
Task 01: Incident triage and assignment


Security Architecture Team

  1. In the Defender XDR portal’s leftmost pane, go to Investigation & response > Incidents & alerts > Incidents.

  2. At the top of the table, select Reset all to clear any filters.


  3. Select any empty space in the row for ‘EICAR_Test_File’ malware was prevented (not the title text itself, which opens the full incident page instead).

    This will open a flyout pane.

  4. At the top of the flyout pane, select Manage incident.

  5. Update the following details:

    Item             Value
    Severity         High
    Incident tags    Malware (Create new)
    Assign to        analyst1@@lab.Variable(userDomain)
    Classification   True positive - Malware
    Status           Resolved
  6. In the text box below Resolved, enter:

     Incident automatically resolved. Worth having a look at it. Eng for containment support
    
  7. Select Save.

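
The same triage can be done without the portal. The script below is an added example, not part of the lab, and applies the Manage incident values from the table above through the Microsoft Graph security API, then reads the incident back to confirm the write landed. It assumes the Microsoft Graph PowerShell SDK is installed, the signed-in account holds the SecurityIncident.ReadWrite.All delegated permission, and that you replace the placeholder $analystUpn with the lab's real analyst1 UPN; the severity field on PATCH is an assumption about the current API and can be dropped if the request is rejected.

```powershell
# Added example (not the lab's own code): triage the EICAR incident through Microsoft Graph.
# Assumptions: Microsoft Graph PowerShell SDK installed; SecurityIncident.ReadWrite.All granted;
# $analystUpn replaced with the lab's analyst1 UPN.
Connect-MgGraph -Scopes 'SecurityIncident.ReadWrite.All' -NoWelcome

$base       = 'https://graph.microsoft.com/v1.0/security'
$analystUpn = 'analyst1@contoso.com'   # placeholder: substitute the lab's user domain

# 1. Find the incident by title instead of hard-coding an incident ID. The portal title
#    contains curly quotes, so match on the stable substring with -like. Only the first
#    100 incidents are scanned; raise $top or page with @odata.nextLink in a busy tenant.
$incident = (Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "$base/incidents?`$top=100").value |
    Where-Object { $_.displayName -like '*EICAR_Test_File*' } |
    Sort-Object createdDateTime -Descending |
    Select-Object -First 1
if (-not $incident) { throw 'No EICAR_Test_File incident found in the first 100 incidents.' }
"Incident $($incident.id): $($incident.displayName) (status=$($incident.status))"

# 2. Same fields as the Manage incident flyout. The portal's single choice
#    "True positive - Malware" is two properties in the API: classification and determination.
$update = @{
    severity       = 'high'          # assumption: severity is accepted on PATCH by the current API
    customTags     = @('Malware')    # Incident tags
    assignedTo     = $analystUpn     # Assign to
    classification = 'truePositive'  # Classification
    determination  = 'malware'
    status         = 'resolved'      # Status
}
Invoke-MgGraphRequest -Method PATCH -Uri "$base/incidents/$($incident.id)" `
    -Body $update -ContentType 'application/json' | Out-Null

# 3. The resolution note from step 6 becomes an incident comment.
$comment = @{
    '@odata.type' = 'microsoft.graph.security.alertComment'
    comment       = 'Incident automatically resolved. Worth having a look at it. Eng for containment support'
}
Invoke-MgGraphRequest -Method POST -Uri "$base/incidents/$($incident.id)/comments" `
    -Body $comment -ContentType 'application/json' | Out-Null

# 4. Read the incident back and fail loudly if any field did not change. A PATCH that
#    returns 2xx but is silently ignored leaves a live incident looking resolved in the queue.
$after    = Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri "$base/incidents/$($incident.id)"
$expected = @{
    status         = 'resolved'
    classification = 'truePositive'
    determination  = 'malware'
    assignedTo     = $analystUpn
}
foreach ($field in $expected.Keys) {
    if ($after.$field -ne $expected[$field]) {
        throw "Field '$field' is '$($after.$field)', expected '$($expected[$field])'"
    }
}
if ($after.customTags -notcontains 'Malware') { throw "Tag 'Malware' missing after update" }
"Incident $($after.id) updated and verified."
```

Run it with the lab's analyst1 UPN in place of the placeholder. The read-back in step 4 is the part worth keeping in any automation: the portal shows you the saved values on the flyout, but a script only knows the update applied if it checks.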


Security Engineering and Administration

  1. In the Defender XDR portal’s leftmost pane, go to Investigation & response > Incidents & alerts > Incidents.

  2. At the top of the table, select Reset all to clear any filters.


  3. In the table, select the text for ‘EICAR_Test_File’ malware was prevented.


    This will open its incident page and display the Attack story.

  4. Review impacted assets, entities, and all active alerts related to the incident.

  5. Select the Evidence and Response tab to review remediation evidence.

  6. In the upper-right corner of the page, you can select Tasks to add a task for the SOC Analyst to perform additional investigation.



SOC Analyst

  1. In the Defender XDR portal’s leftmost pane, go to Investigation & response > Incidents & alerts > Incidents.

  2. At the top of the table, select Reset all to clear any filters.


  3. In the table, select the text for ‘EICAR_Test_File’ malware was prevented.


    This will open its incident page and display the Attack story.

  4. Near the top of the page, select the Summary tab.

    Depending on window size, you may need to select the ellipsis to see the option.


  5. Under the Alerts tile, select View alerts.


  6. In the flyout pane, select the name of the alert.


    This will open a new page.

  7. In the rightmost pane, select the Recommendations tab and review the contents.


  8. Near the upper-left corner of the page, select View incident page to go back.

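
The Security Engineering and Administration steps (impacted assets, alerts, Evidence and Response) and the SOC Analyst steps (alert list, Recommendations tab) read the same objects. The script below is an added example, not part of the lab, that pulls them through Microsoft Graph and adds the check a reviewer actually wants: it walks every evidence item on every alert of the incident and lists any malicious item whose remediation status is not prevented, blocked, or remediated, rather than trusting the alert title's "was prevented". It assumes the Microsoft Graph PowerShell SDK and the SecurityIncident.Read.All and SecurityAlert.Read.All delegated permissions.

```powershell
# Added example (not the lab's own code): review the EICAR incident's alerts, evidence and
# recommended actions via Microsoft Graph, and flag malicious evidence that was not contained.
# Assumptions: Microsoft Graph PowerShell SDK installed; SecurityIncident.Read.All and
# SecurityAlert.Read.All granted to the signed-in account.
Connect-MgGraph -Scopes 'SecurityIncident.Read.All','SecurityAlert.Read.All' -NoWelcome
$base = 'https://graph.microsoft.com/v1.0/security'

# Locate the incident by title (the title contains curly quotes, so match the stable substring).
$incident = (Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "$base/incidents?`$top=100").value |
    Where-Object { $_.displayName -like '*EICAR_Test_File*' } |
    Sort-Object createdDateTime -Descending | Select-Object -First 1
if (-not $incident) { throw 'No EICAR_Test_File incident found in the first 100 incidents.' }

# $expand=alerts returns the incident's alerts inline; each alert carries its evidence list,
# which is what the Evidence and Response tab renders.
$full = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "$base/incidents/$($incident.id)?`$expand=alerts"
"Incident $($full.id): $($full.displayName) severity=$($full.severity) status=$($full.status)"

$notContained = @()
foreach ($alert in $full.alerts) {
    ''
    "Alert: $($alert.title) [$($alert.severity)] status=$($alert.status) source=$($alert.serviceSource)"
    foreach ($e in $alert.evidence) {
        # Evidence is polymorphic; @odata.type says which subtype (file, device, user, process...) this is.
        $kind = ($e.'@odata.type' -split '\.')[-1]
        $name = switch ($kind) {
            'fileEvidence'    { $e.fileDetails.fileName }
            'deviceEvidence'  { $e.deviceDnsName }
            'userEvidence'    { $e.userAccount.accountName }
            'processEvidence' { $e.imageFile.fileName }
            default           { '' }
        }
        '  {0,-16} {1,-32} verdict={2} remediation={3}' -f $kind, $name, $e.verdict, $e.remediationStatus

        # Check containment per item: a malicious verdict that is not prevented, blocked or
        # remediated is the thing to hand to the SOC Analyst as a task.
        if ($e.verdict -eq 'malicious' -and
            $e.remediationStatus -notin @('prevented', 'blocked', 'remediated')) {
            $notContained += "$kind $name ($($e.remediationStatus))"
        }
    }
    # The Recommendations tab on the alert page is the alert's recommendedActions text.
    if ($alert.recommendedActions) {
        '  Recommended actions:'
        $alert.recommendedActions -split "`n" | ForEach-Object { "    $_" }
    }
}

''
if ($notContained.Count -gt 0) {
    Write-Warning ("Malicious evidence not contained:`n" + ($notContained -join "`n"))
} else {
    'All malicious evidence is prevented, blocked, or remediated.'
}
```

For the lab incident the file evidence should come back with a malicious verdict and a prevented remediation status, which is the API view of the "was prevented" in the alert title; the warning branch is the case you want to catch when the same check runs against a real detection.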