- Incident Responder Release Notes
- Get Started with Incident Responder
- Configure Incident Responder Settings
- Core Settings
- Analytics Settings
- Configure Services
- Prerequisites for Configuring Incident Responder Microsoft Services with OAuth2.0 Authentication
- Configure the Amazon Elastic Compute Cloud (EC2) Service
- Configure the Anomali ThreatStream API Service
- Configure the Atlassian Jira Service
- Configure the BMC Remedy Service
- Configure the Check Point Firewall Service
- Configure the Cisco AMP for Endpoints Service
- Configure the Cisco Services Engine (ISE) Service
- Configure the Cisco Threat Grid Service
- Configure the Cisco Umbrella Enforcement Service
- Configure the Cisco Umbrella Investigate Service
- Configure the CrowdStrike Falcon Host API Service Service
- Configure the CrowdStrike Falcon Host API Service Service
- Configure the CyberArk Service
- Configure the Cylance Protect Service
- Configure the Exabeam Advanced Analytics Service
- Configure the Exabeam Cloud Search Service
- Configure the Exabeam DL Service
- Configure the FireEye HX Service
- Configure the Fortinet Service
- Configure the Google Gmail Service
- Configure the IntSights Cyber Intelligence Ltd. Service
- Configure the IRNotificationSMTPService Service
- Configure the Microsoft Active Directory (AD) (Latest) Service
- Configure the Microsoft Exchange Service
- Configure the Microsoft Outlook Office 365 Service
- Configure the Microsoft Windows Defender ATP Service
- Configure the Microsoft Windows Management Instrumentation Service
- Configure the Netskope Service
- Configure the Okta Service
- Configure the Palo Alto Networks Firewall Service
- Configure the Palo Alto Networks Wildfire Service
- Configure the Rapid7 insightVM Service
- Configure the SentinelOne Service
- Configure the SentinelOneV2 Service
- Configure the Service Now Service
- Configure the Slack Service
- Configure the SlashNext Service
- Configure the Splunk Service
- Configure the ThreatConnect API Service
- Configure the Urlscan.io API Service
- Configure the VirusTotal Service
- Configure the Zscaler Service
- Test a Service
- Edit a Service
- Disable a Service
- Upload a Custom Service
- Delete a Custom Service
- Create an Email Template for the Notify by Email Action
- Respond to Security Incidents
Automated Incident Classification Turnkey Playbook
Classify Behavior Analytics incidents into the correct incident type with the Automated Incident Classification turnkey playbook.
When an Advanced Analytics user or asset session becomes notable, Case Manager automatically creates an incident with the Behavior Analytics incident type. The Automated Incident Classification turnkey playbook analyzes session to accurately change the incident's type, helping you make sense of all the evidence in Advanced Analytics and quickly diagnose what threat you're investigating. It's important that incidents have the correct incident type so you standardize the evidence you collect and define tasks for investigating, containing, and remediating the incident.
First, the playbook retrieves the Exabeam Threat Detection, Investigation, and Response (TDIR) Use Case Categories rule tags associated with session's triggered rules. View the output in the workbench, under GET RULE LABELS – EXABEAM AA DEFAULT.
Depending on the rule tag, the playbook adds an incident type.
If the session is associated with any of these rule tags: | The playbook adds this incident type to the incident: |
|---|---|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
Audit Log Manipulation | |
Data Deletion | |
Access to Physical Space | |
| |
Abnormal User Activity | |
Brute Force Attack | |
Cryptomining | |
Malware | |
Phishing | |
Ransomware |
View which incident type was added in the workbench, under MODIFY INCIDENT TYPE – INTERNAL or under the Incident Type incident field.