Viewing an Incident
Scenario
The incident list shows incident statistics for the last 360 days. The list contains the incident name, type, severity, and occurrence time. By customizing filter conditions, such as the incident name, risk severity, and time, you can quickly find information about a specific incident.
This topic describes how to view incident information.
Procedure
- Log in to the management console.
- Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
- In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 1 Workspace management page
- In the navigation pane on the left, choose Threat Operations > Incidents.
Figure 2 Incidents
- In the upper part of the Incidents page, view incident statistics.
Figure 3 Incident statistics
- Urgent handling of Incidents: displays the total number of critical or high-risk incidents that are not closed.
- Expired Incident: displays the total number of incidents that have not been closed after the planned closure time set for the incidents.
- Incident Status: displays the total number of incidents in the Open, Blocked, and Closed statuses and the number of incidents in the corresponding status.
- Total Incidents: displays the total number of incidents in the current workspace and the number of incidents of each severity.
- In the incident list, view the incident details. For details about the parameters, see Table 1.
You can view a maximum of 9,999 incidents on the page.
Table 1 Incident parameters
| Parameter | Description |
|---|---|
| Incident | Incident name. |
| Incident ID | ID of an incident. |
| Incident Level | Severity level. The options are Warning, Low-risk, Medium-risk, High-risk, and Critical. |
| Type | Incident type. |
| Status | Incident status. The options are Open, Blocked, and Closed. |
| Affected Asset | Assets affected by this incident. |
| Verification Status | Verification status of the incident, that is, the accuracy of the incident. The value can be Unknown, Acknowledged, or False Alarm. |
| Owners | Primary owner of the incident. |
| Created | Time when the incident is created. |
| First occurrence time | Time when the incident first occurred. |
| Last occurrence time | Time when the incident occurred last time. |
| Planned Closure Date | Planned closure time of the incident. |
| Description | A brief description of the incident. |
| Data Source Product Name | Name of the product from which an incident is generated. |
| Labels | Incident label. |
| Operation | You can edit or close an incident. |
- To view the detailed overview of an incident, click the incident name. The incident overview is displayed on the right.
- On the incident overview page, you can view incident handling suggestions, basic information, and associated information (including associated threat indicators, alerts, incidents, and attack information).
- To view incident details, click Incident Details in the lower right corner of the incident overview page. The incident details page is displayed.
On the details page, you can view the incident timeline and attack information in addition to the information on the overview page. For example, you can view the first occurrence time of an incident, detection time, and attack process ID.
- On the incident overview or details page, you can change the incident severity and status in the corresponding drop-down list boxes.
- On the incident overview or details page, you can associate or disassociate alerts, incidents, and indicators and view information about affected resources.