Incident-based Execution Profile

The Incident-based Execution Profile lets you investigate objects and events across the affected endpoints from a broader perspective (the incident view), rather than working through isolated, discrete alerts that may all trace back to the same root cause.

Important:

This is a “Pre-release” feature and is not considered an official release. Please review the Pre-release Disclaimer before using the feature.

By correlating and grouping related alerts, the Incident-based Execution Profile visualizes objects and events on multiple analysis chains to facilitate interactive investigation.

The following list describes the elements that compose the Incident-based Execution Profile, grouped by where they appear on the screen.

Left panels

  Observed Attack Techniques panel
    Lists the individual events detected in your environment, together with the related MITRE ATT&CK information.
    You can click View event to check the event details in the Observed Attack Techniques app.
    Note: Under Observed Attack Techniques, only detections from filters at the "Critical", "High", and "Medium" risk levels are listed, and only for objects that are present in the current analysis chain.

  Endpoints panel
    Lists the affected endpoints and the highlighted objects from the alerts associated with the incident.

Graph section

  Chain view
    Aggregates multiple analysis chains that visualize objects and events for interactive investigation.
    You can click any node to view the detailed profile of the object and check its related events. The initial analysis chain shows the most critical events as a baseline; you can add more events to the chain if necessary.

  Timeline view
    Displays the events associated with the incident in chronological order.
    By default, only the first observed events of the incident are highlighted. Use the right arrow icon to step through the attack one event at a time.

Right panels

  Profile tab
    Displays the details applicable to the selected object.

  Events tab
    Displays the actions performed by the selected object.
    You can expand each action to check the objects involved in the event and choose to show them in or hide them from the chain view dynamically.

  Sources tab
    Displays the point of origin of the selected object. This information is not shown in the chain view.
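To make the three ideas above concrete (grouping related alerts into one incident, listing only Critical/High/Medium detections, and stepping through the timeline from the first observed event), here is an added, self-contained illustration in Python. It is not code from the product or from this page: the alert schema, the sample alerts, and the rule that two alerts belong to the same incident when they reference a common object are all assumptions made for the example, and the sample data is constructed.

```python
from collections import defaultdict

# Risk levels that the Observed Attack Techniques panel lists (per the note above).
RISK_LEVELS_SHOWN = {"Critical", "High", "Medium"}

# Constructed sample alerts. The field names are assumptions for this example,
# not the product's schema. Process objects are qualified with their endpoint
# so that the same binary name on two hosts is not treated as one object.
ALERTS = [
    {"id": "A1", "endpoint": "WS-01", "risk": "High",     "technique": "T1566.001",
     "time": "2024-05-01T09:00:00", "src": "WS-01:outlook.exe",    "action": "create",   "dst": "WS-01:invoice.docm"},
    {"id": "A2", "endpoint": "WS-01", "risk": "Medium",   "technique": "T1204.002",
     "time": "2024-05-01T09:01:30", "src": "WS-01:winword.exe",    "action": "open",     "dst": "WS-01:invoice.docm"},
    {"id": "A3", "endpoint": "WS-01", "risk": "Critical", "technique": "T1059.001",
     "time": "2024-05-01T09:02:10", "src": "WS-01:winword.exe",    "action": "spawn",    "dst": "WS-01:powershell.exe"},
    {"id": "A4", "endpoint": "WS-01", "risk": "Medium",   "technique": "T1105",
     "time": "2024-05-01T09:02:45", "src": "WS-01:powershell.exe", "action": "connect",  "dst": "198.51.100.7:443"},
    {"id": "A5", "endpoint": "WS-01", "risk": "Low",      "technique": "T1083",
     "time": "2024-05-01T09:03:00", "src": "WS-01:powershell.exe", "action": "enumerate", "dst": "WS-01:C:\\Users"},
    {"id": "A6", "endpoint": "SRV-02", "risk": "High",    "technique": "T1047",
     "time": "2024-05-01T09:10:00", "src": "WS-01:powershell.exe", "action": "remote-exec", "dst": "SRV-02:wmiprvse.exe"},
    # Unrelated activity on a third host: shares no object with the alerts above.
    {"id": "A7", "endpoint": "WS-03", "risk": "Medium",   "technique": "T1204.002",
     "time": "2024-05-01T11:00:00", "src": "WS-03:chrome.exe",     "action": "spawn",    "dst": "WS-03:update.exe"},
]


def group_incidents(alerts):
    """Union alerts that reference a common object; each connected component is one incident.

    Returns a list of incidents (each a list of alerts in input order), ordered by the
    earliest alert time in the incident. The assumed correlation rule is simply
    'shared object', which also links alerts across endpoints (A4 -> A6 via powershell.exe).
    """
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_seen = {}  # object id -> id of the first alert that referenced it
    for a in alerts:
        for obj in (a["src"], a["dst"]):
            if obj in first_seen:
                union(a["id"], first_seen[obj])
            else:
                first_seen[obj] = a["id"]

    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a)
    return sorted(groups.values(), key=lambda g: min(x["time"] for x in g))


def build_profile(incident):
    """Assemble the pieces the profile page shows for one incident."""
    events = sorted(incident, key=lambda a: a["time"])
    return {
        # Endpoints panel
        "endpoints": sorted({a["endpoint"] for a in incident}),
        # Observed Attack Techniques panel: only Critical/High/Medium detections are listed
        "observed_attack_techniques": [
            (a["id"], a["technique"], a["risk"]) for a in events if a["risk"] in RISK_LEVELS_SHOWN
        ],
        # Chain view: object -> action -> object edges, in time order
        "chain": [(a["src"], a["action"], a["dst"]) for a in events],
        # Timeline view: event ids in chronological order; the first one is highlighted by default
        "timeline": [a["id"] for a in events],
        "first_observed": events[0]["id"],
    }


def step_timeline(profile, presses):
    """Event ids highlighted after pressing the right arrow `presses` times (0 = initial state)."""
    return profile["timeline"][: presses + 1]


if __name__ == "__main__":
    for incident in group_incidents(ALERTS):
        profile = build_profile(incident)
        print("endpoints:", profile["endpoints"])
        print("observed techniques:", profile["observed_attack_techniques"])
        for src, action, dst in profile["chain"]:
            print(f"  {src} --{action}--> {dst}")
        print("after two arrow presses:", step_timeline(profile, 2))
```

Running the block yields two incidents: the phishing-to-lateral-movement chain spanning WS-01 and SRV-02, and the unrelated WS-03 activity. The Low-risk enumeration event (A5) still appears in the chain and timeline but is dropped from the observed-techniques list, mirroring the note on the panel.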