Managing XDR Story Investigations

This article discusses how to use the comments and actions tools in the Stories Workbench to manage story investigations.

For more about the Stories Workbench, see Reviewing Detection & Response Stories for Your Account.

Overview

The Stories Workbench drill-down page provides tools that help your analyst team track and manage the story investigation throughout the story lifecycle. You can perform a number of different actions to manage and record results of the story investigation, such as defining a verdict for the story, or setting the status to closed. You can also post comments on a story to detail the progress of the investigation and aid in collaboration with other team members. The page also lets you create a Mute Stories rule for when you determine that a story is benign and want the XDR engines to stop generating stories for similar incidents.

Note: For MDR customers, please contact   to define Mute Stories rules for your account.

Prerequisites

  • Story actions and comments are available for XDR Core and XDR Pro customers. MDR customers can't perform actions or post comments.

  • Users with edit permissions can perform story actions and post comments. Users with viewing permissions can view comments.

Performing Story Actions

The Story Actions panel lets you perform various actions to manage the story. These are the actions you can perform:

  • Set the Analyst Verdict - Define the story as Suspicious, Malicious, Informational, or Benign

    • When you set a verdict to Suspicious, Informational, or Benign, you can then also define:

      • Type - Select the specific threat type from the dropdown list

        When you select a Type, details about the type and recommended actions are shown

      • Classification - Select a more detailed description of the threat from the dropdown list. The Classification section appears only after selecting a Type

    • When you set the verdict to Malicious you can then also define:

      • The story Severity. Possible values are High, Medium, and Low.

      • Type - The Type section appears only after selecting a Severity.

      • Classification - The Classification section appears only after selecting a Type.

  • Enter Additional Info - Add information relevant to the story

  • Set the story Status - Possible values are Closed, Open, Pending Analysis (for example, when the story is awaiting attention from an analyst), and Pending More Info (for example, when the story is awaiting a reply from a customer)

  • Add the story to a new Muted Stories rule. For more about mute stories, see Muting Detection & Response (XDR) Stories.


To perform story actions:

  1. In the story drill-down page, click the Actions button.

  2. Click Manage Story. The Story Actions panel opens.

  3. Define the relevant settings in the action sections.

  4. Click Save. The story is updated with the action settings.

Commenting on a Story

Use the Story Comments panel to post comments that help track the story investigation. When you post a comment, it is visible to all users with permissions to view the story. Additionally, some comments are created automatically by the system to help track significant developments in the story lifecycle, such as when the story is created or when new targets related to the story are identified.

You can delete a comment that you posted, but can't delete other comments. Comments can't be edited. Only text can be entered in a comment.

The number of comments posted for a story appears on the Comments button in the story drill-down page.

  • Comments are limited to 500 characters

  • A single story can't have more than 200 comments


To comment on a story:

  1. In the story drill-down page, click the Comments button. The Story Comments panel opens.

  2. Enter the text for the comment and click the Post icon. The comment is posted.
