Updated on 2023-12-22 GMT+08:00

Viewing an Incident

Scenario

The incident list shows the incidents recorded in the last 360 days, together with the name, type, severity, and occurrence time of each incident. You can filter the list by conditions such as incident name, severity, and time to quickly locate a specific incident.

This topic describes how to view incident information.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  3. In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 1 Workspace management page

  4. In the navigation pane on the left, choose Threat Operations > Incidents.

    Figure 2 Incidents

  5. In the upper part of the Incidents page, view incident statistics.

    Figure 3 Incident statistics
    • Urgent handling of Incidents: total number of incidents of the Critical or High-risk severity that have not yet been closed.
    • Expired Incident: total number of incidents that have not been closed and whose planned closure time has already passed.
    • Incident Status: total number of incidents, and the number of incidents in each status (Open, Blocked, and Closed).
    • Total Incidents: total number of incidents in the current workspace, and the number of incidents of each severity.

  6. In the incident list, view the incident details. For details about the parameters, see Table 1.

    You can view a maximum of 9,999 incidents on the page.

    Table 1 Incident parameters

    Parameter: Description
    Incident: Incident name.
    Incident ID: ID of the incident.
    Incident Level: Severity of the incident. The options are Warning, Low-risk, Medium-risk, High-risk, and Critical.
    Type: Incident type.
    Status: Incident status. The options are Open, Blocked, and Closed.
    Affected Asset: Assets affected by this incident.
    Verification Status: Whether the incident has been confirmed as genuine. The value can be Unknown, Acknowledged, or False Alarm.
    Owners: Primary owner of the incident.
    Created: Time when the incident was created.
    First occurrence time: Time when the incident first occurred.
    Last occurrence time: Time when the incident last occurred.
    Planned Closure Date: Planned closure time of the incident.
    Description: Brief description of the incident.
    Data Source Product Name: Name of the product that generated the incident.
    Labels: Labels attached to the incident.
    Operation: Edit or close the incident.

  7. To view the overview of an incident, click the incident name. The incident overview is displayed on the right.

    • On the incident overview page, you can view handling suggestions, basic information, and associated information (including associated threat indicators, alerts, incidents, and attack information).
    • To view the incident details, click Incident Details in the lower right corner of the incident overview page. The incident details page is displayed.

      On the details page, you can view the incident timeline and attack information in addition to the information on the overview page. For example, you can view the first occurrence time of the incident, the detection time, and the attack process ID.

    • On the incident overview or details page, you can change the severity and status of the incident in the corresponding drop-down lists.
    • On the incident overview or details page, you can associate alerts, incidents, and indicators with the incident or disassociate them from it, and view information about the affected resources.
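The statistics shown in step 5 and the filters described in the scenario can be reproduced offline, for example over an exported copy of the incident list when you want to reconcile the dashboard with your own ticketing. The following Python script is an added example, not SecMaster code and not its API: it models incident records with the fields from Table 1, computes the urgent, expired, status, and severity counts as the page defines them, restricts the list to the 360-day window it covers, and applies name, severity, and time filters. The field names, the sample incidents, and the reference time are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed example, not SecMaster code or its API. Field names follow Table 1.
SEVERITIES = ("Warning", "Low-risk", "Medium-risk", "High-risk", "Critical")
STATUSES = ("Open", "Blocked", "Closed")
URGENT_LEVELS = ("High-risk", "Critical")


@dataclass
class Incident:
    name: str
    incident_id: str
    level: str                          # Incident Level
    status: str                         # Status
    created: datetime                   # Created (timezone-aware)
    planned_closure: Optional[datetime] = None   # Planned Closure Date
    verification: str = "Unknown"       # Verification Status


def recent(incidents: List[Incident], now: datetime, days: int = 360) -> List[Incident]:
    """Keep only incidents created within the window the list covers (360 days on the page)."""
    cutoff = now - timedelta(days=days)
    return [i for i in incidents if i.created >= cutoff]


def urgent_count(incidents: List[Incident]) -> int:
    """'Urgent handling of Incidents': Critical or High-risk incidents that are not Closed."""
    return sum(1 for i in incidents if i.level in URGENT_LEVELS and i.status != "Closed")


def expired_count(incidents: List[Incident], now: datetime) -> int:
    """'Expired Incident': not Closed and the planned closure time has already passed."""
    return sum(
        1 for i in incidents
        if i.planned_closure is not None and i.status != "Closed" and now > i.planned_closure
    )


def status_counts(incidents: List[Incident]) -> Dict[str, int]:
    """'Incident Status': number of incidents in each of Open, Blocked, Closed."""
    return {s: sum(1 for i in incidents if i.status == s) for s in STATUSES}


def severity_counts(incidents: List[Incident]) -> Dict[str, int]:
    """'Total Incidents': number of incidents per severity."""
    return {s: sum(1 for i in incidents if i.level == s) for s in SEVERITIES}


def dashboard(incidents: List[Incident], now: datetime) -> Dict[str, object]:
    """The four statistic cards from step 5, computed over an already-windowed list."""
    return {
        "urgent": urgent_count(incidents),
        "expired": expired_count(incidents, now),
        "status": status_counts(incidents),
        "total": len(incidents),
        "by_severity": severity_counts(incidents),
    }


def filter_incidents(incidents: List[Incident], name: Optional[str] = None,
                     level: Optional[str] = None, since: Optional[datetime] = None,
                     until: Optional[datetime] = None) -> List[Incident]:
    """List filters from the scenario: name substring, exact severity, creation-time window."""
    out = []
    for i in incidents:
        if name is not None and name.lower() not in i.name.lower():
            continue
        if level is not None and i.level != level:
            continue
        if since is not None and i.created < since:
            continue
        if until is not None and i.created > until:
            continue
        out.append(i)
    return out


UTC = timezone.utc
NOW = datetime(2023, 12, 22, tzinfo=UTC)  # assumed reference time

# Constructed sample list; one record is older than 360 days to show the window.
SAMPLE = [
    Incident("Brute-force login on ECS", "inc-001", "Critical", "Open",
             datetime(2023, 12, 20, tzinfo=UTC), datetime(2023, 12, 21, tzinfo=UTC)),
    Incident("Suspicious outbound connection", "inc-002", "High-risk", "Blocked",
             datetime(2023, 12, 18, tzinfo=UTC), datetime(2023, 12, 25, tzinfo=UTC)),
    Incident("Web shell detected", "inc-003", "High-risk", "Closed",
             datetime(2023, 12, 10, tzinfo=UTC), datetime(2023, 12, 12, tzinfo=UTC), "Acknowledged"),
    Incident("Port scan from external IP", "inc-004", "Low-risk", "Open",
             datetime(2023, 12, 21, tzinfo=UTC)),
    Incident("Weak password policy", "inc-005", "Medium-risk", "Open",
             datetime(2023, 11, 30, tzinfo=UTC), datetime(2023, 12, 15, tzinfo=UTC)),
    Incident("Legacy malware alert", "inc-006", "Warning", "Closed",
             datetime(2022, 6, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    view = recent(SAMPLE, NOW)
    print(dashboard(view, NOW))
    print([i.incident_id for i in filter_incidents(view, level="High-risk")])
```

Note that a Closed incident never counts as expired even when its planned closure date has passed, and that the list window is applied before the cards are computed, so an old but still open incident would not appear in the urgent count unless you widen the window.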