Incident Responder
This section will help you comprehend and utilize the Incident Responder module's fundamental features.
To access all details described in this section, please click on Incident Responder > Incident Responder.

Widgets

Phishing Reporter Widget

This widget shows how many users have the suspicious email reporter plugin (Outlook Desktop version) installed in total and how many of those users have been active in the past four minutes.
By clicking the shortcut in the upper right corner of the box, you can open the page that lists the users who have the suspicious email notification add-in installed, with their details shown in more depth.

Incident Analysis Widget

The Incident Analysis box shows the total number of incidents that have been reported to the Incident Responder module so far, along with the percentage of incidents that have malicious content.

Investigations Widget

Within the Investigations box, you can see the number of automatic investigations launched on the Incident Responder and the number of manual investigations.

ROI Summary Widget

This widget summarizes performance and evaluates the efficiency and profitability of the Incident Responder investment.
For this feature to produce accurate results, you need to enter the time and cost figures specific to your institution. You can specify these by clicking the 'Settings' button in the ROI Summary menu in the upper right corner. The two settings are:
Average hours saved per reported email: the average time it would take the appropriate teams to resolve each reported case if no Incident Responder solution were in place.
Average total cost per hour: the total hourly cost the appropriate teams would incur resolving each reported case if no Incident Responder solution were in place.

Top Rules

The Top Rules field lists the 5 rules, out of those created on the Playbook page, with the most matches.

Recent Investigations

The Recent Investigations area shows the details of the last 5 investigations started: the name, the progress of the investigation and its latest status (Running, Canceled, Finished, Expired).

Reported Emails

This table lists all emails reported to the Incident Responder module together with their analysis statuses. It includes who reported each suspicious email, the status of its analysis, and other details.

Actions

You can take manual action on suspicious emails reported to the Incident Responder by clicking the buttons in the Action column and choosing the step you want to perform.

Edit

An incident reported to the Incident Responder module can be edited. You can add a tag or make notes on the case, as well as amend the analysis result or status of the related case. The fields are described below.
Subject: the subject line of the reported email.
Reported By: the email address of the user who reported the incident.
Case ID: the case number created for this specific case.
Analysis Source: whether the analysis was automatic or linked to a Playbook rule.
Result: the analysis result of the case.
Status: the analysis status of the case. The status can be open, closed, false positive, or in progress.
Tags: the area where you can add reminder tag information.
Notes: the area where the analyst can write notes for this case.
Notify Reporting User About This Update: the area from which a notification message, based on the default templates, can be sent to the person who reported the incident.
Add Custom Message: the area where you can add a custom message to the email notification sent to the person who reported the incident.
Date Created: the date the incident was reported.
Last Update: the date of the last update to the incident.
You also have the option to view the incident, look over its specifics, start investigating it, and take actions such as rescanning the incident through the integrations. By selecting the “three dots” button next to the Action title, you can execute the actions described under the headings below.

Preview Email

By clicking the Preview button, you can open the page showing an image of the reported email.

Details

By clicking the Details button, you can open the page with the details of the reported incident.
The sections of the details page are described below.
Details: the area where the details of the email are shown: the analysis date of the email, From, From Name, To, CC, BCC, Sender IP, the name of the folder where the email is located, the number of attachments, the number of URLs it contains, and the geographic location of the sender IP address.
The analysis services also run a blacklist check on the IP address of the mail server from which the email was sent; the results are shown on this screen.
Header: the header information of the email is displayed in this field.
Email Preview: the preview of the email is shown in this area.
URLs: the URLs found in the email and their analysis results are displayed in this field.
Attachments: the names of the attached files, their hash values and their analysis results are displayed in this field.

Investigate

By clicking the Investigate button, you can initiate an investigation that matches the criteria of the report.

Re-Analyze

By clicking the Re-Analyze button, you can re-analyze the incident using the analysis services of your integrations.

Cluster View

You can use Cluster View to see reports more clearly when there are too many of them on the Incident Responder screen. By selecting the “⇩” button in the top right corner of the Reported Emails table, you can choose one of the following groupings.

Cluster by Subject

Cases are grouped by their subject lines and displayed accordingly.

Cluster by Reported by

Incidents are grouped by reporter and displayed accordingly.

Use Cases

SOAR Integration

When an end user reports an email, the email is analyzed by the services with which the Incident Responder module is integrated. If the analysis result is malicious, the institution's SOC team applies additional measures against that email on tools such as antivirus, firewall, EDR, proxy and so on. Done manually, this process takes a lot of time and delays a timely response to the incident.
If an email reported to the platform is determined to be phishing or malicious after analysis, your existing SOAR solution can obtain this result from the platform via the API and automatically perform the necessary actions on your EDR, proxy, firewall and similar solutions. The quick, automated action keeps the process manageable. API usage is explained in detail in this document.
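The following is an added example, not part of this document or the vendor's own code, of the SOAR-side logic described above: it takes incident records as a SOAR playbook might receive them from the platform's API, keeps only cases whose Result is Phishing or Malicious (Undetected cases produce no action), and extracts the sender IP, URL hosts and attachment hashes into per-integration block lists for the firewall, proxy and EDR. The JSON layout, the field names and the sample records are constructed assumptions for illustration; only the field meanings (Case ID, Result, Sender IP, URLs, Attachments) follow the UI described on this page.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Constructed sample of what a SOAR playbook might pull from the platform's
# REST API. The JSON layout is an assumption; the field meanings mirror the
# Incident Responder UI (Case ID, Result, Sender IP, URLs, Attachments).
SAMPLE_INCIDENTS_JSON = """
[
  {"case_id": "CASE-1001", "subject": "Invoice overdue", "reported_by": "alice@example.com",
   "result": "Phishing", "status": "Open",
   "details": {"sender_ip": "203.0.113.45",
               "urls": ["http://login.example.net/verify", "http://login.example.net/verify?x=1"],
               "attachments": [{"name": "invoice.pdf", "sha256": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}]}},
  {"case_id": "CASE-1002", "subject": "Team lunch", "reported_by": "bob@example.com",
   "result": "Undetected", "status": "Open",
   "details": {"sender_ip": "198.51.100.7",
               "urls": ["http://intranet.example.org/menu"],
               "attachments": []}},
  {"case_id": "CASE-1003", "subject": "Password reset", "reported_by": "carol@example.com",
   "result": "Malicious", "status": "In Progress",
   "details": {"sender_ip": "203.0.113.45",
               "urls": ["https://reset.example.net/"],
               "attachments": [{"name": "reset.exe", "sha256": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}]}}
]
"""

# Only these analysis results trigger automatic handling; Undetected does not.
ACTIONABLE_RESULTS = {"Phishing", "Malicious"}


def plan_actions(incidents):
    """Build per-integration block lists from analysed incident records.

    Returns a dict with sorted, de-duplicated entries for the firewall (sender IPs),
    the proxy (URL hostnames) and the EDR (attachment SHA-256 hashes), plus the
    list of case IDs that contributed to the plan.
    """
    plan = {"firewall": set(), "proxy": set(), "edr": set(), "cases": []}
    for inc in incidents:
        if inc.get("result") not in ACTIONABLE_RESULTS:
            continue  # clean or undetected cases are left for the analyst
        details = inc.get("details", {})

        sender_ip = details.get("sender_ip")
        if sender_ip:
            try:
                ipaddress.ip_address(sender_ip)  # reject malformed values before they reach a firewall
                plan["firewall"].add(sender_ip)
            except ValueError:
                pass

        for url in details.get("urls", []):
            host = urlparse(url).hostname
            if host:
                plan["proxy"].add(host.lower())  # two URLs on one host collapse to one proxy entry

        for att in details.get("attachments", []):
            digest = att.get("sha256", "").lower()
            if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
                plan["edr"].add(digest)

        plan["cases"].append(inc["case_id"])

    return {k: (sorted(v) if isinstance(v, set) else v) for k, v in plan.items()}


def load_plan(raw_json=SAMPLE_INCIDENTS_JSON):
    """Parse the (constructed) API response and return the action plan."""
    return plan_actions(json.loads(raw_json))


if __name__ == "__main__":
    print(json.dumps(load_plan(), indent=2))
```

In a real playbook the returned lists would be handed to the firewall, proxy and EDR connectors of your SOAR product; the example stops at building the plan so that it runs offline. Validating the sender IP and hash format before use is deliberate: a malformed value pushed straight into a block list fails loudly at the worst moment, in the middle of an incident.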

FAQ

Q: Can I delete incident records from the platform?

A: You can update the status of the incidents as “closed”, but the incident cannot be deleted from the interface.

Q: Are the actions I take in the cluster view applied to all cases in the cluster?

A: Yes, the actions you take in the cluster view are effective in all the cases.

Q: What will happen if the email I reported is detected to be malicious?

A: If the analysis determines the data as malicious or phishing, an automatic investigation is launched, and any suspicious emails detected in other mailboxes are scanned. Additionally, you can also take steps like Investigate and Re-Analyze.

Q: Is the reported email sent to another service?

A: No, the email reported by your users is never sent to any other service.

Q: Does automatic analysis start when the analysis result of the reported email is Phishing, Malicious or Undetected?

A: Automatic analysis starts only when the analysis result is determined to be Phishing or Malicious; the relevant malicious email is then automatically searched for throughout the company.

Q: Which Sandbox analyzes my suspicious emails?

A: We analyze suspicious emails by header, body and attachments using the third-party analysis engines integrated into our platform. The reported email itself is not forwarded to the integrations. Our platform extracts the URLs, attachments and sender IP and submits those for analysis.

Q: Can I integrate the reported emails with my SOAR products by obtaining the details using the API?

A: You can perform almost every operation in the Incident Responder module using the API. Refer to our REST API document for details.

Q: Are the emails sent by users for analysis securely stored on the server?

A: The platform generates a random key that is unique to each customer, then encrypts all reported emails on disk with the AES-256 algorithm.