
How to Master XDR Incident Management & Threat Remediation?

Hexnode XDR (Extended Detection and Response) is a security architecture that integrates threat detection across all managed endpoints. It centralizes security events into the Incidents tab, allowing administrators to transition from detection to remediation within a single console.

1. Threats vs. Alerts: The Fundamental Distinction

| Feature       | Threats                                               | Alerts                                         |
| ------------- | ----------------------------------------------------- | ---------------------------------------------- |
| Logic         | Heuristic/behavioral detection of malicious patterns. | Rule-based triggers defined in Alert Profiles. |
| Actionability | Requires active investigation and remediation.        | Primarily informational/compliance-based.      |
| Risk Level    | Classified by Severity (Low to Critical).             | Classified by Event Type.                      |

2. Managing Incidents (Assignee & Workflow)

Located via the Gear Icon in the top-right of the threat detailed view, the Manage Incidents panel is the hub for team collaboration.

  • Assignee: A dropdown menu listing all technicians with XDR permissions. Selecting a name delegates the responsibility for that specific incident.
  • Status Lifecycle:
    • Open: Default state upon detection.
    • In Progress: The assigned technician is actively investigating.
    • Closed: The threat has been neutralized or resolved.
  • Verdict: Admins or Assignees must classify the incident as a True Positive (actual threat) or False Positive (benign activity).
  • Audit Trail (Activity & Comments):
    • The Activity Tab logs every status change and assignee modification, visible to all technicians for transparency.
    • The Comments Tab allows any technician with access to leave contextual notes (e.g., “Hash verified via VirusTotal”).
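The assignee, status lifecycle, verdict and audit trail described above, modelled as a small Python workflow. This is an added example, not Hexnode's code: the permission name "Manage XDR" is taken from the FAQ on this page, while the set of legal status moves (and the decision that a Closed incident is not reopened) is an assumption, since the page lists the states but not the transitions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Status lifecycle from the page: Open -> In Progress -> Closed.
# Which moves are legal is an assumption (the page lists states only).
ALLOWED_TRANSITIONS: Dict[str, Set[str]] = {
    "Open": {"In Progress", "Closed"},
    "In Progress": {"Open", "Closed"},
    "Closed": set(),  # assumption: a closed incident is not reopened here
}
VERDICTS = {"True Positive", "False Positive"}
REQUIRED_PERMISSION = "Manage XDR"  # permission name taken from the FAQ


@dataclass
class Technician:
    name: str
    permissions: Set[str]


@dataclass
class Incident:
    incident_id: str
    severity: str
    status: str = "Open"  # default state upon detection
    assignee: Optional[str] = None
    verdict: Optional[str] = None
    activity: List[Dict[str, str]] = field(default_factory=list)  # Activity tab
    comments: List[Dict[str, str]] = field(default_factory=list)  # Comments tab


def _require_permission(tech: Technician) -> None:
    if REQUIRED_PERMISSION not in tech.permissions:
        raise PermissionError(f"{tech.name} lacks {REQUIRED_PERMISSION!r}")


def _log(incident: Incident, actor: str, message: str) -> None:
    """Append an audit entry; every status/assignee change lands here."""
    incident.activity.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "message": message,
    })


def assign(incident: Incident, actor: Technician, assignee: Technician) -> None:
    """Delegate the incident; the assignee must also hold XDR permissions."""
    _require_permission(actor)
    _require_permission(assignee)
    previous = incident.assignee
    incident.assignee = assignee.name
    _log(incident, actor.name, f"assignee {previous!r} -> {assignee.name!r}")


def set_status(incident: Incident, actor: Technician, new_status: str) -> None:
    """Move the incident through the lifecycle, rejecting illegal transitions."""
    _require_permission(actor)
    if new_status not in ALLOWED_TRANSITIONS.get(incident.status, set()):
        raise ValueError(f"cannot move {incident.status!r} -> {new_status!r}")
    previous = incident.status
    incident.status = new_status
    _log(incident, actor.name, f"status {previous!r} -> {new_status!r}")


def set_verdict(incident: Incident, actor: Technician, verdict: str) -> None:
    """Classify the incident as True Positive or False Positive."""
    _require_permission(actor)
    if verdict not in VERDICTS:
        raise ValueError(f"unknown verdict {verdict!r}")
    incident.verdict = verdict
    _log(incident, actor.name, f"verdict set to {verdict!r}")


def add_comment(incident: Incident, actor: Technician, text: str) -> None:
    """Leave a contextual note, e.g. 'Hash verified via VirusTotal'."""
    _require_permission(actor)
    incident.comments.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "author": actor.name,
        "text": text,
    })


if __name__ == "__main__":
    alice = Technician("alice", {REQUIRED_PERMISSION})
    inc = Incident("INC-0001", "High")  # constructed incident id
    assign(inc, alice, alice)
    set_status(inc, alice, "In Progress")
    add_comment(inc, alice, "Hash verified via VirusTotal")
    set_verdict(inc, alice, "True Positive")
    set_status(inc, alice, "Closed")
    for entry in inc.activity:
        print(entry["time"], entry["actor"], entry["message"])
```

Every mutating call goes through the permission check and writes to the activity list, so the audit trail cannot drift from the incident's actual state; a technician without the permission gets a PermissionError rather than a silent no-op.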

3. Threat Intelligence & Metadata

When a threat is selected, Hexnode XDR populates specific Entities. These fields are used in the Search Bar to filter the incident database.

Static Threat Metadata

These sections provide the “Who” and “Where” of an incident:

  • User Information: Displays the local Username and the User SID (Security Identifier) active during the event.
  • Endpoint Data: Includes the Host Name, Agent Version, and network identifiers (Local & External IP).
  • Threat Summary: Maps the activity to specific MITRE ATT&CK tactics.

Technical Data Fields

Command Line: The exact command string, including arguments, used to launch the process. Technicians use it to identify the “entry vector” of the malware.

File Hash (SHA-256): The unique fingerprint of the source file. This can be cross-referenced with external databases like VirusTotal.
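The entity fields of this section, as an added Python example that is not part of the Hexnode product: it fingerprints a captured file with SHA-256, filters a constructed incident list with `key:value` search terms, and checks the hash against a constructed set that stands in for an external reputation lookup such as VirusTotal. The field names, the incident records and the sample bytes are all assumptions made for the example; the `parse_query` syntax is an assumption about how search terms might be written, not the console's real query language.

```python
import hashlib
from typing import Dict, List

# Constructed sample bytes standing in for a file captured from the endpoint.
SAMPLE_FILE = b"MZ\x90\x00 constructed sample, not a real executable"


def sha256_hex(data: bytes) -> str:
    """The fingerprint shown in the File Hash (SHA-256) field."""
    return hashlib.sha256(data).hexdigest()


# Constructed incident records; keys mirror the entities the page lists
# (Username, User SID, Host Name, Agent Version, IPs, Command Line, hash).
INCIDENTS: List[Dict[str, str]] = [
    {
        "id": "INC-1001", "severity": "High",
        "username": "jdoe", "sid": "S-1-5-21-1111-2222-3333-1001",
        "hostname": "WS-01", "agent_version": "2.4.1",
        "local_ip": "10.0.0.5", "external_ip": "203.0.113.10",
        "command_line": r"C:\Users\jdoe\Downloads\invoice.exe /silent",
        "sha256": sha256_hex(SAMPLE_FILE),
    },
    {
        "id": "INC-1002", "severity": "Low",
        "username": "asmith", "sid": "S-1-5-21-1111-2222-3333-1002",
        "hostname": "WS-02", "agent_version": "2.4.1",
        "local_ip": "10.0.0.9", "external_ip": "203.0.113.10",
        "command_line": r"C:\Windows\System32\notepad.exe C:\temp\notes.txt",
        "sha256": sha256_hex(b"constructed benign file"),
    },
]

# Constructed stand-in for an external reputation service (e.g. VirusTotal).
KNOWN_BAD_HASHES = {sha256_hex(SAMPLE_FILE)}


def parse_query(query: str) -> Dict[str, str]:
    """Turn 'hostname:WS-01 username:jdoe' into {'hostname': 'WS-01', ...}."""
    terms: Dict[str, str] = {}
    for token in query.split():
        key, sep, value = token.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"bad search term {token!r}, expected key:value")
        terms[key.lower()] = value
    return terms


def search(incidents: List[Dict[str, str]], query: str) -> List[Dict[str, str]]:
    """Return incidents matching every key:value term (case-insensitive)."""
    terms = parse_query(query)
    return [
        inc for inc in incidents
        if all(str(inc.get(key, "")).lower() == value.lower()
               for key, value in terms.items())
    ]


def lookup_by_file(incidents: List[Dict[str, str]], data: bytes) -> List[Dict[str, str]]:
    """Hash a captured file and find incidents that share its fingerprint."""
    return search(incidents, f"sha256:{sha256_hex(data)}")


def is_known_bad(hash_hex: str) -> bool:
    """Cross-reference a hash against the (constructed) reputation set."""
    return hash_hex.lower() in KNOWN_BAD_HASHES


if __name__ == "__main__":
    digest = sha256_hex(SAMPLE_FILE)
    print("sample file hash:", digest, "known bad:", is_known_bad(digest))
    for inc in search(INCIDENTS, "external_ip:203.0.113.10"):
        print(inc["id"], inc["hostname"], inc["username"])
```

The search compares whole values, so a hash, SID or hostname must match exactly; values containing spaces (a full command line) would need a quoting-aware tokenizer, which this example deliberately leaves out.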

4. Visual Process Analysis (The Process Tree)

The Process Tab provides a dynamic visual breakdown of the threat lifecycle. Unlike static tables, this represents the Parent-Child relationships of execution.

  • Process Nodes: Each node represents an execution event.
  • The ‘+’ Icon: Indicates a “Parent” process that has spawned “Child” processes.
  • Scope: The tree visualizes all processes directly related to the detected threat lifecycle, not every unrelated background process on the device.

Node Interactions:

  • Kill Process: Terminates only the selected node.
  • Kill Process Tree: Terminates the selected node and every child process it spawned.
  • Delete Process Root: Permanently deletes the executable file that initiated the process.
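The parent-child tree, its scoping to the threat's own chain of execution, and the difference between Kill Process and Kill Process Tree, as an added Python example (not Hexnode's implementation). The process events are constructed; pids, images and the idea of a threat rooted at `invoice.exe` are assumptions for the illustration. It goes slightly beyond the text in one respect: the traversal guards against pid loops, which real telemetry can contain when pids are reused.

```python
from collections import defaultdict, deque
from typing import Dict, List, Set

# Constructed process events (pid, parent pid, image). Not real telemetry.
EVENTS = [
    {"pid": 4,   "ppid": 0,   "image": "System"},
    {"pid": 400, "ppid": 4,   "image": "explorer.exe"},
    {"pid": 500, "ppid": 400, "image": "invoice.exe"},   # the detected threat
    {"pid": 510, "ppid": 500, "image": "cmd.exe"},
    {"pid": 520, "ppid": 510, "image": "ping.exe"},
    {"pid": 530, "ppid": 500, "image": "notepad.exe"},
    {"pid": 600, "ppid": 400, "image": "chrome.exe"},    # unrelated sibling
]


class ProcessIndex:
    """Parent/child index built from execution events."""

    def __init__(self, events: List[Dict]):
        self.by_pid: Dict[int, Dict] = {e["pid"]: e for e in events}
        self.children: Dict[int, List[int]] = defaultdict(list)
        for e in events:
            self.children[e["ppid"]].append(e["pid"])

    def ancestry(self, pid: int) -> List[int]:
        """Chain from the root ancestor down to pid; stops on a pid loop."""
        chain: List[int] = []
        seen: Set[int] = set()
        while pid in self.by_pid and pid not in seen:
            seen.add(pid)
            chain.append(pid)
            pid = self.by_pid[pid]["ppid"]
        return list(reversed(chain))

    def descendants(self, pid: int) -> Set[int]:
        """Every process spawned, directly or transitively, by pid."""
        found: Set[int] = set()
        queue = deque(self.children.get(pid, []))
        while queue:
            child = queue.popleft()
            if child in found:
                continue
            found.add(child)
            queue.extend(self.children.get(child, []))
        return found

    def scope(self, threat_pid: int) -> Set[int]:
        """Process-tab view: the chain that led to the threat plus what it spawned,
        never unrelated background processes."""
        return set(self.ancestry(threat_pid)) | self.descendants(threat_pid)

    def render(self, threat_pid: int) -> str:
        """ASCII tree of the scoped processes; '+' marks a parent with children."""
        chain = self.ancestry(threat_pid)
        if not chain:
            raise KeyError(f"unknown pid {threat_pid}")
        in_scope = self.scope(threat_pid)
        lines: List[str] = []

        def walk(pid: int, depth: int) -> None:
            kids = [c for c in self.children.get(pid, []) if c in in_scope]
            marker = "+" if kids else " "
            lines.append(f"{'  ' * depth}{marker} {self.by_pid[pid]['image']} ({pid})")
            for c in kids:
                walk(c, depth + 1)

        walk(chain[0], 0)
        return "\n".join(lines)


def kill_process(index: ProcessIndex, pid: int) -> Set[int]:
    """Kill Process: terminates only the selected node."""
    return {pid}


def kill_process_tree(index: ProcessIndex, pid: int) -> Set[int]:
    """Kill Process Tree: the selected node and every child it spawned."""
    return {pid} | index.descendants(pid)


if __name__ == "__main__":
    idx = ProcessIndex(EVENTS)
    print(idx.render(500))
    print("kill process 510 ->", sorted(kill_process(idx, 510)))
    print("kill tree 510    ->", sorted(kill_process_tree(idx, 510)))
```

The two kill functions return the pid set an action would terminate rather than signalling anything, which is the part worth checking before acting: killing `cmd.exe` alone leaves its `ping.exe` child running, while the tree action takes both.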

5. Remediation Actions

Admins can execute response actions directly from the Overview or Process tabs.

  1. File Quarantine: Moves the malicious file to a restricted, encrypted folder on the endpoint. The file becomes inaccessible to the OS and the user.
  2. Endpoint Isolation: Disconnects the target device from all networks except for its connection to the Hexnode XDR console.
  3. Remote Access Console: Opens a live terminal to the host device, allowing for manual command-line troubleshooting.
  4. Data Export: Allows admins to download threat logs as JSON or CSV files to the Administrator’s local machine for external reporting.

6. Frequently Asked Questions (FAQ)

Q: What is the difference between a “Threat Category” and a “Threat Type”?

A: “Category” refers to the broad classification (e.g., Ransomware, Trojan), while “Type” or “Summary” provides the specific behavior detected (e.g., “Unauthorized File Encryption”).

Q: Can any technician change the Status of an incident?

A: Any technician with “Manage XDR” permissions can update the status, though it is standard protocol for the Assignee to handle these transitions.

Q: Does “Export to CSV” save the file to the infected endpoint?

A: No. All export actions download the data directly to the web browser/local machine of the administrator performing the action.

Q: What happens if a quarantined file is Restored?

A: The file is moved from the secure quarantine area back to its original directory and its original permissions are restored.

Q: Is the Process Tree a list of all processes running on the machine?

A: No. It is a filtered view showing only the chain of execution (Parent and Child) that led to the specific security incident.
