Incident Responder Fundamentals

- Widgets
- Top Rules
- Recent Investigations
- Reported Emails
- Use Cases
- FAQ
- Moving Forward: Investigations

Widgets

In the Incident Responder dashboard four boxes, or widgets, are displayed near the top: Phishing Reporter, Incident Analysis, Investigations, and ROI Summary. These widgets display concise, important metrics about your Incident Responder integration.

Phishing Reporter Widget

This widget provides details on how many users have the suspicious email reporter plugin installed and how many users have been active in the past four minutes. This metric is only available for the Outlook desktop version of the phishing reporter.

By clicking on the shortcut in the upper right corner of the box, you can access the page where the suspicious email notification add-in is installed and observe more detail about the users.

Incident Analysis Widget

The Incident Analysis box shows the total number of incidents that have been reported to the Incident Responder so far, along with the percentage of incidents that have malicious content.

Investigations Widget

Within the Investigations box, you can see the number of automatic investigations launched on the Incident Responder and the number of manual investigations.

By clicking on the shortcut on the upper right corner of the box, you can access the page where the investigations have been started.

ROI Summary Widget

This widget summarizes the performance and evaluates the efficiency and profitability of Incident Responder investment.

In order for this feature to produce accurate results, you need to arrange the time and money details specific to your institution. You can specify these details by clicking the 'Settings' button in the ROI Summary menu in the upper right corner.

Average hours saved per reported email(hours)	You can enter how much time a SOC team member spends time on each reported suspicious email to analyze, investigate, delete, etc.
Average total cost per hour($)	You can enter how much money it costs the company when a SOC team member spends time (hours) on each reported suspicious email to analyze, investigate, delete, etc.,

Here's an example: There is a SOC team who has five members and only one person is dedicated to handling the "analyze, share results with the reporter, investigate, delete phishing email" actions of each email reported by employees.

The person spends approximately one hour on each email and depending on the salary, the person's one hour is equal to 200$ to the company, then set the "average hours = 1 hour" and set the "average total cost = 200$" in the widget settings.

The product will calculate based on this information how much money and time is saved by using the Incident Responder based on the each reported email to the product.

Top Rules

In the Top Rules section, you will see the 5 rules with the most matches from the rules created on the Playbook page are listed.

Recent Investigations

In the Recently Investigations area, you can see the details of the last 5 investigations started. The name, progress of the investigation, and its latest status (Running, Canceled, Finished, Expired) are shown.

Reported Emails

This table contains all emails and analysis statuses reported to the Incident Responder product. This table includes information such as who reported suspicious emails, the status of the email analysis, and other details.

Actions

You can take manual action on suspicious emails reported to the Incident Responder. You can click the buttons under the action and take the appropriate steps you want to perform.

Edit

The incident that was reported to the Incident Responder can be edited. You can add a tag or make notes on the case, as well as amend the analysis result or status of the related case. The table below contains comprehensive information on each field:

Subject	Name of the subject
Reported By	The email address of the user who reported the incident.
Case ID	It is the case number that is created specific to the case.
Analysis Source	Analysis source detail that is automatic or linked to a Playbook rule.
Result	Analysis result of the case.
Status	Analysis status of the case. The status can be open, close, false positive, or in progress.
Tags	This is the area where you can add reminder tag information.
Notes	This is the area where the analyst can write their notes for this case.
Notify Reporting User About This Update	A feature where the notification message can be sent to the person who reported the incident using default templates by default or custom templates by clicking the change button and choosing the custom template.
Add Custom Message	Area where you can add a custom message in the email notification to be sent to the person reported the incident.
Date Created	The report date of the incident.
Last Update	The date of the last update on the incident.

You have the option to see the incident, look over its specifics, begin researching it, and take actions like rescanning the incident for integrations. By selecting the three dots “︙” button next to the Action title, you can execute actions on the related titles below.

Preview Email

By clicking the Preview button, you can visit the page with the image of the reported incident.

Details

By clicking the Details button, you can visit the page with the details of the reported incident.

The information on the reporting page is detailed in the table below:

Details	This is the area where the details of the email are shown. In this field, the analysis date of the email, From, From Name, To, CC, BCC, Sender IP, Analysis Date, the name of the folder where the email is located, the number of attachments and the number of URLs in it and the location of the sender IP address. At the same time, the email server IP address to which the email is sent, blacklist control is performed in analysis services. You can see the results on this screen under the Sender IP Blacklist Check title.
Header	The header information of the email is displayed in this field.
Email Preview	The preview of the email is shown in this area.
URLs	URLs and their analysis results in the email are displayed in this field.
Attachments	The name of the attachment files and their hash information as well as analysis results are displayed in this field.

Investigate

By clicking the Investigation button, you can initiate an investigation to match the criteria of the report.

Re-Analyze

By clicking the Re-analyze button, you can re-analyze the incident using analysis services on integrations.

Cluster View

You can utilize Cluster View to view notifications more clearly when there are too many of them on the Incident Responder screen. By selecting the “⇩” button located in the top right corner of the Reported Emails table, you can take the following actions.

Cluster by Subject

Cases are classified according to their titles and displayed accordingly.

Cluster by Reported by

Incidents are classified by reporters and displayed accordingly.

Use Cases

SOAR Integration

In case the end user reports an email, the relevant email is analyzed by the services with which the Incident Responder product is integrated. If the analysis result appears to be malicious, the institution's SOC team will apply additional measures such as using antivirus, firewall, EDR, proxy etc. to target this malicious email. This manual process will take a lot of time and will delay the intervention to the incident in a timely manner.

If the email reported to the platform is determined to be phishing or malicious after analysis, your current SOAR solution can obtain this detail from the platform via API and automatically perform the necessary actions on your solutions such as EDR, Proxy, and Firewall. In this way, the process will be manageable due to the quick action taken. API usage details are explained in detail in this document.

Frequently Asked Questions

Q. Can I delete incident records from the platform?
A. You can update the status of the incidents as “closed”, but the incident cannot be deleted from the interface.

Q. Are the actions I take in the cluster view applied to all cases in the cluster?
A. Yes, the actions you take in the cluster view are effective in all the cases.

Q. What will happen if the email I reported is detected to be malicious?
A. If the analysis determines the data as malicious or phishing, an automatic investigation is launched, and any suspicious emails detected in other mailboxes are scanned. Additionally, you can also take steps like Investigate and Re-Analyze.

Q. Is the reported email sent to another service?
A. No, the email reported by your users is never sent to any other service.

Q. Does automatic analysis start when the analysis result of the reported email is Phishing, Malicious or Undetected?
A. Automatic analysis starts only when the analysis result is determined to be Phishing and Malicious, and the relevant malicious email is automatically searched throughout the company.

Q. How does the Sandbox analyze my suspicious emails?
A. We analyze suspicious email by header, body and attachments using our third-party analysis engines integrated into our platform. The reported email itself is not forwarded to the integrations. Our platform parses the URL, Attachment and Sender IP and makes the analysis.

Q. Can I integrate the reported emails with my SOAR products by obtaining the details using the API?
A. You can perform almost every operation in the Incident Responder product using API. You can refer to our Rest API document to see the details.

Q. Are the emails sent by users for analysis securely stored on the server?
A. The platform generates a random key that is unique for each customer, then encrypts all reported emails on disk with AES 256 algorithm.

Moving Forward: Investigations

In the next area of the Incident Responder, Investigations, you will learn how to handle Investigations and carry out Incident Response processes. Let's go... ➡️