Viewing detailed information about an Incident

The Incident details page provides in-depth information about an incident. You can also perform actions on entities from this page.
To access the Incident details page:
  1. On the left navigation pane, click Incident Manager. The Incidents tab appears by default.
  2. Click on any incident ID to open its Incident details page.
Overview
A unique incident number is assigned to the incident. A brief description of the incident follows the incident number. Beneath the description is Symantec's recommended actions for how to address this incident.
The overview also provides the following information about the incident:
PRIORITY
The priority that is assigned to this incident is based on Symantec Endpoint Detection and Response's evaluation of the severity of the incident.
Incidents that consist of the events that Symantec knows are part of a targeted attack are prioritized higher than incidents without such events. Incidents with a high number of events are prioritized higher than incidents with fewer events. Incidents with the events that occurred more recently are prioritized higher than older incidents.
The priorities are as follows:
  • High - Symantec EDR detected a threat that Symantec classifies as malicious. The threat was not blocked, possibly because the device operates in Tap mode. High priority incidents can result in outages or loss of data, or have a severe effect on the organization, and need to be responded to immediately.
  • Medium - The appliance detected a low-risk threat, such as unblocked adware. Medium priority incidents may have an effect on the organization and the system in question.
  • Low - The incident is not deemed to be a serious threat at this time. Low-priority incidents do not affect critical business operations. Systems can continue to function as normal.
SUSPECTED BREACH
Whether Symantec EDR deems the incident to be a suspected security breach. These incidents can include any of the following types of incident rules: Targeted Attack Incident, Targeted Email Attack Incident, Targeted Attack Analytics Incident, or Dynamic Adversary Intelligence-related incidents.
AFFECTED ENDPOINTS
The number of endpoints in your environment that this incident affects.
NETWORK SCANNER
The Symantec EDR scanner that detected this incident.
If multiple scanners detected the incident, the number of scanners appears. Hover over this field to view the names of all of the scanners that detected this incident.
EVENT COUNT
The number of events that comprise this incident.
See the Events tab for a list of all of the events that comprise this incident.
INCIDENT STATUS
The current status of the incident.
  • Open - The incident is deemed to be a threat and has not yet been remediated.
  • Closed - The incident is remediated or deemed not to be a threat and has been closed.
FIRST SEEN
The date and time that Symantec EDR detected the first event in this incident.
LAST SEEN
The date and time that Symantec EDR detected the latest event in this incident.
LAST UPDATED
The date the last event comprising the incident occurred.
Incident graph
The Incident graph is a visual display of the information that is found in the table below it. The Incident graph depicts entities' relationships to one another — it is not a causal depiction. The circular elements on Incident graph are referred to as nodes.
Understanding the Incident graph:
  • The primary node initially appears in the center of the Incident graph.
  • Nodes that are related to the incident appear slightly smaller than the primary node and a solid line connects them.
  • Expansions of a node that are not connected to the incident are indicated with dashed lines.
Working with the Incident graph:
  • Hover over a node to view details about it. For example, hovering over the domain entity node reveals the entity's domain name or IP address.
  • Right-click on a node to view a menu that lets you perform the tasks that are associated to that entity.
  • You can pan the Incident graph using the navigation keys, or zoom in and out with the mouse wheel.
  • Use your mouse pointer to move and rearrange the nodes. Double-click on any node to bring that node to the center of the Incident graph.
  • Click on the center of the mouse wheel to re-center the Incident graph with the primary node in the center.
If you refresh the page or go to another page and return, the Incident graph returns to its original state.
Actions
The following actions are available from the Incident details page:
Full Dump
Lets you retrieve endpoint activity recorder information for the endpoint(s) that you specify.
This action only appears for the endpoints that are enrolled with ECC and have endpoint activity recorder enabled.
Process Dump
Lets you retrieve endpoint activity recorder information for the file or endpoint process, for the file hash and endpoint(s) that you specify.
This action only appears for the endpoints that are enrolled with ECC and have endpoint activity recorder enabled.
Add to Deny List
Adds the item to the Symantec EDR deny list policy. You can add IP addresses, domains, URLs, and SHA256 file hashes.
Add to Allow List
Adds the item to the Symantec EDR allow list policy. You can add IP addresses, domains, URLs, and SHA256 file hashes.
Rejoin
Rejoins an isolated endpoint to the network.
Supported only for SEP 12.1 RU6 and later.
Isolate
Isolates (quarantines) an endpoint.
Supported only for SEP 12.1 RU6 and later.
Delete File
Deletes a file from the endpoint.
This action is supported for enrolled as well as non-enrolled clients running SEP 12.x RU6 MP3 and later. For enrolled clients running SEP 14.0 RU1 and later, this task is performed through ECC 2.0 directly from Symantec EDR to the client, without waiting for the SEPM heartbeat. For enrolled clients that run ECC 1.0, this option remains active until the file is deleted from the endpoint through SEPM. Then the option becomes inert for that file.
The ability to cancel a delete file action is supported on SEP 12.1 RU6 MP5 and later and can only be performed using the API. Canceling the delete file action also cancels the deletion of associated registry entries.
Comment
Lets you add a comment with a maximum of 512 characters.
Extended ASCII characters do not render properly in .csv format.
Close
This option only appears if the incident is open.
Marks the incident as closed.
Closing an incident does not delete it. When you close an incident, you must specify the outcome. Optionally, you can add comments.
When you select an action, a dialog box appears that lists all the entities that you can perform that action on. Unselect any entities in the dialog box that you don't want to perform this action on.
Only users with the Admin role or Controller role can perform actions. Actions that are not permitted based on your role appear in the EDR appliance console as inactive.
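The Add to Deny List and Add to Allow List actions above accept exactly four kinds of entry: IP addresses, domains, URLs, and SHA256 file hashes. The following added example (not Symantec's code; the function names and the sample indicator list are constructed for illustration) classifies candidate indicators into those four types and rejects anything else, so that malformed entries, or hashes of a different algorithm such as MD5, are caught before an analyst submits them to a policy.

```python
import ipaddress
import re
from urllib.parse import urlparse

# SHA256 digests are exactly 64 hexadecimal characters.
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# Hostname: dot-separated labels of letters, digits and hyphens, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,63}$"
)

# Constructed sample input: five acceptable indicators and two that must be rejected
# (an MD5 digest, which the policy does not accept, and free text).
SAMPLE_INDICATORS = [
    "192.0.2.44",
    "2001:db8::7",
    "malicious.example.net",
    "https://malicious.example.net/update",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # SHA-256 of the empty string
    "d41d8cd98f00b204e9800998ecf8427e",  # MD5 of the empty string: wrong hash type
    "not an indicator",
]


def classify_indicator(value):
    """Return 'ip', 'domain', 'url' or 'sha256' for an acceptable entry, else None."""
    v = value.strip()
    if SHA256_RE.match(v):
        return "sha256"
    try:
        ipaddress.ip_address(v)  # accepts both IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    if DOMAIN_RE.match(v):
        return "domain"
    return None


def prepare_policy_entries(values):
    """Split raw strings into (value, type) pairs to submit and raw strings to reject."""
    accepted, rejected = [], []
    for raw in values:
        kind = classify_indicator(raw)
        if kind is None:
            rejected.append(raw)
        else:
            accepted.append((raw.strip(), kind))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = prepare_policy_entries(SAMPLE_INDICATORS)
    for value, kind in ok:
        print(f"accept {kind:7} {value}")
    for value in bad:
        print(f"reject         {value}")
```

The order of the checks matters: a 64-character hex string is tested before the IP and domain rules, and a URL is recognised before a bare domain so that `https://host/path` is not mistaken for a hostname.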
Process Lineage
The Process Lineage tab shows the chronological order of parent lineage. Process lineage information is limited to Advanced Attack Techniques (AAT) and Targeted Attack Analytics (TAA) related incidents. This tab shows the origin of the attack and the other processes that are associated with the attack.
You must configure the endpoint activity recorder to send Process launch activity to Symantec EDR for Symantec EDR to retrieve process lineage events.
The parent lineage is the set of processes that led to the triggering event. The triggering event is the process event that prompted Symantec EDR to create an incident. There can be more than one triggering event in an incident.
When multiple lineages exist within an incident, the Events Summary view includes events from all of the lineages by default, so multiple triggering events are initially present. To view a specific lineage, filter the Events Summary view by its lineage_id.
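The parent lineage described above is a chain of process-launch events that can be rebuilt from the events themselves: filter on lineage_id, find the triggering event, then follow each process to its parent until the origin is reached. The following added example (not Symantec's code; the event field names, the sample events, and the assumption of one triggering event per lineage_id are constructed for illustration) does that for an incident with two lineages.

```python
from collections import defaultdict

# Constructed sample of process-launch events for one incident with two lineages.
# Each record carries a lineage_id, its own pid, its parent's ppid, and whether it is
# the triggering event. Field names are assumed, not Symantec EDR's schema.
EVENTS = [
    {"lineage_id": "L1", "pid": 400, "ppid": 1,   "image": "explorer.exe",   "ts": 1, "triggering": False},
    {"lineage_id": "L1", "pid": 412, "ppid": 400, "image": "winword.exe",    "ts": 2, "triggering": False},
    {"lineage_id": "L1", "pid": 420, "ppid": 412, "image": "cmd.exe",        "ts": 3, "triggering": False},
    {"lineage_id": "L1", "pid": 431, "ppid": 420, "image": "powershell.exe", "ts": 4, "triggering": True},
    {"lineage_id": "L2", "pid": 500, "ppid": 1,   "image": "svchost.exe",    "ts": 5, "triggering": False},
    {"lineage_id": "L2", "pid": 515, "ppid": 500, "image": "rundll32.exe",   "ts": 6, "triggering": True},
]


def filter_by_lineage(events, lineage_id):
    """The programmatic equivalent of filtering the Events Summary view by lineage_id."""
    return [e for e in events if e["lineage_id"] == lineage_id]


def parent_lineage(events, lineage_id):
    """Return image names from the origin process down to the triggering event.

    Assumes pids are unique within a lineage. If several triggering events exist in
    the lineage, the earliest one (by ts) is used as the starting point.
    """
    lineage = filter_by_lineage(events, lineage_id)
    by_pid = {e["pid"]: e for e in lineage}
    triggering = sorted((e for e in lineage if e["triggering"]), key=lambda e: e["ts"])
    if not triggering:
        raise ValueError(f"lineage {lineage_id} has no triggering event")

    chain, seen = [], set()
    cur = triggering[0]
    # Walk parent pointers; stop at the origin (parent not recorded) or on a cycle.
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur["image"])
        cur = by_pid.get(cur["ppid"])
    chain.reverse()  # chronological: origin first, triggering event last
    return chain


def all_lineages(events):
    """Map every lineage_id in the incident to its parent lineage chain."""
    ids = sorted({e["lineage_id"] for e in events})
    return {lid: parent_lineage(events, lid) for lid in ids}


if __name__ == "__main__":
    for lid, chain in all_lineages(EVENTS).items():
        print(lid, " -> ".join(chain))
```

Because the walk is keyed on the parent pid inside the filtered lineage, an origin process whose parent was never recorded (here pid 1) simply terminates the chain, which is what makes it the origin.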
To export the events that appear in the Events Summary view in .csv format, beside the n Events drop-down arrow, click Export.
Click the following link to learn more about adding filters, performing searches, and other important information about how to work in the Events Summary view.
Events
The Events Summary view lists all of the events that contributed to the incident and each event's associated data. Click the following link to learn more about using the Events Summary view.
Intelligence
The Intelligence tab displays information about the adversary that is associated with the incident. This tab is only available for the incidents that Symantec EDR created when it imported data from the Dynamic Adversary Intelligence (DAI) feed.
This information is organized into the following sections:
Adversary Intelligence
  • Adversary Name
    The name of the adversary conducting the targeted attack.
  • Executive Summary
    A high-level summary of the adversary's activities.
  • Aliases
    Other names by which the adversary is known.
  • Attack Vectors
    The method by which the adversary gained access to its targeted victims (for example, email, watering hole, data storage device).
  • CVEs Used
    A list of public CVE (Common Vulnerabilities and Exposures) identifiers used by the adversary.
  • Malware Families Used
    The malware families that the adversary used in its targeted attack.
  • First Seen
    The date that Symantec first detected the adversary.
  • Adversary Motivations
    The analyst's assessment of what the adversary's motivation may be (for example, intelligence, financial, disruption).
  • Adversary Locations
    The country or countries in which analysts believe that the adversary operates.
References
Third-party online publications (such as white papers, articles, blogs, etc.) pertaining to the adversary.
  • Date
    The date the reference was published.
  • Source URL
    The URL of the reference.
  • Description
    The title of the reference.
  • Summary
    A short summary of the reference.
This section also provides the following comment:
The following information is provided for reference purposes only. Using the URL may direct you to a third-party website that Symantec does not own or control. Symantec does not endorse, and is not responsible for, any content that is contained on third-party websites.
Indicators of Compromise - File
The SHA256 hash and malware name of the malicious file(s) used by the adversary.
Indicators of Compromise - Network
The title, URL, IP address, malware name, and the date and time first seen of the malicious site(s) that the adversary used.
Troubleshooting
If you have an endpoint under a workgroup with a host name that exceeds 15 characters, the host name is reported twice: once as a short host name truncated to 15 characters, and once as the full host name exceeding 15 characters. So the same endpoint may appear twice, once for each reported host name. This issue is a result of NetBIOS restrictions. Click the following link for more information:
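When the duplicate described above shows up in an exported endpoint list, the two records can be reconciled mechanically: a 15-character host name that is the exact prefix of a longer host name reported for the same endpoint is the NetBIOS-truncated form. The following added example (not Symantec's code; the endpoint records, their field names, and the use of the IP address to confirm that both names belong to one endpoint are constructed assumptions) collapses such pairs while leaving a genuinely distinct machine with a 15-character name untouched.

```python
from collections import defaultdict

# NetBIOS computer names are limited to 15 characters.
NETBIOS_NAME_MAX = 15

# Constructed sample endpoint records. Records 0 and 1 are the same endpoint reported
# under its truncated and full host names; record 3 is a different machine whose name
# happens to be exactly 15 characters long.
ENDPOINTS = [
    {"hostname": "FINANCE-WS-0042",         "ip": "192.0.2.10"},
    {"hostname": "FINANCE-WS-00421-LONDON", "ip": "192.0.2.10"},
    {"hostname": "HR-WS-01",                "ip": "192.0.2.11"},
    {"hostname": "FINANCE-WS-0042",         "ip": "192.0.2.12"},
]


def is_netbios_truncation(short_name, full_name):
    """True if short_name is the 15-character NetBIOS form of the longer full_name."""
    return (
        len(short_name) == NETBIOS_NAME_MAX
        and len(full_name) > NETBIOS_NAME_MAX
        and full_name[:NETBIOS_NAME_MAX].upper() == short_name.upper()
    )


def truncated_pairs(endpoints):
    """List (short, full) host name pairs that refer to one endpoint (same IP)."""
    by_ip = defaultdict(list)
    for e in endpoints:
        by_ip[e["ip"]].append(e)
    pairs = []
    for group in by_ip.values():
        for short in group:
            for full in group:
                if short is not full and is_netbios_truncation(short["hostname"], full["hostname"]):
                    pairs.append((short["hostname"], full["hostname"]))
    return pairs


def dedupe_endpoints(endpoints):
    """Drop records that are only the truncated name of another record with the same IP."""
    by_ip = defaultdict(list)
    for e in endpoints:
        by_ip[e["ip"]].append(e)
    kept = []
    for e in endpoints:
        siblings = [s for s in by_ip[e["ip"]] if s is not e]
        if any(is_netbios_truncation(e["hostname"], s["hostname"]) for s in siblings):
            continue  # the full host name for this endpoint is also present; keep that one
        kept.append(e)
    return kept


if __name__ == "__main__":
    for short, full in truncated_pairs(ENDPOINTS):
        print(f"{short} is the NetBIOS form of {full}")
    for e in dedupe_endpoints(ENDPOINTS):
        print(e["hostname"], e["ip"])
```

Requiring a shared IP address before merging is deliberate: two different endpoints can legitimately share a 15-character prefix, and the "same endpoint" evidence must come from something other than the name itself.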