Updated on 2023-10-31 GMT+08:00

Importing and Exporting Incidents

This section describes how to import incidents into a SecMaster workspace from an Excel file and how to export incidents from the incident list.

Limitations and Constraints

Only .xlsx files no larger than 20 MB can be imported.

Importing Incidents

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security > SecMaster.
  3. In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 1 Management

  4. In the navigation pane on the left, choose Threat Operations > Incidents.

    Figure 2 Incidents

  5. On the Incidents page, click Import in the upper left corner above the incident list.
  6. In the displayed Import dialog box, click Download Template to download the template, and fill in the downloaded template according to the requirements in Table 1.
  7. After filling in the template, click Add File in the same dialog box and select the Excel file you want to import.

  8. Click OK.

Parameters in the Incident Template

Import incidents based on the template requirements. For details about the parameters, see Table 1.

All Timestamp parameters use the ISO 8601-style format "YYYY-MM-DDTHH:mm:ss.ms+Time zone", where the time zone is that of the place where the corresponding event (recording, closing, updating, and so on) happened. If the time zone cannot be parsed, the default time zone GMT+8 is used. Example: 2023-04-13T10:36:20.580Z+0800

Table 1 Parameters in the incident template

| Parameter | Type | Mandatory | Description |
| --- | --- | --- | --- |
| extend_properties | Object | No | Extended properties of the incident. |
| ttr | Int | No | Response time (TTR) of the incident. |
| ttd | Int | No | Detection time (TTD) of the incident. |
| ref_order_id | String | No | Service ticket ID of the incident. Maximum 128 characters. |
| region_id | String | Yes | Region ID of the tenant to which the incident belongs. |
| domain_id | String | Yes | Domain ID of the tenant to which the incident belongs. |
| origin_id | String | No | Origin ID of the incident. Maximum 128 characters. |
| file_info | List<Object> | No | File information. |
| user_info | List<Object> | No | User information. |
| process | List<Object> | No | Process information. |
| incident_type | Object | Yes | Incident type. Example: {"incident_type":"demo","id":"demo"} |
| network_list | List<Object> | No | Network information. |
| resource_list | List<Object> | No | Affected resources. |
| malware | Object | No | Malware information. |
| system_info | Object | No | System information. |
| data_source | Object | Yes | Data source. Example: {"REGION_ID":"demo","product_feature":"demo","project_id":"demo","product_module":"demo","company_name":"demo","DOMAIN_ID":"demo","source_type":445428683,"product_name":"demo"} |
| remediation | Object | No | Remediation measures. |
| is_deleted | Boolean | No | Whether the incident is deleted. |
| environment | Object | Yes | Coordinates of the environment in which the incident was generated. |
| workspace_id | String | Yes | ID of the workspace to which the incident belongs. |
| sla | Int | No | SLA for closing the incident, in hours. This is the period during which the risk is accepted. |
| close_time | Timestamp | No | Closing time. Time zone: where the incident was closed. |
| owner | String | No | Owner (service owner) of the incident. |
| close_comment | String | No | Comment for the closure. |
| count | Int | Yes | Number of incident occurrences. |
| close_reason | String | No | Closure reason. One of: False detection, Resolved, Repeated, Other. |
| handle_status | String | Yes | Incident processing status. One of: Open (opened), Block (blocked), Closed (closed). Default: Open. |
| update_time | Timestamp | No | Update time. Time zone: where the incident was updated. |
| create_time | Timestamp | Yes | Recording time. Time zone: where the incident was recorded. Example: 2023-04-13T10:36:20.580Z+0800 |
| first_observed_time | Timestamp | Yes | First occurrence time. Time zone: where the incident occurred. |
| arrive_time | Timestamp | Yes | Receiving time. Time zone: where the incident was received. |
| last_observed_time | Timestamp | No | Latest occurrence time. Time zone: where the incident most recently occurred. |
| description | String | Yes | Incident description. Maximum 1024 characters. |
| ipdrr_phase | String | No | Phase number in the IPDRR (Identify, Protect, Detect, Respond, Recover) model. |
| title | String | Yes | Incident name. Maximum 255 characters. |
| confidence | Int | No | Incident confidence, the accuracy of the identified behavior or event. Range 0–100: 0 means 0% confidence, 100 means 100% confidence. |
| verification_state | String | Yes | Verification status, used to record the accuracy of the incident. One of: Unknown (status unknown), True_Positive (confirmed), False_Positive (false positive). Default: Unknown. |
| version | String | Yes | Version of the incident object. |
| actor | String | No | Incident investigator. |
| creator | String | No | Creator. |
| simulation | Boolean | No | Debugging field. |
| severity | String | Yes | Incident level. One of: Tips (no threat found), Low (no action required for the threat), Medium (the threat must be handled but is not urgent), High (the threat must be handled with priority), Fatal (the threat must be handled immediately to prevent further damage). |
| criticality | Int | No | Importance of the resource involved in the incident. Range 0–100: 0 means the resource is not critical, 100 means it is critical. |
| source_url | String | No | Incident URL, pointing to the description page of this incident in the data source product. |
| id | String | Yes | Unique identifier of the incident, in UUID format. Maximum 36 characters. |
| labels | String | No | Labels. |
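A filled template that violates Table 1 (a missing mandatory column, a severity outside the allowed set, an id that is not a UUID, a timestamp the service cannot parse) is only discovered when the import is rejected or, worse, when the row lands with the GMT+8 fallback applied to the wrong time. The following pre-flight checker is an added example, not SecMaster code: it validates rows that have already been read out of the .xlsx into dictionaries (for example with openpyxl, which is not shown) against the constraints in Table 1 and the 20 MB/.xlsx limit above. Three points are assumptions rather than documented behaviour: when a value carries both "Z" and an offset, as in the page's own example "2023-04-13T10:36:20.580Z+0800", the trailing offset is taken as the time zone; a value with no zone at all gets the GMT+8 default; and source_url is restricted to http(s) links because it is opened from the console. The sample row is constructed for the example.

```python
import os
import re
import uuid
from datetime import datetime, timedelta, timezone

MAX_XLSX_BYTES = 20 * 1024 * 1024  # page: only .xlsx files no larger than 20 MB

# Constraints transcribed from Table 1 of the incident template.
MANDATORY = {"region_id", "domain_id", "incident_type", "data_source", "environment",
             "workspace_id", "count", "handle_status", "create_time",
             "first_observed_time", "arrive_time", "description", "title",
             "verification_state", "version", "severity", "id"}
MAX_LEN = {"ref_order_id": 128, "origin_id": 128, "description": 1024, "title": 255, "id": 36}
ENUMS = {
    "handle_status": {"Open", "Block", "Closed"},
    "verification_state": {"Unknown", "True_Positive", "False_Positive"},
    "severity": {"Tips", "Low", "Medium", "High", "Fatal"},
    "close_reason": {"False detection", "Resolved", "Repeated", "Other"},
}
PERCENT = {"confidence", "criticality"}          # Int, 0-100
TIMESTAMPS = {"close_time", "update_time", "create_time", "first_observed_time",
              "arrive_time", "last_observed_time"}
DEFAULT_TZ = timezone(timedelta(hours=8))        # page: unparsable zone -> GMT+8

# "YYYY-MM-DDTHH:mm:ss.ms+Time zone"; the page's example also carries a 'Z' before
# the offset, which datetime.fromisoformat() rejects, so the zone is split off here.
_TS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?)(Z?)([+-]\d{2}:?\d{2})?$")


def parse_template_time(value):
    """Return an aware datetime for a template timestamp string.

    Assumption: a trailing offset wins over 'Z'; no zone at all falls back to GMT+8.
    """
    m = _TS_RE.match(str(value))
    if not m:
        raise ValueError(f"not a template timestamp: {value!r}")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in m.group(1) else "%Y-%m-%dT%H:%M:%S"
    naive = datetime.strptime(m.group(1), fmt)
    offset = m.group(3)
    if offset:
        sign = 1 if offset[0] == "+" else -1
        digits = offset[1:].replace(":", "")
        tz = timezone(sign * timedelta(hours=int(digits[:2]), minutes=int(digits[2:])))
    elif m.group(2) == "Z":
        tz = timezone.utc
    else:
        tz = DEFAULT_TZ
    return naive.replace(tzinfo=tz)


def validate_row(row):
    """Return the list of problems found in one template row ([] means valid)."""
    problems = []
    for key in sorted(MANDATORY):
        if row.get(key) in (None, ""):
            problems.append(f"{key}: mandatory field missing")
    for key, limit in MAX_LEN.items():
        if key in row and len(str(row[key])) > limit:
            problems.append(f"{key}: longer than {limit} characters")
    for key, allowed in ENUMS.items():
        if key in row and row[key] not in allowed:
            problems.append(f"{key}: {row[key]!r} not in {sorted(allowed)}")
    for key in sorted(PERCENT):
        if key in row and not (isinstance(row[key], int) and 0 <= row[key] <= 100):
            problems.append(f"{key}: must be an integer in 0-100")
    if "count" in row and not isinstance(row["count"], int):
        problems.append("count: must be an integer")
    for key in sorted(TIMESTAMPS):
        if key in row:
            try:
                parse_template_time(row[key])
            except ValueError as exc:
                problems.append(f"{key}: {exc}")
    if row.get("id"):
        try:
            uuid.UUID(str(row["id"]))
        except ValueError:
            problems.append("id: not a UUID")
    # Assumption (not on the page): source_url is opened from the console, so
    # only http(s) links are accepted; this rejects javascript:/file: payloads.
    url = row.get("source_url")
    if url and not re.match(r"^https?://", str(url)):
        problems.append("source_url: only http(s) URLs accepted")
    return problems


def check_import_file(path, size=None):
    """Apply the page's file limits; returns an error string or None when acceptable."""
    if not path.lower().endswith(".xlsx"):
        return f"{path}: only .xlsx files can be imported"
    size = os.path.getsize(path) if size is None else size
    if size > MAX_XLSX_BYTES:
        return f"{path}: {size} bytes exceeds the 20 MB limit"
    return None


# Constructed sample row (not real incident data); object values mirror Table 1's examples.
SAMPLE_ROW = {
    "id": "8f1c2e5a-3b4d-4c6e-9a7f-0b1c2d3e4f5a",
    "title": "Suspicious login burst",
    "description": "Constructed example incident for the validator.",
    "region_id": "demo", "domain_id": "demo", "workspace_id": "demo",
    "incident_type": {"incident_type": "demo", "id": "demo"},
    "data_source": {"REGION_ID": "demo", "product_name": "demo", "source_type": 445428683},
    "environment": {"region": "demo"},
    "count": 1, "version": "1",
    "handle_status": "Open", "verification_state": "Unknown", "severity": "Medium",
    "create_time": "2023-04-13T10:36:20.580Z+0800",
    "first_observed_time": "2023-04-13T10:30:00.000+08:00",
    "arrive_time": "2023-04-13T10:36:21.000Z",
    "confidence": 75,
}

if __name__ == "__main__":
    print(check_import_file("incidents.xlsx", size=4096))
    print(validate_row(SAMPLE_ROW))
```

Run the checker over every row before uploading; a sheet that comes from another team or an external tool should be treated as untrusted input, and rejecting it locally is cheaper than cleaning up incidents that landed with wrong times or unverified links.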

Exporting Incidents

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security > SecMaster.
  3. In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 3 Management

  4. In the navigation pane on the left, choose Threat Operations > Incidents.

    Figure 4 Incidents

  5. On the Incidents page, select the incidents to be exported and click in the upper right corner of the list. The Export dialog box is displayed.
  6. In the Export dialog box, set parameters.

    Table 2 Exporting incidents

    Parameter

    Description

    Format

    By default, the incident list is exported as an Excel (.xlsx) file.

    Columns

    Select the parameters to be exported.

  7. Click OK.

    The system automatically downloads the Excel file to your local PC.