G DATA 365 | MXDR

Overview of an incident

Each incident can be viewed on an overview page, where all important information can be found at a glance.

[Screenshot: G DATA 365 | MXDR Incident overview]

To ensure that important recommendations for action immediately stand out from less important information, both incidents and recommended action are rated according to importance with corresponding color coding.

Regarding terminology, G DATA uses the term "impact" in the context of incidents and the term "priority" for recommended actions.

An incident can have the impact None, Minor, Moderate, High or Major. By default, the incident is given the impact Medium. In some cases, the impact level is changed manually by the G DATA Security Analysts. If the impact High or Major has been assigned, a G DATA Security Analyst may be waiting urgently for feedback or for a recommended action to be performed. In this case, you will see a red status marker for the incident.

Recommended actions can have the priority low, medium or high and should be treated accordingly.

These four different color indicators are used:

Green

If the incident has a green status, there is nothing for you to do. In this case, G DATA was able to eliminate the danger and there are no tasks for you to perform.

Yellow

If the incident has a yellow status, you must perform an action. The action is not urgently required, but should be carried out eventually.

Red

If the incident has a red status, it is urgent that you perform an action. This action should not be delayed!

Gray

If the incident has a gray status, G DATA is currently busy solving the problem. After the G DATA Security Analysts have completed the process, the status changes to red, yellow or green.

The status of an incident

Status refers to the current processing status. Some statuses are set automatically by our cloud backend. The automatically set statuses are New and Solved automatically.

New

This status means that a new incident has been reported to the portal but has not yet been investigated. An incident also receives the status New if it already had a different status but a new alert has been added.

Solved automatically

This status means that no G DATA Security Analyst is required to close the alert. This is the case, for example, if a file known to be infected was about to be downloaded from the Internet, but the G DATA Agent prevented the download. In this case, no G DATA Security Analyst needs to intervene and the alert receives the status Solved automatically.

Some statuses are set manually by the G DATA Security Analysts. These are In progress, Solved and Deferred.

In progress

This status means that a G DATA Security Analyst is currently investigating the incident. As soon as the investigation is completed, the analyst will change the status.

Solved

This status means that a G DATA Security Analyst has completed work on the incident. However, it is possible that the customer still has open Recommended Actions.

Deferred

This status is set if a G DATA Security Analyst cannot continue working at this time because they are waiting for feedback or for the customer to carry out Recommended Actions.

In the right block of the overview, you will see a list of all Recommended Actions relating to this incident.

Recommended Actions are given to you by our G DATA Security Analysts for an incident.

These can be:

  • simple tips and tricks to avoid incidents,

  • simple tasks that need to be carried out (such as a reboot),

  • or complex actions that are necessary to prevent or limit damage as quickly as possible.

There are four columns in the list of recommended actions.

Traffic light icon

The priority of the recommended action is displayed here.

Endpoint

The affected endpoint for the recommended action is listed here.

Recommended action

The name of the recommended action.

The Action column

Blue tick

If the tick in this column is blue, you have not yet marked the recommended action as completed. If you click on the blue tick, you mark the recommended action as resolved.

Blue undo arrow

If the arrow is blue, you have already marked the recommended action as completed. If you click on the blue arrow you reset the status of the recommended action to not resolved.

Click on the row of a Recommended Action to open its details page.

[Screenshot: G DATA 365 | MXDR Overview]

On this page you can see the recommended action with full text. On this page you can also mark the recommended action as Resolved. To do this, click on Close now.

Timeline

This chronological overview lists all interactions that are associated with an incident. These include all the alerts and their updates, as well as all recommended actions and file operations associated with the incident.
All entries are provided with a date and exact time stamp and can be expanded for further details. This allows the complete incident to be easily understood in all its aspects.

[Screenshot: Timeline]

Alert graph

Via the timeline you can access the alert graph belonging to the corresponding alert. Just select an entry from the timeline and click Show alert graph. Please note that the alert graph is only available for messages that are linked to detections and were created from August 2024 onwards.

[Screenshot: Alert graph]

You can also view the alert graph by clicking the alert graph icon in the alert list.

Alerts

In the lower block of the general overview, you will find the list of alerts assigned to this incident.

[Screenshot: Alert list]

Name

These are the names that the sensor was able to assign to the security events, for example a virus name.

Endpoint

The endpoints on which security alerts have occurred are specified here. If several alerts have occurred for an endpoint, you will see the same endpoint in each row.
It can happen that sensors on different endpoints have issued an alarm and that these alarms are all assigned to one security incident. In this case, you will see different endpoints displayed in this column.

Affected artifacts

Here you can see which files or processes were affected by this incident.

Date

Date and time of the security alarm.

Status

Here you can see the status of the incident corresponding to the alert.

Classification

This column shows you whether the alarm is a justified alarm (True Positive) or a false alarm (False Positive).

Alert graph icon

Click on this icon to go directly to the alert graph associated with the message.

Alert details page

Clicking on the row of an alert opens its details page.

[Screenshot: G DATA 365 | MXDR Overview]

The details page shows you a summary of the most important information, such as:

  • The name transmitted by the reporting sensor.

  • When the alarm occurred.

  • What status it has.

  • How it was classified.

Under Affected artifacts, you can see which file or process the G DATA Agent's sensor detected and how it reacted to it.

In our example (see screenshot), a file was recognized and moved to quarantine.

If a SHA256 hash value could be determined, it is also displayed here.