Automated Incident Enrichment Turnkey Playbook
Gather evidence from an Advanced Analytics session and add it to the corresponding Case Manager incident with the Automated Incident Enrichment turnkey playbook.
When an Advanced Analytics Smart Timeline™ user or asset session becomes notable, Case Manager automatically creates an incident with the Behavior Analytics incident type. The Automated Incident Enrichment turnkey playbook gathers additional contextual or supporting information from the Advanced Analytics session and populates the Case Manager incident so you have everything you need to investigate the incident.
First, the playbook returns the session's anomalous activity and gathers evidence to add to the Case Manager incident:
- The playbook returns the MITRE ATT&CK® tactics and techniques rule tags associated with the session. View the output in the workbench under GET RULE LABELS – EXABEAM AA DEFAULT.
- The playbook gathers all the rules triggered during the notable session and other related details, like the rule description, rule category, and associated model name. View the output in the workbench under GET TRIGGERED RULES – EXABEAM AA DEFAULT.
- The playbook gathers other relevant evidence about the event, including event type, event ID, raw log time, and details about any processes, files, domains, hosts, URLs, or email addresses involved. View the output in the workbench under GET EVENT INFO – EXABEAM AA DEFAULT.
Then, it adds this evidence to the incident in incident fields, or as entities or artifacts. For example, it adds the destination IP to the incident as an IP artifact. In the workbench, view the information and whether an entity or artifact was created under ADD TO INCIDENT – INTERNAL.
If the incident involves a notable user, the playbook returns the user's past anomalous behavior, including their risk score for every session in the past 14 days and all the rules triggered in the user's sessions in the past 14 days. Then, it collects any additional contextual information about the user and searches for other Case Manager incidents involving the user. View the output in the workbench, including:
- Risk score for each session in the past 14 days, under GET USER RISK SCORE – EXABEAM AA DEFAULT.
- All rules triggered in the user's sessions in the past 14 days, under GET TRIGGERED RULES – EXABEAM AA DEFAULT.
- Additional contextual information about the user, under GET USER INFORMATION – EXABEAM AA DEFAULT.
- Other Case Manager incidents involving the notable user in the past 14 days, under SEARCH IR INCIDENTS WITH IOC.
If the incident involves a notable asset, the playbook returns the asset's past anomalous behavior, including its risk score for every session in the past 14 days and all the rules triggered in the asset's sessions in the past 14 days. Then, it collects any additional contextual information about the asset and searches for other Case Manager incidents involving the asset. View the output in the workbench, including:
- Risk score for each session in the past 14 days, under GET ASSET RISK SCORE – EXABEAM AA DEFAULT.
- All rules triggered in the asset's sessions in the past 14 days, under GET ASSET TRIGGERED RULES – EXABEAM AA DEFAULT.
- Additional contextual information about the asset, under GET ASSET INFORMATION – EXABEAM AA DEFAULT.
- Other Case Manager incidents involving the same notable asset in the past 14 days, under SEARCH IR INCIDENTS WITH IOC.
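The following is an added example that models the enrichment flow described above as a small, self-contained Python script. It is not Exabeam's playbook code and calls no Exabeam API: the session, session-history and incident records are constructed sample data, and the function names (`get_rule_labels`, `get_event_info`, `search_incidents_with_ioc`, `enrich_incident`) and record shapes are this example's own assumptions. It shows the parts of the flow that are easy to get wrong when building such an enrichment yourself: typing raw indicators into IP, URL, email or domain artifacts, applying the 14-day lookback to both session history and related incidents, and de-duplicating artifacts and entities before writing them to the incident.

```python
"""Hypothetical model of an incident-enrichment playbook (added example)."""
from datetime import datetime, timedelta, timezone
import ipaddress
import re

LOOKBACK = timedelta(days=14)                          # playbook's 14-day window
NOW = datetime(2024, 5, 20, tzinfo=timezone.utc)       # constructed "current time"

# --- constructed sample data; none of these sessions, rules or incidents are real ---
NOTABLE_SESSION = {
    "session_id": "sess-1001", "subject_type": "user", "subject": "jdoe",
    "triggered_rules": [
        {"rule_id": "R1", "description": "Abnormal number of failed logons",
         "category": "Credential Access", "model": "FAIL-LOGONS",
         "mitre": ["TA0006", "T1110"]},
        {"rule_id": "R2", "description": "First access to asset",
         "category": "Lateral Movement", "model": "USER-ASSET",
         "mitre": ["TA0008", "T1021"]},
    ],
    "events": [
        {"event_id": "e1", "event_type": "failed-logon",
         "raw_log_time": "2024-05-20T10:01:00Z",
         "indicators": ["10.0.0.5", "jdoe@example.test"]},
        {"event_id": "e2", "event_type": "web-activity",
         "raw_log_time": "2024-05-20T10:02:00Z",
         "indicators": ["http://files.example.test/x.zip", "files.example.test"]},
    ],
}
USER_SESSION_HISTORY = [   # risk score and triggered rules for each of the user's sessions
    {"session_id": "sess-0900", "start": NOW - timedelta(days=20), "risk_score": 12, "rules": ["R9"]},
    {"session_id": "sess-0990", "start": NOW - timedelta(days=3), "risk_score": 45, "rules": ["R1"]},
    {"session_id": "sess-1001", "start": NOW, "risk_score": 97, "rules": ["R1", "R2"]},
]
CASE_MANAGER_INCIDENTS = [
    {"id": "INC-7", "created": NOW - timedelta(days=30), "entities": ["jdoe"]},
    {"id": "INC-8", "created": NOW - timedelta(days=5), "entities": ["jdoe", "host-22"]},
    {"id": "INC-9", "created": NOW - timedelta(days=1), "entities": ["asmith"]},
]

_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def get_rule_labels(session):
    """Unique MITRE ATT&CK tactic/technique tags across all triggered rules."""
    return sorted({tag for r in session["triggered_rules"] for tag in r["mitre"]})


def get_triggered_rules(session):
    """Rule id, description, category and model name for every triggered rule."""
    keys = ("rule_id", "description", "category", "model")
    return [{k: r[k] for k in keys} for r in session["triggered_rules"]]


def classify_artifact(value):
    """Map a raw indicator string to the artifact type it should be stored as."""
    try:
        ipaddress.ip_address(value)          # handles IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if value.lower().startswith(("http://", "https://")):
        return "url"
    if _EMAIL.match(value):
        return "email"
    if _DOMAIN.match(value):
        return "domain"
    return None                              # unknown indicators are not added


def get_event_info(session):
    """Event type, id and raw log time per event, plus its typed artifacts."""
    out = []
    for ev in session["events"]:
        typed = [(classify_artifact(v), v) for v in ev["indicators"]]
        out.append({"event_id": ev["event_id"], "event_type": ev["event_type"],
                    "raw_log_time": ev["raw_log_time"],
                    "artifacts": [t for t in typed if t[0] is not None]})
    return out


def within_lookback(ts, now=NOW):
    return now - LOOKBACK <= ts <= now


def get_risk_history(history, now=NOW):
    """Risk score per session and the union of rules, limited to the 14-day window."""
    recent = [s for s in history if within_lookback(s["start"], now)]
    scores = {s["session_id"]: s["risk_score"] for s in recent}
    return scores, sorted({r for s in recent for r in s["rules"]})


def search_incidents_with_ioc(incidents, ioc, now=NOW):
    """Ids of incidents that already involve the same user/asset within 14 days."""
    return [i["id"] for i in incidents
            if ioc in i["entities"] and within_lookback(i["created"], now)]


def enrich_incident(incident, session, history, incidents, now=NOW):
    """Run every step and write results into a copy of the incident."""
    enriched = dict(incident)
    enriched["mitre_tags"] = get_rule_labels(session)
    enriched["triggered_rules"] = get_triggered_rules(session)
    enriched["events"] = get_event_info(session)
    # de-duplicate artifacts and entities before attaching them to the incident
    enriched["artifacts"] = sorted({a for e in enriched["events"] for a in e["artifacts"]})
    enriched["entities"] = sorted(set(incident.get("entities", [])) | {session["subject"]})
    enriched["subject_risk_scores"], enriched["subject_rules_14d"] = get_risk_history(history, now)
    enriched["related_incidents"] = [i for i in search_incidents_with_ioc(incidents, session["subject"], now)
                                     if i != incident.get("id")]
    return enriched


if __name__ == "__main__":
    import json
    result = enrich_incident({"id": "INC-10", "type": "Behavior Analytics"},
                             NOTABLE_SESSION, USER_SESSION_HISTORY, CASE_MANAGER_INCIDENTS)
    print(json.dumps(result, indent=2, default=str))
```

The lookback is applied with the same `within_lookback` helper to both the session history and the related-incident search, so the two "past 14 days" views stay consistent; indicators that match no known artifact type are dropped rather than stored as untyped strings.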