The Incident Details Report contains the latest information about a specific incident, its detection history, related events, and user-generated comments. This report is similar to the information that appears on the Symantec Endpoint Detection and Response Incident Details page.
The Incident Details Report is available in PDF format. You can run the report on demand, or you can create a schedule to run it at regular intervals. When you run or schedule the report, you can specify recipients to whom you want it emailed. Users can also download the report.
The following tables describe the information that you'll find in each section of the Incident Details Report.
The incident number followed by a brief description.
You can click the incident number to navigate to the Incident Details page in the Symantec EDR console.
Symantec EDR's recommendation on how to remediate this incident.
The assigned priority based on Symantec EDR's evaluation of the incident's severity:
High - Classified as malicious with high confidence, which can result in outages and loss of data. These incidents need to be responded to immediately.
Medium - Classified as low-risk, such as unblocked adware. These incidents may have an impact on your organization and the infected endpoint(s).
Low - Classified as not serious at this time. These incidents do not affect critical business operations, and the affected endpoint(s) can function as normal.
Whether Symantec EDR deems the incident to be a suspected security breach. These incidents can include any of the following types of incident rules: Targeted Attack Incident, Targeted Email Attack Incident, Targeted Attack Analytics Incident, or Dynamic Adversary Intelligence-related incidents.
The number of endpoints in your environment that this incident affects.
The Symantec EDR scanner that detected this incident.
If multiple scanners detected the incident, the number of scanners appears.
If the incident was generated from a threat that an EDR: Roaming event detected, Roaming appears.