Widgets

LAST UPDATED: JAN 23, 2024

The incident workspace now includes updated and new widgets, customizable via the Incident Workspace Builder. Each widget can be expanded or restored to their default size using their (expand) and (shrink) interactive icons.

Header Panel

The general information header panel now features a modernized design, presenting key incident details.

Available Actions

Viewing Key Incident Details:
- Incident ID and type, creation and last modified timestamps
- Associated site and incident type, status, severity, owner, stage and viewers
Editable Fields:
- Site, Incident Type, Status, Severity, Owner, and Tags
Quick Actions:
- Close Incident
- Ad-hoc task
- Execute command
Export:
The button provides export options:
- Export: Exports the full content of the incident
- Export Non-Empty Section: Export only the sections of the incident that contain data

Ad-hoc Task Widget

The Tasks widget has been redesigned to provide a clear view of completed, upcoming and overdue tasks. It includes a graphical progress bar to visually track completion.

Rather than scrolling to this section and clicking the + button, task delegators can use the Ad-hoc Tasks quick action available in the header panel.

Ad-hoc Task Form

Click on the button beside the Tasks widget header.
(Alternative) Click on the Ad-hoc Tasks button in the header panel.
Fill in the Create Ad-hoc Task form as required.

Adversary Lifecycle Widget

The Adversary Lifecycle (previously Tactics & Techniques) widget has been redesigned to intuitively showcase tactic and technique details specific to the current incident, providing clear and comprehensive insights for each item.

Clicking on the button beside the Adversary Lifecycle widget header will render a popup. The dropdown menu within this popup contains built-in and custom tactics and techniques.

Creating Custom Tactics and Techniques

Navigate to the MITRE ATT&CK Monitor.
Click on the icon next to a tactic.
Select Insert Tactic or Add Technique.
Enter in the necessary tactic or technique information, then click on the Save button.

Users can now observe their custom tactic or technique in the Adversary Lifecycle widget’s Add Tactic/Technique popup.

Deleting Tactics and Techniques

Hover over a technique, then click on the icon.

Click on the Remove button.

Conclusion Widget

Users can use the Conclusion widget to record a summary for the incident’s resolution using an HTML editor.

To edit the content, hover over the widget and click on the image 48-20241231-185858.png icon.

To clear the HTML widget, hover over the widget, click on the image 49-20241231-190435.png icon, then click on the Clear button.

Custom Fields Widget

The Custom Fields widget allows users to add custom fields and values to incorporate information about the incident beyond what appears in the Header Panel.

Editing a Custom Field Value and Deleting a Custom Field

Editing a Custom Field Value

To edit a custom field value, click on the custom field, make the edits, then click on the button to save.

Deleting a Custom Field

To delete a custom field, click on it, then click on the icon.

Description Widget

The Description widget enables users to add or update the incident description using an HTML editor.

To edit the content, hover over the widget and click on the image 48-20241231-185858.png icon.

To clear the HTML widget, hover over the widget, click on the image 49-20241231-190435.png icon, then click on the Clear button.

Events Summary Widget

The Events Summary widget provides summaries of events linked to the incident, including their linkage method, event ID and name, risk level, occurrence and last updated dates, and a link to access the event details pop-up window for linked events.

Accessing Event Details

Clicking the View Event Details link opens the Event Details pop-up window containing the details of the event.

Files Widget

The Files widget has been redesigned to support file uploads via drag-and-drop or browsing.

File Card UI

Each file card displays the file name, size, and unique incident file ID. Users can perform the actions Preview, Download, or Delete using the menu accessible through the icon.

Upload details, including the uploader's name and timestamp, are displayed at the bottom of each file card.

Users can edit the file description by clicking the text area and cancel or confirm changes using the and buttons at the bottom-right.

Findings Widget

The Findings widget enables users to view, add, and edit investigation findings directly from the Overview tab. The data displayed in this widget mirrors the information in the Findings section of the Investigation tab.

Adding a Finding Using a Data Table

Click on the button or Add Finding button.
Click on the Data Table option.

Configure the table.

Select a suitable category from the dropdown.
Enter a descriptive header for the table.
Provide a brief description to help other users understand the table’s contents.

Use the code snippet below to create the table.

JSON

{
  "Fields": [
    {
      "Title": "Sender Email",
      "Name": "sender_email"
    },
    {
      "Title": "Subject",
      "Name": "subject"
    },
    {
      "Title": "Timestamp",
      "Name": "timestamp"
    },
    {
      "Title": "Malicious Link",
      "Name": "malicious_link"
    }
  ],
  "Data": [
    {
      "sender_email": "suspicious_user@example.com",
      "subject": "Urgent: Verify Your Account",
      "timestamp": "2025-01-07T10:15:00Z",
      "malicious_link": "http://malicious.example.com/login"
    }
  ]
}

Click on the button to save.
Confirm that the data table can be rendered properly.
(Optional) Click the Investigation tab to check if the newly added finding is also there.

