Working with multi-workload incidents in the Incident Graph

An incident can involve more than one workload when a correlated attack spans multiple devices. When this happens, the Incident Graph displays a separate sub-graph for each affected workload, so you can investigate the attack activity on each device individually or in context with the others.

How multi-workload incidents are displayed

When an incident involves multiple workloads, the Incident Graph displays up to four workload sub-graphs by default. Sub-graphs are shown in chronological order, based on the time of the first detection on each workload.

When more than four workloads are involved, additional workload sub-graphs are shown in a collapsed state. A menu that lists all related workloads is available to help you navigate between them.

To switch to a different workload in the Incident Graph

  1. In the Cyber Protect console, go to Protection > Incidents.
  2. Click in the rightmost column of the incident that you want to investigate.
  3. Go to the Incident Graph tab.
  4. Use the workload selector to choose a different workload sub-graph, or click a collapsed workload node to expand it.

Workload availability

If a workload that is shown in the Incident Graph is no longer registered or is unavailable, you will see a warning indicator on that workload node. You might still see the sub-graph for that workload, but you cannot perform any actions on it until the workload is available again.