Updated on 2025-08-11 GMT+08:00

Viewing Incidents

Scenario

An incident is a broad concept. It can include but is not limited to alerts. It can be a part of normal system operations, exceptions, or errors. In the O&M and security fields, an incident usually refers to a problem or fault that has occurred and needs to be focused on, investigated, and handled. An incident may be triggered by one or more alerts or other factors, such as user operations and system logs.

An incident is usually used to record and report historical activities in a system for analysis and audits. Currently, incidents are generated in the following ways:

  • Adding an Incident: You can add incidents on the Incidents page. If you identify an attack or an issue that needs to be handled, you can add an incident on the Incidents page for tracking. Incidents need to be added one by one. If you need to add incidents in batches, import them.
  • Importing Incidents: You can import incidents on the Incidents page. You can use lists to add incidents.
  • Converting an Alert into an Incident or Associating an Alert with an Incident: You can convert alerts into incidents or associate alerts with incidents. This operation will generate new incidents. SecMaster analyzes alerts it aggregates from other services. During the analysis, if SecMaster detects attacks or serious threats, it converts such alerts into incidents or associates such alerts with certain incidents.

On the Incidents page in SecMaster, you can check the incident list for the last 360 days. The list contains the name, type, severity, and occurrence time of each incident. By customizing filter conditions, such as the incident name, risk severity, and time, you can quickly query information about a specific incident.

This topic describes how to view incident information.

Relationships Between Alerts and Incidents

This section describes the meanings and differences between alerts and incidents.

  • Meanings and differences between alerts and incidents
    Table 1 Meanings and differences between alerts and incidents (columns: Category, Description)

    Definition

    • Alerts

      An alert is a notification of abnormal signals in O&M. It is usually automatically generated by a monitoring system or security device when detecting an exception in the system or networks. For example, when the CPU usage of a server exceeds 90%, the system may generate an alert. These exceptions may include system faults, security threats, or performance bottlenecks.

      Generally, an alert can clearly indicate the location, type, and impact of an exception. In addition, alerts can be classified by severity, such as critical, major, and minor, so that O&M personnel can determine which alerts need to be handled first based on their severity.

      The purpose of an alert is to notify related personnel in a timely manner so that they can make a quick response and take measures to fix the problem.

    • Incidents

      An incident is a broad concept, and may include but is not limited to an alert. An incident can be a part of the normal operation of the system, an exception, or an error. In the O&M and security fields, an incident usually refers to a problem or fault that has occurred and needs to be focused on, investigated, and handled. An incident may be triggered by one or more alerts or other factors, such as user operations and system logs.

      An incident is usually used to record and report historical activities in a system for analysis and audits.

    Handling process

    • Alerts

      The alert handling process includes receiving, confirming, analyzing, responding to, and closing alerts. When the monitoring system generates an alert, O&M personnel first need to confirm that the alert is a true positive rather than a false alarm. Then, they need to analyze the alert causes and impact scope, take measures to rectify the fault, and close the alert.

    • Incidents

      The incident handling process is more complex and comprehensive. In addition to each phase in the alert handling process, incident handling also involves incident investigation, impact assessment, risk analysis, emergency plan formulation, emergency response execution, and a post-incident summary. The objective of incident handling is to completely solve problems, prevent similar incidents in the future, and reduce the impact of incidents on services.

    Importance and urgency

    • Alerts

      Generally, alerts need to be evaluated and responded to immediately.

      The severity and importance of each alert vary depending on the alert type, severity, and impact scope. Some alerts may be simple reminders or warnings, while others may indicate that the system has been severely attacked or faces major fault risks.

    • Incidents

      In some cases, incidents may need to be recorded, analyzed, and handled, but do not require immediate responses.

      An incident is usually of higher importance and urgency than an alert. Because an incident has occurred and has had an actual impact, immediate measures need to be taken to control the risk and solve the problem. If an incident is not handled in a timely manner, it may cause significant economic loss or reputation damage to the organization.

Viewing Incidents

  1. Log in to the SecMaster console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  4. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 1 Workspace management page

  5. In the navigation pane on the left, choose Threats > Incidents.

    Figure 2 Accessing the Incidents page

  6. On the Incidents page, view incident details.

    Figure 3 Viewing an Incident
    Table 2 Viewing an incident (columns: Parameter, Description)

    Unhandled Incidents

    This area displays the number of incidents in the current workspace that have not been handled within the time range you select, broken down by severity.

    Auto

    This area displays the number of incidents in the current workspace that were handled automatically by playbooks within the time range you select.

    Manual Incident

    This area displays the number of incidents in the current workspace that were handled manually within the time range you select.

    Incidents Number

    This area displays the number of incidents reported in the current workspace within the time range you select.

    Incident list

    The list displays more details about each incident.

    The total number of incidents is shown below the incident list. You can page through at most 10,000 incident records. If more than 10,000 records match, narrow the filter criteria to view the remaining ones.

    In the incident list, you can view the incident name, severity, source, and status.

    To obtain an overview of an incident, click the incident name. The Incident Overview panel is displayed on the right.

    • On the Incident Overview panel, you can view the incident severity, status, and owner. You can change the incident severity and status from the Incident Severity and Status drop-down lists.
    • On the Incident Overview panel, you can also view incident handling suggestions, basic information, and associated information (including associated threat indicators, alerts, incidents, and attack information).
    • To view incident details, click Incident Details in the lower right corner of the Incident Overview panel. The incident details page is displayed.

      On the details page, you can view the incident timeline and attack information in addition to the information on the overview panel. For example, you can view the first occurrence time, detection time, and attack process ID of an incident.

    • On the incident overview or details page, you can associate or disassociate alerts, incidents, and indicators and view information about affected resources.
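The following Python model is an added illustration, not SecMaster code or its API. It ties together two parts of this topic: the three ways incidents come into being (adding, importing, and converting or associating alerts, described under Scenario) and the four counters shown above the incident list (Unhandled Incidents by severity, Auto, Manual, Incidents Number). All class names, field names, status values, the "playbook"/"manual" handling labels, the severity levels (borrowed from the page's alert example) and the sample alerts and incidents are constructed assumptions; only the 360-day window comes from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed in-memory model of the alert/incident relationship on this page.
# Not SecMaster's data model: names, statuses and severity levels are assumptions.
SEVERITIES = ("Critical", "Major", "Minor")  # assumed, after the page's alert example


@dataclass
class Alert:
    alert_id: str
    title: str
    severity: str
    occurred_at: datetime
    incident_id: Optional[str] = None  # set once converted or associated


@dataclass
class Incident:
    incident_id: str
    name: str
    severity: str
    occurred_at: datetime
    source: str                       # "alert", "manual" or "import"
    status: str = "Open"              # "Open" until handled, then "Closed"
    handled_by: Optional[str] = None  # "playbook" (automatic) or "manual"
    alert_ids: List[str] = field(default_factory=list)


class IncidentStore:
    """Holds alerts and incidents and mirrors the creation paths the page lists."""

    def __init__(self) -> None:
        self.alerts: Dict[str, Alert] = {}
        self.incidents: Dict[str, Incident] = {}
        self._seq = 0

    def add_alert(self, alert: Alert) -> Alert:
        self.alerts[alert.alert_id] = alert
        return alert

    def add_incident(self, name: str, severity: str, occurred_at: datetime,
                     source: str = "manual") -> Incident:
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity {severity!r}")
        self._seq += 1
        inc = Incident(f"INC-{self._seq}", name, severity, occurred_at, source)
        self.incidents[inc.incident_id] = inc
        return inc

    def import_incidents(self, rows: List[dict]) -> List[Incident]:
        """Batch path: one incident per row of a list."""
        return [self.add_incident(r["name"], r["severity"], r["occurred_at"], "import")
                for r in rows]

    def convert_alert(self, alert_id: str) -> Incident:
        """Promote an alert into a new incident that carries the alert's severity."""
        alert = self.alerts[alert_id]
        if alert.incident_id is not None:
            raise ValueError(f"{alert_id} already belongs to {alert.incident_id}")
        inc = self.add_incident(alert.title, alert.severity, alert.occurred_at, "alert")
        self._link(alert, inc)
        return inc

    def associate_alert(self, alert_id: str, incident_id: str) -> Incident:
        """Attach an alert to an existing incident; no new incident is created."""
        alert = self.alerts[alert_id]
        if incident_id not in self.incidents:
            raise ValueError(f"no such incident {incident_id}")
        if alert.incident_id is not None:
            raise ValueError(f"{alert_id} already belongs to {alert.incident_id}")
        inc = self.incidents[incident_id]
        self._link(alert, inc)
        return inc

    @staticmethod
    def _link(alert: Alert, inc: Incident) -> None:
        alert.incident_id = inc.incident_id
        inc.alert_ids.append(alert.alert_id)

    def close(self, incident_id: str, handled_by: str) -> Incident:
        if handled_by not in ("playbook", "manual"):
            raise ValueError("handled_by must be 'playbook' or 'manual'")
        inc = self.incidents[incident_id]
        inc.status, inc.handled_by = "Closed", handled_by
        return inc

    def summary(self, now: datetime, window: timedelta = timedelta(days=360)) -> dict:
        """The four counters above the incident list, over incidents that occurred
        in [now - window, now]; the 360-day default is the list's retention period."""
        in_window = [i for i in self.incidents.values() if now - window <= i.occurred_at <= now]
        unhandled = {s: 0 for s in SEVERITIES}
        for i in in_window:
            if i.status != "Closed":
                unhandled[i.severity] += 1
        return {"unhandled_by_severity": unhandled,
                "auto": sum(1 for i in in_window if i.handled_by == "playbook"),
                "manual": sum(1 for i in in_window if i.handled_by == "manual"),
                "total": len(in_window)}


def build_sample_store():
    """Constructed sample data; returns (store, reference time)."""
    now = datetime(2025, 8, 11, 12, 0)
    store = IncidentStore()
    store.add_alert(Alert("ALR-1", "CPU usage above 90% on web-01", "Critical", now - timedelta(hours=2)))
    store.add_alert(Alert("ALR-2", "Repeated failed logins", "Major", now - timedelta(days=1)))
    converted = store.convert_alert("ALR-1")                      # INC-1, created from the alert
    manual = store.add_incident("Suspected brute force", "Major", now - timedelta(days=1))  # INC-2
    store.associate_alert("ALR-2", manual.incident_id)            # ALR-2 now linked to INC-2
    imported = store.import_incidents([{"name": "Expired certificate", "severity": "Minor",
                                        "occurred_at": now - timedelta(days=10)}])  # INC-3
    store.add_incident("Old open incident", "Minor", now - timedelta(days=400))      # INC-4, outside window
    store.close(converted.incident_id, "playbook")
    store.close(imported[0].incident_id, "manual")
    return store, now


if __name__ == "__main__":
    sample_store, ref_time = build_sample_store()
    print(sample_store.summary(ref_time))
```

With the sample data, the summary reports three incidents in the window (the 400-day-old one is excluded), one handled by a playbook, one handled manually, and one unhandled Major incident. The checks in `convert_alert` and `associate_alert` reflect the page's distinction: conversion creates a new incident, association only links to an existing one, and an alert belongs to at most one incident in this model.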