Adding a Finding with the HTML Rich Text Editor

Click on the button or Add Finding button.
Click on the HTML Rich Text option.
Add the content.
1. Select a suitable category from the dropdown.
2. Add the finding using the HTML Rich Text editor.
Click on the button to save.
Confirm that the content can be rendered properly.
(Optional) Click the Investigation tab to check if the newly added finding is also there.

Toggling Between Views

Users can switch between views the Grouped View and Timeline View when reviewing findings.

Grouped View

In the grouped view, findings are organized into categories, such as Initial Findings and Data Enrichments.

Timeline View

In the timeline view, findings are displayed in chronological order from top to bottom, starting with the earliest added finding.

HTML Widget

The new HTML widget allows users to dynamically add custom HTML content, allowing the display of richly formatted information.

To edit the content, hover over the HTML widget and click on the image 48-20241231-185858.png icon.

To clear the HTML widget, hover over the HTML widget, click on the image 49-20241231-190435.png icon, then click on the Clear button.

Incident Form Widget

The Incident Form widget allows users to add or update information about the incident using the incident forms associated with the incident.

Adding Information with the Incident Form

Click on the icon beside an incident form.
Add the relevant information, then click on the Save button.
Verify that the information has been successfully added.

Users can also modify the information by following the same methods outlined in steps 1-3.

Investigation Team Widget

The Investigation Team widget displays users assigned to work on the incident and their access level. It also allows users to edit the team.

Adding to the Investigation Team

Click on the button.
Add the investigators.
1. Search for and select the users to add by their names.
2. Choose their level of access.
3. Click on the + Add button.

Modifying the Access Level of an Investigator

Click on the button to delete the user.
Click on the button.
Modify the investigator’s access level.
1. Search for and select the user whose access level needs to be updated.
2. Choose their level of access.
3. Click on the + Add button.

JSON Table Widget

The JSON Table widget allows users to add a table containing custom JSON data into the incident. This data can be used as input for playbook tasks that support dynamic values.

Adding the JSON Table

Click on the icon.
Add the data in JSON, then click on the button to save.
Confirm that the table can be rendered properly.

RESULT

Users can use this JSON data as input for playbook tasks that support dynamic input values, selectable at the path $.DataSource.incident.CustomJsonTable.

Linked Artifacts Widget

The Linked Artifacts widget enables users to associate artifacts with the incident. Users can click on either the Group 171.png button or the Add Linked Artifact button to link an existing artifact to the incident or create a new artifact to link to the incident.

After linking artifacts to the incident, users can access their details and execute commands on them. Linked artifacts are also displayed in the Link Analysis tab.

Linked Incident Widget

The Linked Incidents widget has been updated to support bulk selection and display a structured layout of incident details, including the number, title, type, status, creation date, owner, and associated artifacts.

Hovering over the owner icon, the text after "Created On", or any artifact reveals a tooltip with additional details.

Tooltip Examples

Exact incident creation date and time

Incident owner

Email address artifact

File artifact

Internal IP artifact

To copy a linked incident’s URL, hover over that incident and click on the image 44-20241231-011513.png icon.

To unlink an incident, hover over that incident and click on the image 45 (1)-20241231-011540.png icon.

Notes Widget

The Notes widget has been improved for greater clarity and differentiation between notes, with a keyword search feature added for easier retrieval.

Editing, Deleting and Viewing History

Click on the button.
Select the desired action from the dropdown menu:
- Click Edit to modify the note content.
- Click Delete to permanently remove the note.
- Click View History to see previous versions and changes made to the note.
Follow the on-screen prompts to complete the selected action.

Playbook Automation Widget

The Playbook Automation widget (formerly Playbook) now supports bulk selection, same-page unlinking and viewing, filtering of custom or built-in playbooks, and filtering by integration commands used within playbooks.

Unlinking a Playbook

Hover over that playbook and click on the icon.
Enter a reason for unlinking, then click on the Unlink button.

Clicking a playbook card renders a modal containing the executing playbook, identical to accessing it via the Playbooks sidebar menu.

Recommendations Widget

The Recommendations widget enables users to view, add, and edit analyst recommendations directly from the Overview tab. The data displayed in this widget mirrors the information in the Recommendations section of the Investigation tab.

The process of adding a recommendation, whether with a data table or HTML Rich Text, is identical to adding a finding, with the exception that the category dropdown is available only for findings.

Remediations & Mitigations Widget

The Remediations & Mitigations widget enables users to view, add, and edit analyst remediation and mitigation strategies directly from the Overview tab. The data displayed in this widget mirrors the information in the Remediations & Mitigations section of the Investigation tab.

The process of adding a remediation and mitigation strategy, whether with a data table or HTML Rich Text, is identical to adding a finding, with the exception that the category dropdown is available only for findings.

AI Summary Widget

The Summary widget mirrors the content of the Summary section in the Investigation sidebar menu.

Beside the Summary widget header is a light blue refresh icon image 50-20241231-192620.png . Clicking this icon securely generates a new summary using AI, improving incident reporting and team communication. This icon is accessible only to users with incident editing role, configured in the Organization Management module.

After an AI summary is generated, an label will render next to the Summary widget header. If the summary content is modified by a user, the label will be removed.