The View Ticket page lets you see all the details of a ticket. From this page, you can view the following for the ticket:
ID
Subject
Account
MITRE ATT&CK® Tactic
MITRE ATT&CK® Technique
Created Time
Completed Time
Target User
SOC Analyst
Closure Code
You'll also find other details, such as the name of the incident, risk level, how the threat was detected, and what you should do about a ticket.
Besides seeing the details of a ticket, from this page, you can also:
Suspend users - You can suspend a Microsoft 365 or Duo user who is the source of a ticket.
Block and unblock IPs - If you have a firewall configured, you can block IP addresses that are the source of a ticket.
You can navigate to the View Ticket page in two ways:
By clicking Intelligence > View Ticket in the left navigation menu. If you navigate this way, you'll have to enter a Ticket ID in the top right corner.
By clicking a row in the All Tickets table on the Alarms & Alerts page. If you navigate this way, the ticket you clicked is displayed.
To view the View Ticket page
Do one of the following:
To search for a ticket, click Intelligence > View Ticket, then type a Ticket ID in the top right of the View Ticket page.
To view a specific ticket, click a row in the All Tickets table on the Alarms & Alerts page. Then click View Ticket Details.
To suspend a user
While viewing a ticket on the View Ticket page, in the Target User row of the Ticket Details section, click Suspend User.
Select one or more of the following:
Microsoft 365: revoke sessions and block sign-in.
Okta: suspend user account.
Click Submit.
To block or unblock an IP address
While viewing a ticket on the View Ticket page, in the Source IP row of the Ticket Details section, click Block/Unblock IP.
Select a firewall.
Select one of the checkboxes:
Block
Unblock
Click Submit.