Managing Incident Types
Scenarios
Playbooks and workflows that run for security orchestration and response require a data class. A playbook is triggered by data objects, and a data object is a specific instance of a data class. Common data classes include alerts, incidents, indicators, and vulnerabilities.
This section describes how to manage incident types.
- Viewing Incident Types: describes how to view existing incident types and their details. For details about built-in incident types, see Built-in Incident Types.
- Adding an Incident Type: describes how to create custom incident types.
- Associating an Incident Type with a Layout: describes how to associate a custom incident type with an existing layout. By default, built-in incident types are associated with existing layouts. You cannot customize associated layouts.
- Editing an Incident Type: describes how to edit a custom incident type. Currently, built-in incident types cannot be edited.
- Managing Existing Incident Types: describes how to enable, disable, and delete a custom incident type. Built-in incident types are enabled by default. You do not need to manually enable them. Currently, built-in incident types cannot be disabled or deleted.
Notes and Constraints
- By default, built-in incident types are associated with existing layouts. You cannot customize associated layouts.
- Built-in incident types are enabled by default and cannot be edited, enabled, disabled, or deleted.
- After a customized incident type is added, the Type Name, Type ID, and Subtype ID parameters cannot be modified.
Viewing Incident Types
- Log in to the SecMaster console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 1 Workspace management page
- In the navigation pane, choose . On the displayed page, click the Types tab.
Figure 2 Types tab
- On the Types page, click the Incident Types tab.
- On the Incident Types tab, view the details about existing incident types. For details about the parameters, see Table 1.
Table 1 Incident type parameters
| Parameter | Description |
| --- | --- |
| Type Name | Name of an incident type. |
| Sub Type/Sub Type Tag | Name and tag of an incident subtype. |
| Associated Layout | Layout associated with the incident type. |
| Startup Status | Startup status of an incident type. Enable: The current type has been enabled. Disable: The current type has been disabled. |
| SLA | SLA processing time of an incident type. |
| Description | Description of an incident type. |
| Operation | You can edit and delete incident types. Built-in incident types are enabled by default and cannot be edited, enabled, disabled, or deleted. |
Adding an Incident Type
- Log in to the SecMaster console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 3 Workspace management page
- In the navigation pane, choose . On the displayed page, click the Types tab.
Figure 4 Types tab
- On the Types page, click the Incident Types tab.
- On the Incident Types tab, click Add. On the Add Incident Type slide-out panel, set incident type parameters.
Table 2 Incident type parameters
| Parameter | Description |
| --- | --- |
| Type Name | Define a name for the incident type. Naming rules: The name must start with an uppercase letter. Only letters, digits, periods (.), hyphens (-), and underscores (_) are allowed. Periods (.), hyphens (-), underscores (_), and uppercase letters cannot appear consecutively. Each uppercase letter must be followed by a lowercase letter. The name must contain 2 to 64 characters. |
| Type Tag | Enter the incident type tag. Naming rules: The value can consist of multiple words separated by spaces. The value must start with an uppercase letter and end with a lowercase letter. The value consists of letters, and uppercase letters cannot appear consecutively. The value must contain 2 to 64 characters. |
| Sub Type | Enter the subtype of the incident type. Naming rules: The value must start with an uppercase letter. Only letters, digits, periods (.), hyphens (-), and underscores (_) are allowed. Periods (.), hyphens (-), underscores (_), and uppercase letters cannot appear consecutively. Each uppercase letter must be followed by a lowercase letter. The value must contain 2 to 64 characters. |
| Sub Type Tag | Enter the incident subtype tag, for example, SubTypeName. Naming rules: The value can consist of multiple words separated by spaces. The value must start with an uppercase letter and end with a lowercase letter. The value consists of letters, and uppercase letters cannot appear consecutively. The value must contain 2 to 64 characters. |
| Startup Status | Set the startup status of the incident type. |
| SLA | Set the SLA processing time of the incident. |
| Description | Provide a description of the custom incident type. |
After a custom incident type is added, its Type Name, Type ID, and Subtype ID fields cannot be modified.
- In the lower right corner of the page, click OK.
After a new type is added, you can check it in the Type Name area on the Incident Types tab.
Associating an Incident Type with a Layout
By default, built-in incident types are associated with existing layouts. You cannot customize their associated layouts.
- Log in to the SecMaster console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 5 Workspace management page
- In the navigation pane, choose . On the displayed page, click the Types tab.
Figure 6 Types tab
- On the Types page, click the Incident Types tab.
- On the Incident Types tab, select the incident type to be associated with a layout and click Associate Layout in the Operation column of the target type.
- In the Associate Layout dialog box, select the target layout and click OK.
- After the configuration is complete, go to the Incident Types tab, click the type name, and check its associated layout.
Editing an Incident Type
- Currently, built-in incident types cannot be edited.
- After a customized incident type is added, the Type Name, Type ID, and Subtype ID parameters cannot be modified.
- Log in to the SecMaster console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 7 Workspace management page
- In the navigation pane, choose . On the displayed page, click the Types tab.
Figure 8 Types tab
- On the Types page, click the Incident Types tab.
- In Type Name on the Incident Types tab, click the name of the customized incident type to be edited. Details about the custom incident type are displayed on the right.
- On the Incident Types tab, click Edit in the Operation column of the target type to be edited.
- In the Edit Incident Type dialog box, edit parameters.
Table 3 Incident type parameters
| Parameter | Description |
| --- | --- |
| Type Name | Name of an incident type, which cannot be modified. |
| Type Tag | Incident type tag, which cannot be modified. |
| Sub Type | Subtype of the incident type. Naming rules: The value must start with an uppercase letter. Only letters, digits, periods (.), hyphens (-), and underscores (_) are allowed. Periods (.), hyphens (-), underscores (_), and uppercase letters cannot appear consecutively. Each uppercase letter must be followed by a lowercase letter. The value must contain 2 to 64 characters. |
| Sub Type Tag | Incident subtype ID, which cannot be modified. |
| Startup Status | Startup status of an incident type. |
| SLA | SLA processing time of the incident. |
| Description | Description of a custom incident type. |
- In the lower right corner of the page, click OK.
- After the modification is complete, click the name of the incident type on the Incident Types tab and view the details.
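The naming rules in Table 2 and Table 3 can be checked before a value is typed into the console. The following Python validator is an added example, not SecMaster code: the function names are hypothetical, letters are assumed to be ASCII, tag words are assumed to be separated by single spaces, and the "cannot appear consecutively" rule is read strictly (no two adjacent characters from periods, hyphens, underscores, and uppercase letters), so a value that passes here also passes a looser reading.

```python
import re

def check_type_name(value: str) -> list[str]:
    """Return the naming rules that a Type Name or Sub Type value breaks."""
    problems = []
    if not 2 <= len(value) <= 64:
        problems.append("must contain 2 to 64 characters")
    if not re.match(r"[A-Z]", value):
        problems.append("must start with an uppercase letter")
    if not re.fullmatch(r"[A-Za-z0-9._-]*", value):
        problems.append("only letters, digits, '.', '-' and '_' are allowed")
    # Assumption: "cannot appear consecutively" is read strictly, as no two
    # adjacent characters drawn from '.', '-', '_' and uppercase letters.
    if re.search(r"[A-Z._-]{2}", value):
        problems.append("'.', '-', '_' and uppercase letters cannot be adjacent")
    if re.search(r"[A-Z](?![a-z])", value):
        problems.append("each uppercase letter must be followed by a lowercase letter")
    return problems

def check_type_tag(value: str) -> list[str]:
    """Return the naming rules that a Type Tag or Sub Type Tag value breaks."""
    problems = []
    if not 2 <= len(value) <= 64:
        problems.append("must contain 2 to 64 characters")
    # Assumption: words are ASCII letters separated by single spaces.
    if not re.fullmatch(r"[A-Za-z]+( [A-Za-z]+)*", value):
        problems.append("only letters, with single spaces between words")
    if not re.match(r"[A-Z]", value):
        problems.append("must start with an uppercase letter")
    if not re.search(r"[a-z]\Z", value):
        problems.append("must end with a lowercase letter")
    if re.search(r"[A-Z]{2}", value):
        problems.append("uppercase letters cannot appear consecutively")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from a real workspace.
    for name in ["Malware", "Web_attack", "Web_Attack", "DDoS", "web-attack"]:
        print(f"name {name!r}: {check_type_name(name) or 'ok'}")
    for tag in ["SubTypeName", "Data Leak", "DDoS Attack", "Web Attack2"]:
        print(f"tag  {tag!r}: {check_type_tag(tag) or 'ok'}")
```

Because Type Name, Type ID, and Subtype ID cannot be modified after the type is added, checking the values before clicking OK avoids having to delete and re-create a type.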
Managing Existing Incident Types
- Log in to the SecMaster console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 9 Workspace management page
- In the navigation pane, choose . On the displayed page, click the Types tab.
Figure 10 Types tab
- On the Types page, click the Incident Types tab.
- On the Incident Types tab, manage incident types.
- Built-in incident types are enabled by default. You do not need to manually enable them.
- Currently, built-in incident types cannot be disabled or deleted.
Table 4 Managing existing incident types
Operation: Enable
- On the incident type management tab, select the type to be enabled and click Enable.
  Alternatively, locate the row containing the incident type to be enabled, and click Disable in the Startup Status column.
- In the displayed dialog box, click OK.
  If the system displays a message indicating that the operation is successful and the startup status of the target type changes to Enable, the target type is enabled successfully.
Operation: Disable
- On the Incident Types tab, select the type to be disabled and click Disable.
  Alternatively, locate the row containing the incident type to be disabled, and click Enable in the Startup Status column.
- In the displayed dialog box, click OK.
  If the system displays a message indicating that the operation is successful and the Startup Status of the target type changes to Disable, the target type is disabled successfully.
Operation: Delete
- On the incident type management page, select the type to be deleted and click Delete in the Operation column.
- Scenario 1: MFA Has Been Configured in IAM
  In the confirmation dialog box displayed, confirm the information, enter the credential authentication information, and click OK.
  The verification method can be a mobile number, an email address, or a virtual MFA. For more information about MFA, see MFA Overview.
- Scenario 2: MFA Is Not Enabled in IAM
  In the confirmation dialog box displayed, confirm the information, click Auto Enter to auto-fill DELETE in the text box below, and click OK.