The On-Demand Incident feature enables analysts and threat hunters to create a case on non-entity attributes and attach events to a new or existing incident directly from Spotter, even when a policy has not been violated. This on-demand functionality gives analysts and threat hunters more control over their investigations, as they are provided with greater flexibility during the incident creation. Analysts and threat hunters can also manage activity from the Incident Management dashboard to better manage emerging threats that may have previously gone unnoticed.
When an analyst needs to create an incident, they can simply click the new On-Demand Incident icon, which is placed at the top of every screen in the SNYPR UI. The On-Demand Incident icon opens an Incidents panel, which provides a consolidated list of existing incidents in one location. This list also includes multiple features that make it easy to find the information you need, including:
- Incident Name: Each incident has a specific name that helps you quickly identify it and focus the investigation on the most important threats in your environment.
- Incident ID: Each incident is assigned a unique number that is used to track the incident. Click the Incident ID to view the incident management details for the selected incident.
- Attachment icon: You can click this icon to attach important files to the incident.
- Comments icon: This icon is used to provide additional information about the incident to help communicate analysis.
Unlike incidents created on policy violations, this feature allows you to create incidents on one or more non-entity attributes and attach events from threat hunting/investigation as artifacts.
Note: Risk scores are not included when you create an incident from the Incidents panel. This is because the Incidents panel creates an incident using events rather than on an entity.
To create an incident, click Create New On-Demand Incident. Two sections display that allow you to add incident details and incident configurations. The incident name and description that you specify in this section appear in the incidents list, so choose a name and description that will best help you identify this case later on.
You can also add events to a new or existing incident from the Spotter Search Results view.
- Add Selected Events to Incident: Allows you to specify which events you want to add to an existing incident. You can add the same set of events to multiple incidents.
- Add All events to incident: Allows you to add all the events from a Spotter query to an incident.
When you select the Add All events to incident option, you will see an Events icon (highlighted in the following image), which allows you to attach up to 1,000 of the most recent events to the incident. Click Add to attach them.
To add every event returned by the Spotter query, generate the Spotter report, download the attachment, and then include the attachment as an artifact in the existing case.
Note: You can include results from multiple entities and datasources from the same tenant.
When you create an incident, you can access the incident details by clicking the Incident ID from the incidents list.
You are directed to the Incident Management screen. From this screen, you will see a new default view that includes the incident name and incident description, as seen in the following:
The Incident Management screen also enables you to group incidents together. To view incidents grouped this way, click the Group By icon and select On-Demand Incident.
Additionally, when you add events to an existing incident from Spotter, an Events tab displays, as seen in the following image. The Events tab shows contextual information about all events that were added to an existing case.