Viewing Incidents

Scenario

An incident is a broad concept. It can include but is not limited to alerts. It can be a part of normal system operations, exceptions, or errors. In the O&M and security fields, an incident usually refers to a problem or fault that has occurred and needs to be focused on, investigated, and handled. An incident may be triggered by one or more alerts or other factors, such as user operations and system logs.

An incident is usually used to record and report historical activities in a system for analysis and audits.

On the Incidents page in SecMaster, you can check the incident list for the last 360 days. The list contains incident names, types, severity levels, and occurrence time. By customizing filtering conditions, such as the incident name, risk severity, and time, you can quickly query information about the specific incident.

This topic describes how to view incident information.

Procedure

1. Log in to the management console.
2. Click in the upper left corner of the management console and select a region or project.
3. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
4. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
   Figure 1 Workspace management page
   

5. In the navigation pane on the left, choose Threat Operations > Incidents.
6. On the Incidents page, view incident details.
   Figure 2 Viewing an Incident
   

   Table 1 Viewing an Incident

   Parameter	Description
   Unhandled Incidents	This area displays how many incidents that are not handled within the specified time range in the current workspace. The unhandled incidents are displayed by severity.
   Auto (Incidents Handled Automatically)	This area displays how many incidents that are handled automatically by playbooks within the specified time range in the current workspace.
   Manual Incident (Incidents Handled Manually)	This area displays how many incidents that are handled manually within the specified time range in the current workspace.
   Incidents Number (Incidents)	This area displays how many incidents that are reported within the specified time range in the current workspace.
   Incident list	The list displays more details about each incident. You can view the total number of incidents below the incident list. You can view a maximum of 10,000 incident records page by page. To view more than 10,000 records, optimize the filter criteria. In the incident list, you can view the incident name, severity, source, and status. To obtain overview of an incident, click the incident name. The incident overview panel is displayed on the right. On the Incident Overview panel, you can view incident handling suggestions, basic information, and associated information (including associated threat indicators, alerts, incidents, and attack information). To view incident details, click Incident Details in the lower right corner of the incident overview panel. The incident details page is displayed. On the details page, you can view the incident timeline and attack information in addition to the information on the overview page. For example, you can view the first occurrence time of an incident, detection time, and attack process ID. On the incident overview or details page, you can change the incident severity and status in the corresponding drop-down list boxes. On the incident overview or details page, you can associate or disassociate alerts, incidents, and indicators and view information about affected resources.