Incident Responder Dashboard

This section will help you comprehend and utilize the Incident Responder product's fundamental features. To access all details described in this section, please click on Incident Responder > Incident Responder.


Phishing Reporter Widget

This provides details on how many users have the suspicious email reporter plugin (Outlook Desktop version) installed in total and how many users have been active in the past four minutes.

By clicking on the shortcut on the upper right corner of the box, you can access the page where the suspicious email notification add-in is installed and the user details are shown in more detail.

Incident Analysis Widget

The Incident Analysis box shows the total number of incidents that have been reported to the Incident Responder so far, along with the percentage of incidents that have malicious content.

Investigations Widget

Within the Investigations box, you can see the number of automatic investigations launched on the Incident Responder and the number of manual investigations.

By clicking on the shortcut on the upper right corner of the box, you can access the page where the investigations have been started.

ROI Summary Widget

This widget summarizes the performance and evaluates the efficiency and profitability of Incident Responder investment.

In order for this feature to produce accurate results, you need to arrange the time and money details specific to your institution. You can specify these details by clicking the 'Settings' button in the ROI Summary menu in the upper right corner.

Average hours saved per reported email(hours)

You can enter how much time a SOC team member spends time on each reported suspicious email to analyze, investigate, delete or other such actions.

Average total cost per hour($)

You can enter how much money it cost the company when a SOC team member spends time (hours) on each reported suspicious email to analyze, investigate, delete or other such actions.

An example from real life scenario. There is a SOC team who has five members and only one person is dedicated to taking these "analyze, share results with the reporter, investigate, delete phishing email" actions of each email reported by employees.

The person spends approximately one hour on each email, and depending on the salary, the person's one hour is equal to 200$ to the company, then set the "average hours = 1 hour" and set the "average total cost = 200$" in the widget settings.

The product will calculate based on this information how much money and time is saved by using the Incident Responder based on the each reported email to the product.

Top Rules

In the Top Rules field, you will see that the 5 rules with the most matches from the rules created on the Playbook page are listed.

Recent Investigations

In the Recently Investigations area, you can see the details of the last 5 investigations started. The name, progress of the investigation and its latest status (Running, Canceled, Finished, Expired) are shown.

Reported Emails

This table contains all emails and analysis statuses reported to the Incident Responder product. This table includes information such as who reported suspicious emails, the status of the email analysis, and other details.


You can take manual action on suspicious emails reported to the Incident Responder. You can click the buttons under the action and take the appropriate steps you want to perform.


The incident that was reported to the Incident Responder can be edited. You can add a tag or make notes on the case, as well as amend the analysis result or status of the related case. The table below contains comprehensive information on each field.


Name of the subject

Reporter By

The email address of the user reported the incident.

Case ID

It is the case number that is created specific to the case.

Analysis Source

Analysis source detail that is automatic or linked to a Playbook rule.


Analysis result of the case.


Analysis status of the case. The status can be open, close, false positive, or in progress.


This is the area where you can add reminder tag information.


This is the area where the analyst can write their notes for this case.

Notify Reporting User About This Update

A feature where the notification message can be sent to the person who reported the incident using default templates by default or custom templates by clicking the change button and choosing the custom template.

Add Custom Message

Area where you can add a custom message in the email notification to be sent to the person reported the incident.

Date Created

The report date of the incident.

Last Update

The date of the last update on the incident.

You have the option to see the incident, look over its specifics, begin researching it, and take actions like rescanning the incident for integrations. By selecting the three dots “︙” button next to the Action title, you can execute actions on the related titles below.

Preview Email

By clicking the Preview button, you can visit the page with the image of the reported incident.


By clicking the Details button, you can visit the page with the details of the reported incident.

The information on the reporting page is detailed in the table below.


This is the area where the details of the email are shown. In this field, the analysis date of the email, From, From Name, To, CC, BCC, Sender IP, Analysis Date, the name of the folder where the email is located, the number of attachments and the number of URLs in it and the location of the sender IP address.

At the same time, the email server IP address to which the email is sent, blacklist control is performed in analysis services. You can see the results on this screen under the Sender IP Blacklist Check title.


The header information of the email is displayed in this field.

Email Preview

The preview of the email is shown in this area.


URLs and their analysis results in the email are displayed in this field.


The name of the attachment files and their hash information as well as analysis results are displayed in this field.


By clicking the Investigation button, you can initiate an investigation to match the criteria of the report.


By clicking the Re-analyze button, you can re-analyze the incident using analysis services on integrations.

Cluster View

You can utilize Cluster View to view notifications more clearly when there are too many of them on the Incident Responder screen. By selecting the “⇩” button located in the top right corner of the Reported Emails table, you can take the following actions.

Cluster by Subject

Cases are classified according to their titles and displayed accordingly.

Cluster by Reported by

Incidents are classified by reporters and displayed accordingly.

Filter by MD5 or SHA512 Hash

Search the reported emails based on the MD5 or SHA512 hash of files. If the MD5 or SHA512 hash matches with a file attached on the reported email, the reported email will be listed on the reported emails table.

Use Cases

SOAR Integration

In case the end user reports an email, the relevant email is analyzed by the services with which the Incident Responder product is integrated. If the analysis result appears to be malicious, the institution's SOC team will apply additional measures such as using antivirus, firewall, EDR, proxy etc. to target this malicious email. This manual process will take a lot of time and will delay the intervention to the incident in a timely manner.

If the email reported to the platform is determined to be phishing or malicious after analysis, your current SOAR solution can obtain this detail from the platform via API and automatically perform the necessary actions on your solutions such as EDR, Proxy, and Firewall. In this way, the process will be manageable due to the quick action taken. API usage details are explained in detail in this document.

Tutorial Video


Q: Can I delete incident records from the platform?

A: You can update the status of the incidents as “closed”, but the incident cannot be deleted from the interface.

Q: Are the actions I take in the cluster view applied to all cases in the cluster?

A: Yes, the actions you take in the cluster view are effective in all the cases.

Q: What will happen if the email I reported is detected to be malicious?

A: If the analysis determines the data as malicious or phishing, an automatic investigation is launched, and any suspicious emails detected in other mailboxes are scanned. Additionally, you can also take steps like Investigate and Re-Analyze.

Q: Is the reported email sent to another service?

A: No, the email reported by your users is never sent to any other service.

Q: Does automatic analysis start when the analysis result of the reported email is Phishing, Malicious or Undetected?

A: Automatic analysis starts only when the analysis result is determined to be Phishing and Malicious, and the relevant malicious email is automatically searched throughout the company.

Q: How Sandbox analyzes my suspicious emails?

A: We analyze suspicious email by header, body and attachments using our third-party analysis engines integrated into our platform. The reported email itself is not forwarded to the integrations. Our platform parses the URL, Attachment and Sender IP and makes the analysis.

Q: Can I integrate the reported emails with my SOAR products by obtaining the details using the API?

A: You can perform almost every operation in the Incident Responder product using API. You can refer to our Rest API document to see the details.

Q: Are the emails sent by users for analysis securely stored on the server?

A: The platform generates a random key that is unique for each customer, then encrypts all reported emails on disk with AES 256 algorithm.

Last updated

Copyright © Keepnet Labs LTD. All rights reserved.