Incident Workspace Widgets

LAST UPDATED: JULY 15, 2025

The incident workspace now includes updated and new widgets, customizable via the Incident Workspace Builder. Each widget can be expanded or restored to its default size using its (expand) and (shrink) interactive icons. This article provides an overview of all available widgets and explains how to populate them within the incident workspace.

Adversary Lifecycle

The Adversary Lifecycle widget displays tactic and technique details specific to the current incident, providing clear and comprehensive insights for each item.

Clicking on the button beside the Adversary Lifecycle widget header will render a popup. The dropdown menu within this popup contains built-in and custom tactics and techniques.

Creating Custom Tactics and Techniques
  1. Navigate to the MITRE ATT&CK Monitor.

  2. Click on the icon next to a tactic.

  3. Select Insert Tactic or Add Technique.

  4. Enter the necessary tactic or technique information, then click on the Save button.

Users can now observe their custom tactic or technique in the Adversary Lifecycle widget’s Add Tactic/Technique popup.

Deleting Tactics and Techniques
  1. Hover over a technique, then click on the icon.

  2. Click on the Remove button.

Troubleshooting Missing Built-in Techniques

If built-in techniques are not visible, navigate to the Monitor module and select the Enable Mitre Tactics checkbox.

Conclusion

Users can use the Conclusion widget to record a summary for the incident’s resolution using an HTML editor.

  • To edit the content, hover over the widget and click on the icon.

  • To clear the HTML widget, hover over the widget, click on the icon, then click on the Clear button.

Custom Fields

The Custom Fields widget allows users to add custom fields and values to incorporate information about the incident beyond what appears in the header panel.

To add a custom field, click on the icon button or the Add Custom Field button. In the pop-up window that appears, enter the custom field name and value before clicking on the Save button.

Editing a Custom Field Value and Deleting a Custom Field

Editing a Custom Field Value

To edit a custom field value, click on the custom field, make the edits, then click on the button to save.

Deleting a Custom Field

To delete a custom field, click on it, then click on the icon.

Description

The Description widget enables users to add or update the incident description using an HTML editor.

  • To edit the content, hover over the widget and click on the icon.

  • To clear the HTML widget, hover over the widget, click on the icon, then click on the Clear button.

Events Summary

The Events Summary widget provides summaries of events linked to the incident, including their linkage method, event ID and name, risk level, occurrence and last updated dates, and a link to access the event details pop-up window for linked events.

Accessing Event Details

Clicking the View Event Details link opens the Event Details pop-up window containing the details of the event.

Files

The Files widget allows users to upload files to the incident using a drag-and-drop interface.

File Card UI

Each file card displays the file name, size, and unique incident file ID. Users can perform the actions Preview, Download, or Delete using the menu accessible through the icon.

Upload details, including the uploader's name and timestamp, are displayed at the bottom of each file card.

Users can edit the file description by clicking the text area, then cancel or confirm changes using the buttons at the bottom-right.

Findings

The Findings widget enables users to view, add, and edit investigation findings directly from the Overview tab. The data displayed in this widget mirrors the information in the Findings section of the Investigation tab.

Adding a Finding Using a Data Table
  1. Click on the icon button or the Add Finding button.

  2. Click on the Data Table option.

  3. Configure the table.

    1. Select a suitable category from the dropdown.

    2. Enter a descriptive header for the table.

    3. Provide a brief description to help other users understand the table’s contents.

    4. Use the code snippet below to create the table.

      JSON
      {
        "Fields": [
          {
            "Title": "Sender Email",
            "Name": "sender_email"
          },
          {
            "Title": "Subject",
            "Name": "subject"
          },
          {
            "Title": "Timestamp",
            "Name": "timestamp"
          },
          {
            "Title": "Malicious Link",
            "Name": "malicious_link"
          }
        ],
        "Data": [
          {
            "sender_email": "suspicious_user@example.com",
            "subject": "Urgent: Verify Your Account",
            "timestamp": "2025-01-07T10:15:00Z",
            "malicious_link": "http://malicious.example.com/login"
          }
        ]
      }
  4. Click on the button to save.

  5. Confirm that the data table can be rendered properly.

  6. (Optional) Click the Investigation tab to check if the newly added finding is also there.
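A pre-paste check for the data table JSON configured in step 3, as an added example that is not part of the original article or the product's own code. It assumes, from the sample snippet alone, that each Data row's keys must match the Name values declared under Fields; `build_table` and `validate_table` are hypothetical helper names.

```python
import json

# Constructed sample input: the field list and the one row from the snippet above.
FIELDS = [("Sender Email", "sender_email"), ("Subject", "subject"),
          ("Timestamp", "timestamp"), ("Malicious Link", "malicious_link")]
ROWS = [{"sender_email": "suspicious_user@example.com",
         "subject": "Urgent: Verify Your Account",
         "timestamp": "2025-01-07T10:15:00Z",
         "malicious_link": "http://malicious.example.com/login"}]

def build_table(fields, rows):
    """Arrange (title, name) pairs and row dicts in the Fields/Data layout."""
    return {"Fields": [{"Title": t, "Name": n} for t, n in fields],
            "Data": [dict(r) for r in rows]}

def validate_table(table):
    """Return a list of problems; an empty list means the layout is consistent."""
    # Assumed rules, inferred from the sample rather than a published schema:
    # each field has a non-empty Title and a unique Name, and each Data row
    # uses exactly the declared Names as its keys.
    if not isinstance(table, dict):
        return ["top level must be a JSON object"]
    fields, data = table.get("Fields"), table.get("Data")
    if not isinstance(fields, list) or not isinstance(data, list):
        return ["'Fields' and 'Data' must both be JSON arrays"]
    problems, names = [], []
    for i, field in enumerate(fields):
        if not (isinstance(field, dict) and field.get("Title") and field.get("Name")):
            problems.append(f"Fields[{i}] needs a non-empty Title and Name")
        elif field["Name"] in names:
            problems.append(f"Fields[{i}] repeats Name {field['Name']!r}")
        else:
            names.append(field["Name"])
    for i, row in enumerate(data):
        if not isinstance(row, dict):
            problems.append(f"Data[{i}] is not a JSON object")
            continue
        missing = [n for n in names if n not in row]
        extra = [k for k in row if k not in names]
        if missing:
            problems.append(f"Data[{i}] is missing {missing}")
        if extra:
            problems.append(f"Data[{i}] has undeclared keys {extra}")
    return problems

if __name__ == "__main__":
    table = build_table(FIELDS, ROWS)
    print(validate_table(table) or json.dumps(table, indent=2))
```

Run it before pasting generated JSON into the Data Table editor; a non-empty problem list points at the row or field to fix.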

Adding a Finding with the HTML Rich Text Editor
  1. Click on the icon button or the Add Finding button.

  2. Click on the HTML Rich Text option.

  3. Add the content.

    1. Select a suitable category from the dropdown.

    2. Add the finding using the HTML Rich Text editor.

  4. Click on the button to save.

  5. Confirm that the content can be rendered properly.

  6. (Optional) Click the Investigation tab to check if the newly added finding is also there.

Toggling Between Views

Users can switch between the Grouped View and Timeline View when reviewing findings.

Grouped View

In the grouped view, findings are organized into categories, such as Initial Findings and Data Enrichments.

Timeline View

In the timeline view, findings are displayed in chronological order from top to bottom, starting with the earliest added finding.

HTML

The new HTML widget lets users dynamically add custom HTML content to display richly formatted information.

  • To edit the content, hover over the HTML widget and click on the icon.

  • To clear the HTML widget, hover over the HTML widget, click on the icon, then click on the Clear button.

Incident Form

The Incident Form widget allows users to add or update information about the incident using the incident forms associated with the incident. For details on creating and filling out an incident form, refer to Creating an Incident Form and Filling Out the Incident Form During an Investigation, respectively.

Investigation Team

The Investigation Team widget displays users assigned to work on the incident and their access level. It also allows users to edit the team.

Adding to the Investigation Team
  1. Click on the button.

  2. Add the investigators.

    1. Search for and select the users to add by their names.

    2. Define their access level as constrained by stage tasks.

    3. Click on the + Add button.

Modifying the Access Level of an Investigator
  1. Click on the button to delete the user.

  2. Click on the button.

  3. Modify the investigator’s access level.

    1. Search for and select the user whose access level needs to be updated.

    2. Update their level of access.

    3. Click on the + Add button.

JSON Table

The JSON Table widget allows users to add a table containing custom JSON data into the incident. This data can be used as input for playbook tasks that support dynamic values.

Adding the JSON Table
  1. Click on the icon.

  2. Add the data in JSON, then click on the button to save.

  3. Confirm that the table can be rendered properly.

RESULT

Users can use this JSON data as input for playbook tasks that support dynamic input values, selectable at the path $.DataSource.incident.CustomJsonTable.

Linked Artifacts

The Linked Artifacts widget enables users to associate artifacts with the incident. Users can click on either the icon button or the Add Linked Artifact button to link an existing artifact to the incident or create a new artifact to link to the incident.

After linking artifacts to the incident, users can access their details and execute commands on them. Linked artifacts are also displayed in the Link Analysis tab.

Linked Incident

The Linked Incidents widget enables users to associate the current incident with other incidents. It presents a structured list that includes the incident number, title, type, status, creation date, owner, and associated artifacts.

Hovering over the owner icon, the text after "Created On", or any artifact reveals a tooltip with additional details.

Tooltip Examples

Exact incident creation date and time

Incident owner

Email address artifact

File artifact

Internal IP artifact

  • To copy a linked incident’s URL, hover over that incident and click on the icon.

  • To unlink an incident, hover over that incident and click on the icon.

  • To navigate to the linked incident, click the icon.

  • To see a summary of the linked incident, click the icon.

Linked Incident Summary

Clicking the summary icon opens a summary of the linked incident with the following information: the incident link, conclusion, and notes.

Notes

The Notes widget displays all notes associated with the incident. It also enables users to add new notes and perform keyword-based searches using the search bar.

Editing, Deleting and Viewing History
  1. Click the button.

  2. Select the desired action from the dropdown menu:

    • Click Edit to modify the note content.

    • Click Delete to permanently remove the note.

    • Click View History to see previous versions and changes made to the note.

  3. Follow the on-screen prompts to complete the selected action.

Playbook Automation

The Playbook Automation widget supports playbook bulk selection, same-page unlinking and viewing, filtering of custom or built-in playbooks, and filtering by integration commands used within playbooks.

Unlinking a Playbook
  1. Hover over that playbook and click on the icon.

  2. Enter a reason for unlinking, then click on the Unlink button.

Clicking a playbook card renders a modal containing the executing playbook, identical to accessing it via the Playbooks sidebar menu.

Recommendations

The Recommendations widget enables users to view, add, and edit analyst recommendations directly from the Overview tab. The data displayed in this widget mirrors the information in the Recommendations section of the Investigation tab.

The process of adding a recommendation, whether with a data table or HTML Rich Text, is identical to adding a finding, with the exception that the category dropdown is available only for findings.

Remediations & Mitigations

The Remediations & Mitigations widget enables users to view, add, and edit analyst remediation and mitigation strategies directly from the Overview tab. The data displayed in this widget mirrors the information in the Remediations & Mitigations section of the Investigation tab.

The process of adding a remediation and mitigation strategy, whether with a data table or HTML Rich Text, is identical to adding a finding, with the exception that the category dropdown is available only for findings.

Investigation Summary

The Investigation Summary widget (left) and the Summary section in the Investigation tab (right).

The Investigation Summary widget mirrors the content of the Summary section found in the Investigation tab of the sidebar. All incident summaries are auto-generated at the time of incident creation. Users can edit the summary by clicking the edit icon and delete it by clicking the trash icon, both of which appear on hover.

Tasks

Tasks widget showing 0 of 3 tasks completed, with tasks assigned to the user including Search Office 365 Emails and Send Email - Office 365 from the ST Playbook. Progress bar indicates 0 percent completion.

The Tasks widget provides a clear view of completed, upcoming and overdue playbook and ad hoc tasks. It also includes a graphical progress bar to visually track completion.

Users can click the button on this widget or use the Ad hoc Tasks quick action available in the header panel to add an ad hoc task.

Ad hoc Task Form
  1. Click the button beside the Tasks widget header or the Ad-hoc Task button in the header panel.

  2. Fill in the Create Ad Hoc Task form as required.
