Importing and Exporting Incidents
This section describes how to import and export incidents.
Limitations and Constraints
Only .xlsx files no larger than 20 MB can be imported.
Importing Incidents
- Log in to the management console.
- Click in the upper left corner of the page and choose .
- In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 1 Management
- In the navigation pane on the left, choose Threat Operations > Incidents.
Figure 2 Incidents
- On the Incidents page, click Import in the upper left corner above the incident list.
- In the displayed Import dialog box, click Download Template to download a template, and fill in the downloaded template according to the requirements.
- After the template is filled in, click Add File in the Import Incident dialog box and select the Excel file you want to import.
- Fill in information about incidents to be imported based on the template. For details, see Parameters in the Incident Template.
- The file must be in the .xlsx format.
- Click OK.
Parameters in the Incident Template
Import incidents based on the template requirements. For details about the parameters, see Table 1.
Parameter | Type | Mandatory | Description |
---|---|---|---|
extend_properties | Object | No | Extended properties of the incident. |
ttr | Int | No | Response time of the incident. |
ttd | Int | No | Time when the incident is detected. |
ref_order_id | String | No | Service ID (service ticket ID) of the incident. The value contains a maximum of 128 characters. |
region_id | String | Yes | Region ID of the tenant to which the incident object belongs. |
domain_id | String | Yes | Domain ID of the tenant to which the incident object belongs. |
origin_id | String | No | Origin ID of the incident. The value contains a maximum of 128 characters. |
file_info | List<object> | No | File information. |
user_info | List<object> | No | User information. |
process | List<object> | No | Process information. |
incident_type | Object | Yes | Incident type. Example: {"incident_type":"demo","id":"demo"} |
network_list | List[Object] | No | Network information. |
resource_list | List[Object] | No | Affected resources. |
malware | Object | No | Malware. |
system_info | Object | No | System information. |
data_source | Object | Yes | Data source. Example: {"REGION_ID":"demo","product_feature":"demo","project_id":"demo","product_module":"demo","company_name":"demo","DOMAIN_ID":"demo","source_type":445428683,"product_name":"demo"} |
remediation | Object | No | Remediation measures. |
is_deleted | Boolean | No | Whether to delete the incident. |
environment | Object | Yes | Coordinates of the environment where the incident is generated. |
workspace_id | String | Yes | ID of the workspace to which the incident object belongs. |
sla | Int | No | SLA for closing the incident, in hours. This parameter sets the duration in which risks can be accepted. |
close_time | Timestamp | No | Closing time, in the ISO 8601 format of "YYYY-MM-DDTHH:mm:ss.ms+Time zone". Time zone refers to where the incident was closed. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
owner | String | No | Owner and service owner. |
close_comment | String | No | Comment for the closure. |
count | Int | Yes | Incident occurrences. |
close_reason | String | No | Closure reason. The value can be: |
handle_status | String | Yes | Incident processing status. The value can be: The default value is Open. |
update_time | Timestamp | No | Update time, in the ISO 8601 format of "YYYY-MM-DDTHH:mm:ss.ms+Time zone". Time zone refers to where the incident was updated. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
create_time | Timestamp | Yes | Recording time, in the ISO 8601 format of "YYYY-MM-DDTHH:mm:ss.ms+Time zone". Time zone refers to where the incident was recorded. If this parameter cannot be parsed, the default time zone GMT+8 is used. Example: 2023-04-13T10:36:20.580Z+0800 |
first_observed_time | Timestamp | Yes | First occurrence time, in the ISO 8601 format of "YYYY-MM-DDTHH:mm:ss.ms+Time zone". Time zone refers to where the incident occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
arrive_time | Timestamp | Yes | Receiving time, in the ISO 8601 format of "YYYY-MM-DDTHH:mm:ss.ms+Time zone". Time zone refers to where the incident was received. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
last_observed_time | Timestamp | No | Latest occurrence time, in the ISO 8601 format of "YYYY-MM-DDTHH:mm:ss.ms+Time zone". Time zone refers to where the incident recently occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
description | String | Yes | Incident description. The value contains a maximum of 1024 characters. |
ipdrr_phase | String | No | Period/Phase number. |
title | String | Yes | Incident name. The value contains a maximum of 255 characters. |
confidence | Int | No | Incident confidence. Confidence is used to illustrate the accuracy of an identified behavior or event. Value range: 0–100 |
verification_state | String | Yes | Verification status, used to identify the accuracy of the incident. The default value is Unknown. |
version | String | Yes | Version of the incident object. |
actor | String | No | Incident investigator. |
creator | String | No | Creator. |
simulation | Boolean | No | Debugging field. |
severity | String | Yes | Incident level. The value can be: |
criticality | Int | No | Importance level of the resource involved in the incident. Value range: 0–100. 0 indicates that the resource is not critical, and 100 indicates that the resource is critical. |
source_url | String | No | Incident URL, which points to the page of the current incident description in the data source product. |
id | String | Yes | Unique identifier of the incident. The value is in the UUID format and contains a maximum of 36 characters. |
labels | String | No | Labels. |
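A pre-import check for template rows, as an added example that is not part of the original documentation: it applies the mandatory flags, length limits, 0–100 ranges and UUID rule from the table above to one row given as a Python dict. The names `check_row` and `SAMPLE_ROW`, the placeholder values, and the timestamp pattern (inferred from the page's single example) are assumptions.

```python
import re
import uuid

# Constraints copied from the parameter table on this page.
MANDATORY = {
    "region_id", "domain_id", "incident_type", "data_source", "environment",
    "workspace_id", "count", "handle_status", "create_time",
    "first_observed_time", "arrive_time", "description", "title",
    "verification_state", "version", "severity", "id",
}
MAX_LEN = {"ref_order_id": 128, "origin_id": 128, "description": 1024, "title": 255, "id": 36}
RANGE_0_100 = ("confidence", "criticality")
TIME_FIELDS = ("close_time", "update_time", "create_time",
               "first_observed_time", "arrive_time", "last_observed_time")
# Assumption: pattern inferred from the page's single example,
# 2023-04-13T10:36:20.580Z+0800 (the "Z" is treated as optional).
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z?[+-]\d{4}")


def check_row(row):
    """Return the problems found in one incident row (column name -> value)."""
    problems = []
    for field in sorted(MANDATORY):
        if row.get(field) in (None, ""):
            problems.append(f"{field}: mandatory value missing")
    for field, limit in MAX_LEN.items():
        if len(str(row.get(field) or "")) > limit:
            problems.append(f"{field}: longer than {limit} characters")
    for field in RANGE_0_100:
        value = row.get(field)
        if value not in (None, "") and not (isinstance(value, int) and 0 <= value <= 100):
            problems.append(f"{field}: not an integer in 0-100")
    for field in TIME_FIELDS:
        value = row.get(field)
        if value not in (None, "") and not TS_RE.fullmatch(str(value)):
            problems.append(f"{field}: does not match the template timestamp format")
    if row.get("id"):
        try:
            uuid.UUID(str(row["id"]))
        except ValueError:
            problems.append("id: not a UUID")
    return problems


# Constructed sample row with placeholder values; only confidence is out of range.
SAMPLE_ROW = {**dict.fromkeys(MANDATORY, "demo"), "count": 1, "confidence": 150,
              "id": "123e4567-e89b-12d3-a456-426614174000",
              **dict.fromkeys(("create_time", "first_observed_time", "arrive_time"),
                              "2023-04-13T10:36:20.580Z+0800")}
```

The allowed values of close_reason, handle_status, verification_state and severity are not listed on this page, so the check does not validate them.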
Exporting Incidents
- Log in to the management console.
- Click in the upper left corner of the page and choose .
- In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 3 Management
- In the navigation pane on the left, choose Threat Operations > Incidents.
Figure 4 Incidents
- On the Incidents page, select the incidents to be exported and click in the upper right corner of the list. The Export dialog box is displayed.
- In the Export dialog box, set parameters.
Table 2 Exporting incidents
Parameter | Description |
---|---|
Format | By default, the incident list is exported into an Excel file. |
Columns | Select the parameters to be exported. |
- Click OK.
The system automatically downloads the Excel file to your local PC.