Viewing Incidents
Scenario
An incident is a broad concept. It can include but is not limited to alerts. It can be a part of normal system operations, exceptions, or errors. In the O&M and security fields, an incident usually refers to a problem or fault that has occurred and needs to be focused on, investigated, and handled. An incident may be triggered by one or more alerts or other factors, such as user operations and system logs.
An incident is usually used to record and report historical activities in a system for analysis and audits.
On the Incidents page in SecMaster, you can check the incident list for the last 360 days. The list contains incident names, types, severity levels, and occurrence times. By customizing filter conditions, such as the incident name, risk severity, and time, you can quickly find information about a specific incident.
This topic describes how to view incident information.
Procedure
- Log in to the management console.
- Click in the upper part of the page and choose Security > SecMaster.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
- In the navigation pane on the left, choose .
- On the Incidents page, view incident details.
Figure 1 Viewing incidents
Table 1 Viewing an Incident

| Parameter | Description |
| --- | --- |
| Unhandled Incidents | This area displays the number of incidents that are not handled within the specified time range in the current workspace. The unhandled incidents are displayed by severity. |
| Auto (Incidents Handled Automatically) | This area displays the number of incidents that are handled automatically by playbooks within the specified time range in the current workspace. |
| Manual Incident (Incidents Handled Manually) | This area displays the number of incidents that are handled manually within the specified time range in the current workspace. |
| Incidents Number (Incidents) | This area displays the number of incidents that are reported within the specified time range in the current workspace. |
| Incident list | The list displays more details about each incident. |

You can view the total number of incidents below the incident list. You can view a maximum of 10,000 incident records page by page. To view more than 10,000 records, optimize the filter criteria.
In the incident list, you can view the incident name, severity, source, and status. To obtain an overview of an incident, click the incident name. The incident overview panel is displayed on the right.
- On the Incident Overview panel, you can view incident handling suggestions, basic information, and associated information (including associated threat indicators, alerts, incidents, and attack information).
- To view incident details, click Incident Details in the lower right corner of the incident overview panel. The incident details page is displayed.
On the details page, you can view the incident timeline and attack information in addition to the information on the overview page. For example, you can view the first occurrence time of an incident, detection time, and attack process ID.
- On the incident overview or details page, you can change the incident severity and status in the corresponding drop-down list boxes.
- On the incident overview or details page, you can associate or disassociate alerts, incidents, and indicators and view information about affected resources.