved artifacts, trigger name and description, and attack info.
Tip
From this section you can access the extended incident which may include the current endpoint incident.
The panel also includes the alerts detected on the element that triggered the incident.
Incident Status Bar
The incident status bar provides security event tags that can help you detect key information about the involved network endpoints.
Incident ID - the ID number of the incident under investigation and whether the incident was blocked or reported.
Detection timestamp - the date and time the incident was triggered.
Status - the current incident status.
Assignee - the user that the incident is assigned to.
Priority - the priority of each incident.
Access icons and their description: the Notes and History icons open the Notes clipboard and History clipboard described earlier on this page.
Remote Connection
Use this tab to establish a remote connection to the endpoint involved in the current incident and run a number of custom shell commands directly on its operating system, for canceling the threat instantly or collecting data for further investigation.
The Remote Connection tab contains the following items:
The name of the endpoint involved in the current security event.
The button controlling the remote connection (connect / disconnect).
The terminal window.
The remote connection requires the following conditions to be met:
The version of the Bitdefender agent installed on the endpoint supports the Remote Connection feature.
The endpoint must be powered on and online.
The endpoint must have Windows OS.
GravityZone is able to communicate with the endpoint.
Your GravityZone account must have manage permissions for the target endpoint.
Remote Shell
GravityZone provides interactive shell functionality that enables you to connect remotely to an endpoint involved in an incident under investigation and open a remote shell session to run shell commands directly on the endpoint's operating system, to either mitigate threats instantly or collect forensic data for further analysis.
This feature is compatible with the following operating systems:
Windows
Linux
MacOS
Important
This feature requires a separate license key for activation.
If you are using Bitdefender MDR, you will not be able to use Remote Shell due to incompatible service requirements.
Remote Shell session prerequisites
To start a remote shell session you have to meet the following criteria:
The target endpoint must be powered-on and online.
The GravityZone user account must have Manage Networks and Advanced investigation rights enabled. For more details, refer to User rights.
Users logging in with GravityZone credentials need to have two-factor authentication (2FA) enabled. Users logging in via single sign-on (SSO) integrations with 3rd parties do not require 2FA to access the feature.
For security reasons, the account of the user that attempts to start a remote shell session must belong to a company that meets the following criteria:
Company type: Customer
Company management: Not managed by an up-the-chain third party company. If the company is managed by such a company, the Remote Shell connection with endpoint option will not be available in the section.
Remote Shell connection with endpoint has to be enabled from . For more details, refer to Communication.
Note
Enabling the Remote Shell module on the endpoints in your environment may take a couple of minutes.
If you are using Bitdefender MDR, you will not be able to use Remote Shell due to incompatible service requirements.
Required licenses:
The company must have an active Remote Shell license.
The company must have an active EDR or XDR license.
If you do not have these required licenses, you can use the Remote Connection feature instead.
Remote Shell session limitations
The Remote Shell session has certain operational limitations:
A user can have only one active session on the same target endpoint.
A user can have up to five active sessions on different endpoints at the same time.
No more than five different users can connect to the same target endpoint at the same time.
An active session will be terminated automatically if its browser tab is out of focus for more than 10 minutes.
Starting a Remote Shell session
To open a remote shell session on an endpoint follow these steps:
In the Incidents page, select the incident you want to investigate and access the Graph view.
In the incident graph, select the endpoint node to expand the Endpoint details panel and click the Remote Shell button.
Note
If the button is inactive, a tooltip will be displayed, with the reason why the action is unavailable. For more details see Remote Shell session prerequisites.
Clicking the Remote Shell button opens the Remote Shell Connection page in a new browser tab.
If you have 2FA enabled, follow these steps to start the remote session:
Enter the 2FA code generated from your authenticator app, to activate the Start session button.
Once active, click the Start session button to start the remote shell session on the target endpoint.
If you do not have 2FA enabled, follow these steps to start the remote session:
Click Start session.
You will be redirected to your organisation's login page.
Enter your domain username and password.
You will be redirected to GravityZone, where the remote session starts automatically.
Once the connection is established, you will be logged in as a user with root privileges, able to perform a wide array of forensic actions and methods to investigate suspicious behavior or mitigate threats.
All session logs are recorded and the entire output will be available for download at the end of the session.
Note
If the remote shell session is unexpectedly terminated, see XDR Remote Shell Troubleshooting for possible reasons.
Uploading files
Use this functionality to remotely upload files to another endpoint. To ensure the safety of your data, the files are encrypted in transit, at rest, and in use. You can upload no more than 20 files at a time, as long as the overall upload size does not exceed 256 MB.
To upload files using the Remote Shell functionality, follow these steps:
Start a remote shell session.
In the Remote Shell Connection window, click Upload.
This action opens the Upload files page.
In the Destination file path field, enter the file path to the local folder where the files will be stored. This must be a valid file path on the target endpoint. Make sure you have the necessary permissions to access the folder.
Note
The Remote Shell functionality does not support file paths to shared network drives.
To select the file you want to upload, click Browse, navigate to your file, and click Open.
Click Upload.
Wait until the message Upload started. Do not end the remote session disappears. Then you can close the page.
Downloading files
Use this functionality to remotely download files from another endpoint. To ensure the safety of your data, the files are encrypted in transit, at rest and in use.
You can download a file, or you can select a folder and download all contained files. The overall download size cannot exceed 256 MB.
To download files using the Remote Shell functionality, follow these steps:
Start a remote shell session.
In the Remote Shell Connection window, click Download.
This action opens the Download files page.
In the Download files from field, enter the path to the file or folder you want to download. If you select a folder, all contained files are added to an archive, and then downloaded.
Note
The Remote Shell functionality does not support file paths to shared network drives.
Optionally, you can protect the file archive with a password by enabling the Password protect the file archive option.
Enter the desired password in the provided fields.
Click Download.
You can retrieve the files in two different ways:
Wait for the files to download. Do not close the Download files page until you are notified that the download was successful. When the download is finished, you will receive a notification in the lower right side of the window.
Click Download to retrieve the archive.
Alternatively, you can close the Download files page and retrieve the archive from Network inventory. It is available in the Investigation Files Activity grid for 24 hours, after which the file is automatically removed from Bitdefender's temporary storage. For more information, refer to the section below.
Note
You may require third-party software to open the archive and extract the files.
Note that, for Linux endpoints, the download archives are symmetrically encrypted with GPG.
Retrieving downloaded files from Network inventory
To retrieve files downloaded using the Remote Shell functionality, follow these steps:
Log in to GravityZone Control Center.
Go to the Network page from the left side menu and click the managed endpoint that contains the files you downloaded.
Go to the Investigation tab.
View the status of your request, along with other data gathering activities performed in the past 24 hours, in the Investigation Files Activity grid.
You can cancel download requests in Pending status. Requests that were canceled or could not be completed for various reasons have the status set to Failed.
When the download process has completed successfully, the action status changes to Finished and the archive with the collected files is available for download.
Click Download file in the Actions column to download the archive locally.
Note
You may require third-party software to open the archive and extract the files.
Ending a Remote Shell session
When done investigating, click the End session button to close the remote connection, or close the session's browser tab.
Note
If the Remote Shell session is unexpectedly terminated, see XDR Remote Shell Troubleshooting for possible reasons.
After ending the current session, you can click the Download audit log button to get the logs of the remote shell session you just ended, or you can start a new remote session.
When you click Download audit log, GravityZone will start compiling a zip file with all the session logs. This action may take a couple of minutes to complete, depending on the size of the archive. All session details are also available in the User activity log.
Note
The session's logs are saved by default in a raw format. For easier reading, unzip the file and use one of these tools:
For logs from Windows OS endpoints, run this command in PowerShell (use the file path and name of the log file):
Get-Content <filePath> -Wait
Example:
Get-Content "C:\Users\Documents\sessionLogs.txt" -Wait
For logs from Linux and macOS endpoints, run this command in the terminal (use the file path and name of the log file):
less <filePath>
Example:
less /home/user/sessionLogs.txt
When you click Start a new session, you will be required to go through the authentication steps again.
XDR Remote Shell Troubleshooting
Your Remote Shell session may drop unintentionally, for various reasons. In most cases, restarting the session is the easiest and quickest way to fix the issue. If this doesn't work, you can always contact our Customer Support team, who will gladly assist you in all matters concerning the Bitdefender GravityZone platform.
Here is a list of error messages that the remote shell might display, possible reasons that may have caused them, and measures to mitigate them:
Forensic Data Gathering
Collecting extra information from endpoints affected by an incident is a labor-intensive manual task which often disrupts the investigation efforts of a SOC team and generates delays in mitigating and containing threats. The Collect Investigation Package functionality speeds up the process of collecting forensic evidence from your environment by removing the need to directly interact with the endpoint involved in an incident.
This feature is compatible with the following operating systems:
Windows
Linux
Mac
Investigation package prerequisites
To start the collection of forensic data from an endpoint, you have to meet the following criteria:
Your company must have an active EDR or XDR license.
The GravityZone user account must have the Manage Networks right enabled. For more details, refer to User rights.
Users logging in with GravityZone credentials need to have two-factor authentication (2FA) enabled. Users logging in via single sign-on (SSO) integrations with third parties do not require 2FA to access the feature.
The target endpoint must be powered on and online.
Collecting an investigation package
You can collect an investigation package using different approaches, based on your tasks: either by selecting an endpoint that is part of an XDR incident, or by selecting a managed endpoint from your Network inventory.
In the Incidents page, select from the grid the extended or endpoint incident you want to investigate further and open the Graph view.
In the Graph, select the node of the endpoint involved in the incident and click Collect Investigation Package to start compiling an archive with forensic data.
Note
If the button is inactive, a tooltip will be displayed with the reason why the action is unavailable. For more details, see Investigation package prerequisites.
A toast message will inform you that the data collection request was successfully created.
Click the View available investigation files link to access the full endpoint details page and track its progress.
You can view the current collection process (the status of the activity in progress is set to Pending), along with other data gathering activities performed in the past 24 hours.
Note
Collection activities that were canceled by the user or could not be completed for various reasons have the status set to Failed.
When the data collection process has completed successfully, the action status changes to Finished, and the archive with collected forensic artifacts is available for download.
Click Download file in the Actions column to download the archive locally and analyze the collected data.
Note
To find out more details about the type of data collected as part of an investigation package see Investigation Package data.
In the Network page, select the managed endpoint you want to collect forensic data from and open its details page.
Go to the Investigation tab, and click Collect Investigation Package to start compiling an archive with forensic data.
Note
If the button is inactive, a tooltip will be displayed with the reason why the action is unavailable. For more details, see Investigation package prerequisites.
A toast message will inform you that the data collection request was successfully created.
You can track its progress in the Investigation Files Activity grid.
You can view the current collection process (the status of the activity in progress is set to Pending), along with other data gathering activities performed in the past 24 hours.
Note
Collection activities that were canceled by the user or could not be completed for various reasons have the status set to Failed.
When the data collection process has completed successfully, the action status changes to Finished, and the archive with collected forensic artifacts is available for download.
Click Download file in the Actions column to download the archive locally and analyze the collected data.
Note
To find out more details about the type of data collected as part of an investigation package see Investigation Package data.
Searching security events
The Search page allows you to browse for past security events by using complex search criteria. You can choose which events GravityZone processes by going to Configuration > Raw Events.
In the search bar you can build queries using the available suggested fields and the rules described in The XDR query language.
All the results are displayed in a customizable grid where you can choose to show or hide categories according to your needs, using the Show / Hide button.
Note
The grid keeps your results until the end of your session, or until you run a new search.
Running queries
To run a query:
Type the query string in the search bar. Suggestions for field names, values and operators appear as you type.
For suggestions regarding field names, open the Helper by pressing CTRL + /.
For suggestions regarding values, open the Autocomplete by pressing CTRL + Space.
Tip
For help regarding available fields or syntax, use the Syntax Help. You can also use nested queries to build complex searches.
Set up the time frame using the Date field.
Define the search time frame:
To select specific dates, use the Custom option, then select the start and end dates from the calendar.
Set an exact time interval by using the From and To tabs above the calendar.
Select a recent time interval from the available options: Last 24 hours, Last 7 days, Last 30 days.
Important
The default data retention interval for events is 90 days. If you want to increase your capacity, contact your sales representative to upgrade your solution with a 180- or 365-day data retention add-on.
Select Confirm.
Select Run query.
Important
Control Center can display up to 10,000 events.
If the query results contain more than 10,000 events, a message will pop up, in which case you need to refine your search.
Refining your search
If the initial query returned too many results, you can optimize your search criteria. You can manually add information in the search query or you can use the Details panel. To refine your search using the panel, follow these steps:
Select any event in the Grid to open the Details panel.
Click the search icon at the end of the field you want to add to the query.
Note
The JSON tab is displayed for EDR and XDR alerts. You can easily identify these alerts by using the following key-value pairs:
other.event_type: alert for EDR alerts
other.event_type: xalert for XDR alerts
The JSON tab contains further information related to that specific alert. You cannot use the key-value pairs in this tab to further refine your search, but you can copy all data by using the Copy all to clipboard button. For a list of all JSON fields, refer to JSON fields.
Select the necessary operator.
The field-value pair will be added to your search query.
Select Run query.
Smart views
The Search feature offers the ability to save queries for later use.
You can also edit or delete previously saved queries.
Saving queries
Run the desired query.
Click the Save As button in the upper-right corner of the page.
The following dialog box is displayed:
Name your query and click Save.
Your query will be displayed in the Smart views panel, on the left side of the search grid.
Editing saved queries
Select the query from the Smart views list.
The query will be displayed in the search bar.
Make the necessary changes to your query.
Click the Save button in the upper-right corner of the page.
Deleting saved queries
In the Smart views list, click the vertical ellipses next to the query you want to delete.
Select Delete and confirm your choice.
Live Search
Overview
With Live Search you can retrieve information about events and system statistics directly from online endpoints using Osquery, an operating system instrumentation framework that uses the SQLite query language.
Note
For more information on Osquery, check the official documentation following the links below:
Activating Live Search on your endpoints
For the feature to be available on a specific endpoint, the policy applied to it needs to have the module activated. To activate Live Search for a specific policy follow these steps:
Log in to GravityZone Control Center.
Go to the Policies page from the left side menu and select the policy you want to edit.
Go to the Live Search section.
Select the Live Search option to enable the feature for all endpoints the policy is applied to.
System requirements
Live Search is supported only on 64-bit operating systems.
Minimum BEST version required:
Windows: 7.6.1.202
Linux: 7.0.3-2085
MacOS: 7.8.16.200024
Permissions
To access the Live Search feature and perform queries on endpoints, you need to have the following permissions:
Manage Networks
Advanced investigation
Additionally, you need to have access to the entire Network tree through the designated targets. Partner type accounts are able to query endpoints from companies below them, if those companies allowed their partner to assist with managing their network.
Using Live Search
You can access the feature by going to Incidents > Search and selecting the Live tab.
The page contains the following elements:
Queries panel, comprised of:
Search option - you can use this to search by title.
Recent - displays the last 25 queries that were performed.
Saved - a list of all the queries that have been saved for this user.
Predefined - a list of queries that are available by default for all customers.
Featured - a set of predefined queries selected by our security analysts.
Filters section, comprised of:
Company - perform a query on endpoints from a specific company.
OS - perform a query on specific endpoints based on their operating system.
Tags - perform a query on specific endpoints based on their GravityZone tags.
Endpoint name - perform a query on specific endpoints from a company.
Save - save changes to current query.
Save as - used when creating a new query.
Discard changes - revert the query to the last saved state. This option becomes available if the query or the filters are different from the saved state.
Reset filters - revert all changes applied to the filters. This option becomes active if one or more filter values are changed.
Download icon - used to download the query results as a .CSV file.
Info icon - displays the Tables side panel.
Clear - removes all text from the input field.
Run query - run the current selected query.
Query text - write your query.
Query results - the results of the performed query.
Resize button - use this to adjust the size of the search section.
Page numbering and items displayed per page
Refresh button
Metadata details - provides additional details on the level of success of the query run. This section will always be displayed at the bottom, even if no results are present.
Create a new query
You can create a new query by using one of the methods below:
By typing in the query instructions
When first displaying the Live tab after logging in to GravityZone, a blank query will be displayed by default.
Type in the query instructions.
Select the Save button on the upper right side of the screen.
Type in a name for the new query.
Select Save.
The query is now displayed under Saved queries.
By editing an already existing query
Select the query you want to modify.
Change the instructions assigned to the query.
Select the Save as button on the upper right side of the screen.
Type in a name for the new query.
Select Save.
The query is now displayed under Saved queries.
Run a query
To run a query follow the steps below:
Locate and click the query you want to run on the left side of the screen, under Saved queries.
Select Run query.
Depending on the complexity of the query and the size of your network, it may take a few minutes to return all of the results. For the duration of the data gathering, the message In progress and a timer are displayed, and the Run query button is disabled until all data is gathered.
Note
Query results will be gathered from each endpoint for a maximum of 2 minutes, after which they will be timed out and no more results will be gathered. If all endpoints respond with valid data before the time-out, the query will be completed sooner. The Run query button and the Metadata section will not be available while the query is running.
Results are returned depending on your query:
Only the first results are automatically displayed. The grid will automatically check for new results every 5 seconds until the query run completes. To manually refresh the results, you can use the Refresh button. When refreshing the results grid, the Metadata will also refresh.
The query results are available for 30 minutes. Once the time has passed, the results are deleted. A timer is available between the query instructions and the query results.
Note
You can use the button on the upper right side of the screen to download the query results as a .CSV file.
Reading Metadata details
This section is collapsed by default, and contains the following data:
Status - the status of the query:
In progress - query is currently running.
Finalized - the query has been completed.
N/A - no query has been run or the results have expired.
Respondents - the number of endpoints that have responded to the query.
Total endpoints - the number of endpoints that have been queried.
When expanded, the following information is displayed:
Query name - Metadata details is always accompanied by the query name.
Assign tags button
A filter section comprised of:
Status filter:
All
Timed out
Successful
Error
Failed to connect
Sent rows filter:
All
No results
Results available
Endpoint - the endpoint name.
Query execution time - the time the query ran on this endpoint (milliseconds).
Available rows - the total number of rows returned by the query for this endpoint.
Sent rows - the number of rows that have been included in the results.
Status - the status of the query for this specific endpoint.
Error message - the error message returned by the endpoint when queried.
Note
The information listed in the Metadata is only kept for 24 hours. You can use the button on the upper right side of the screen to download the query results as a .CSV file.
Edit a query
To edit a query follow the steps below:
Select the query you want to modify.
Change the syntax of the query.
Select the Save button on the upper right side of the screen.
Note
Predefined queries cannot be modified. Use the Save as button to create a new query.
Click Save.
The modifications to the query have been saved.
Delete a query
To delete a query follow the steps below:
Locate the query on the left side of the screen, under Saved queries.
Click the vertical ellipsis button for the query you want to remove.
Select Delete.
Rename a query
To rename a query follow the steps below:
Locate the query on the left side of the screen, under Saved queries.
Click the vertical ellipsis button for the query you want to rename.
Select Rename.
Type in the new name for the query.
Click the OK button.
Tables panel
You can inspect the database schema and search for available tables and fields using the Tables side panel.
This section is accessed from the info icon located at the upper right side of the query text box.
The panel contains the following elements:
Learn more - link directs you to the available documentation.
Search field - search tables or columns using full or partial name.
All platforms filter:
All platforms
macOS
Linux
Windows
The number of items displayed.
The results found - multiple tables which can be expanded or collapsed to show the table content.
Query results limitations
The following limitations apply to all query results:
Queries return a maximum of 50,000 rows per run.
Queries return a maximum of 1000 rows for each endpoint per run.
Individual endpoint row results are not redistributed to other endpoint results that have not reached their row count limit.
Live Search does not support Osquery evented tables.
Queries on individual endpoints will automatically time out after 30 seconds. This does not include the time for processing the results.
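As an added example (not GravityZone or osquery code), the following Python script runs an osquery-style query against constructed in-memory SQLite data using table and column names from the osquery processes and listening_ports schemas, and then applies the row caps listed above to show how per-endpoint truncation and the lack of redistribution affect what a run returns. The sample host data, the query itself, and the sequential way the 50,000-row run cap is modelled are assumptions made for this illustration.

```python
import sqlite3

# Live Search limits as documented above.
MAX_ROWS_PER_ENDPOINT = 1000
MAX_ROWS_PER_RUN = 50_000

# Example Live Search query (constructed for this illustration). osquery
# exposes the operating system as SQLite tables, so "which processes are
# listening on which ports" is a plain SQL join. The explicit LIMIT keeps every
# endpoint's result under the per-endpoint cap so nothing is silently cut off.
# Only non-evented tables such as these are usable in Live Search.
LISTENING_PROCESSES_QUERY = """
SELECT p.pid, p.name, p.path, l.protocol, l.address, l.port
FROM listening_ports AS l
JOIN processes AS p ON p.pid = l.pid
WHERE l.port != 0
ORDER BY l.port
LIMIT 1000
"""

# Constructed sample data shaped like a subset of the osquery schemas.
SAMPLE_PROCESSES = [
    (1, "sshd", "/usr/sbin/sshd"),
    (2, "nginx", "/usr/sbin/nginx"),
    (3, "bash", "/bin/bash"),
]
SAMPLE_PORTS = [  # (pid, port, protocol, address); protocol 6 = TCP
    (1, 22, 6, "0.0.0.0"),
    (2, 443, 6, "::"),
    (2, 80, 6, "0.0.0.0"),
    (3, 0, 6, ""),  # port 0 entries are noise and are filtered out
]


def build_endpoint_db(processes, ports):
    """Create an in-memory SQLite database standing in for one endpoint."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT)")
    db.execute("CREATE TABLE listening_ports "
               "(pid INTEGER, port INTEGER, protocol INTEGER, address TEXT)")
    db.executemany("INSERT INTO processes VALUES (?, ?, ?)", processes)
    db.executemany("INSERT INTO listening_ports VALUES (?, ?, ?, ?)", ports)
    return db


def run_on_endpoint(db, query=LISTENING_PROCESSES_QUERY):
    """Run the query on one endpoint database and return all rows."""
    return db.execute(query).fetchall()


def apply_live_search_caps(available_rows):
    """Model the documented caps on a run's results.

    available_rows maps endpoint name -> number of rows its query produced.
    Each endpoint is cut at MAX_ROWS_PER_ENDPOINT, and headroom left by a
    small endpoint is not redistributed to a large one. The run cap is
    assumed here to apply in the order the endpoints are listed.
    Returns ({endpoint: {"available", "sent", "truncated"}}, total_sent).
    """
    report, total = {}, 0
    for endpoint, available in available_rows.items():
        sent = min(available, MAX_ROWS_PER_ENDPOINT, MAX_ROWS_PER_RUN - total)
        report[endpoint] = {"available": available, "sent": sent,
                            "truncated": sent < available}
        total += sent
    return report, total
```

An endpoint whose "truncated" flag is set is one where the Metadata grid would show Available rows above Sent rows, which is the cue to narrow the query rather than expect the missing rows elsewhere.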
Eligibility
The feature is available to any cloud company that is licensed for GravityZone Business Security Enterprise or the A-la-carte EDR Cloud.
Submitting feedback
You can submit feedback by sending an email to [email protected].
The XDR query language
The query language provides the vocabulary (fields and operators) and the syntax to help you build queries.
To access information about syntax from inside the platform click the icon inside the search bar.