The Incidents Over Time histogram lets you view the number of incidents that occurred over a set period of time. Hover your mouse over a data point in the histogram to see the number of incidents that occurred on that day. The count is based on the initial creation date of each incident, not on the date the incident was last updated.
To change the histogram time frame, under Incidents Over Time, select a pre-set time range (7d, 1m, 3m, All).
Hover over data points in the histogram to reveal how many incidents were detected on that date.
Tip: Check specific days and the times that convictions occur. If malicious activity is detected at very regular intervals, it is possible that malware is responsible for the downloads or server communications. If malicious activities happen at irregular intervals during normal workdays, it is more likely that humans are the cause.
The following are the tasks that you can perform in the Incident table:
To apply filters
Click Show Filters to reveal the available filters. Select the filters that you want to use. Unselect the filters that you want removed. Click Hide Filters to hide the filters view.
The available filters are as follows:
The date that the incident was most recently updated.
ATP's assessment of the severity level of the incident.
The number of endpoints that the incident affects.
Whether the incident is opened or closed.
Whether ATP deems the incident to be a suspected security breach.
If the Yes filter is selected, all of the incidents that are associated with a suspected breach appear. These incidents can include any of the following types of incident rules: Targeted Attack Incident, Targeted Email Attack Incident, Targeted Attack Analytics Incident, or Dynamic Adversary Intelligence-related incidents.
To perform a search
In the search box under the histogram, type your search criteria in the following format:
ATP supports the following search criteria:
For example, to search for incident 100004, you would type:
ATP Manager auto-discovers the search criteria as you begin to type. Click on a matching criterion to populate the search field.
To go to the Incident details page
You can view the events that make up the incident and take remediation from the Incident details page.
Click on the ID for the incident that you want to learn more about.
To export incidents
You can export search results in .csv format and view reports on the Reports > Exports Report page or obtain a copy by email. The report contains the same columns that appear in ATP Manager and duplicates the ATP Manager column sorting.
Click the drop-down arrow to the far right on the Incident Manager table header, and click Export.
Type a name for your report.
In the confirmation dialog box, click Ok.
Access the exported report on the Reports > Exports Report page.
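The histogram tip above (regular intervals suggest automated malware activity, irregular activity during working hours suggests a human) and the .csv export described in this section can be combined into a simple offline check. The following Python script is an added example, not part of ATP Manager or its documentation: it parses a constructed sample export, rebuilds the per-day incident counts that the histogram shows, and, per incident rule, scores how regular the spacing between incidents is and what share of them fall inside working hours. The column names in the sample (ID, Rule, Created, Priority, Affected Endpoints, Status) are an assumption for this example; the real export carries whatever columns are displayed in ATP Manager, and the Created timestamp is assumed to be in UTC.

```python
import csv
import io
import statistics
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of an incident export. Column names are an assumption
# for this example, not the product's actual export layout. Times are UTC.
# 2023-03-01 is a Wednesday, so all rows fall on normal workdays.
SAMPLE_EXPORT = """\
ID,Rule,Created,Priority,Affected Endpoints,Status
100001,Repeated external IP activity,2023-03-01T02:00:00Z,High,3,Open
100002,Repeated external IP activity,2023-03-01T08:00:00Z,High,3,Open
100003,Repeated external IP activity,2023-03-01T14:00:00Z,High,4,Open
100004,Repeated external IP activity,2023-03-01T20:00:00Z,High,4,Open
100005,Repeated external IP activity,2023-03-02T02:00:00Z,High,5,Open
100006,Same file on multiple endpoints,2023-03-01T09:13:00Z,Medium,2,Closed
100007,Same file on multiple endpoints,2023-03-01T11:47:00Z,Medium,2,Open
100008,Same file on multiple endpoints,2023-03-02T15:02:00Z,Low,1,Closed
100009,Same file on multiple endpoints,2023-03-03T10:30:00Z,Low,1,Open
"""


def parse_export(text):
    """Parse the CSV text into a list of dicts with typed Created/Affected Endpoints."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        created = datetime.strptime(row["Created"], "%Y-%m-%dT%H:%M:%SZ")
        row["Created"] = created.replace(tzinfo=timezone.utc)
        row["Affected Endpoints"] = int(row["Affected Endpoints"])
        rows.append(row)
    return rows


def incidents_per_day(rows):
    """Per-day incident counts keyed by ISO date, like the histogram's data points."""
    return Counter(r["Created"].date().isoformat() for r in rows)


def cadence_score(rows, rule):
    """Coefficient of variation of the gaps between incidents for one rule.

    Near 0 means the incidents are spaced almost perfectly evenly (machine-like);
    larger values mean irregular timing. Returns None with fewer than 3 incidents.
    """
    times = sorted(r["Created"] for r in rows if r["Rule"] == rule)
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return 0.0
    return statistics.pstdev(gaps) / mean


def business_hours_share(rows, rule, start_hour=8, end_hour=18):
    """Fraction of a rule's incidents created Mon-Fri between start_hour and end_hour UTC."""
    times = [r["Created"] for r in rows if r["Rule"] == rule]
    if not times:
        return None
    in_hours = sum(1 for t in times if t.weekday() < 5 and start_hour <= t.hour < end_hour)
    return in_hours / len(times)


def regular_cadence_rules(rows, threshold=0.2):
    """Rules whose incidents arrive at a near-constant interval (candidates for automation)."""
    flagged = []
    for rule in sorted({r["Rule"] for r in rows}):
        score = cadence_score(rows, rule)
        if score is not None and score <= threshold:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    incidents = parse_export(SAMPLE_EXPORT)
    for day, count in sorted(incidents_per_day(incidents).items()):
        print(f"{day}: {count} incident(s)")
    for rule in sorted({r["Rule"] for r in incidents}):
        print(f"{rule}: cadence={cadence_score(incidents, rule):.2f} "
              f"business_hours={business_hours_share(incidents, rule):.2f}")
    print("regular cadence:", regular_cadence_rules(incidents))
```

In the sample, the "Repeated external IP activity" incidents arrive exactly six hours apart around the clock (cadence 0.0, only 40% inside working hours), which is the pattern the tip associates with automated activity, while the "Same file on multiple endpoints" incidents are irregular and all inside working hours. Treat the score as a prompt to look at the incident details, not as a verdict; a low-volume rule or a rule fed by a scheduled scan can also produce evenly spaced incidents.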
You can configure ATP Manager to show only the columns that you want to see.
Click the drop-down arrow to the far right on the Incident Manager table header, and click Customize Columns.
Select the columns that you want to appear by sliding the radio button to the right (green). Slide the radio option to the left (gray) to hide columns.
To sort columns
Hover over the column heading that you want to sort.
An arrow appears to the right of the heading.
Click the arrow to sort the column.
The up arrow indicates the column's contents are sorted in descending order. The down arrow indicates the column's contents are sorted in ascending order.
To add comments about an incident
For the incident in which you want to make a comment, click on the Comments field.
You may need to scroll to the right side of the screen if the Comments field doesn't appear.
Type your comment in the New Comment box.
Extended ASCII characters do not render properly in .csv format.
Click Add Comments.
The Incident Manager table provides the following information:
A unique number that is assigned to the incident.
The reason that the collection of events is considered an incident.
For example, ATP may report a new incident because there are repeated events from the same external IP address. It may report a new incident because there are repeated detections for the same internal IP address. Or it may report a new incident because multiple endpoints downloaded the same malicious file.
The date and time (in UTC) that the latest event occurred for this incident.
The priority of the incident is determined based on Symantec's analysis of the severity of the incident.
The priority can be one of the following:
High - ATP detected a threat that Symantec classifies as malicious with high confidence. The threat was not blocked, possibly because the device operates in Tap mode. High priority incidents can result in outages, loss of data, or have a severe effect on the organization, and need an immediate response.
Medium - The appliance detected a low-risk threat, such as unblocked adware. Medium priority incidents may have an effect on the organization and the system in question.
Low - The incident is not deemed to be a serious threat at this time. Low-priority incidents do not affect critical business operations. Systems can continue to function as normal.
Shows the number of endpoints that are affected for the incident.
The field shows the current status of the incident:
Open - The incident is deemed to be a threat and has not been remediated.
Closed - The incident is remediated or deemed not to be a threat and has been closed.
Tip: If you have returned to this page after having just closed an incident on the Incident Details page, you might have to refresh your browser for the incident to appear as closed.
Shows the most recent comment that was made about the incident. Click on the comment to see the history of all of the comments that were made for the incident and to add a new comment.
Indicates the network scanner that detected the incident.
Indicates whether ATP determined that this incident is part of a targeted attack.