Version: 5.3

Incident Manager

General Description

The Incident Manager module registers security incidents and provides convenient tools for working with them. The module classifies events by severity level and supports the full incident management cycle.

An incident is an event detected by a correlation search that contains deviations from normal activity indicators. For example, an incident may be a sudden surge in network activity during a specified time period.

Each incident is assigned a severity level, an indicator of the threat degree that helps determine the urgency and order of response to the event. The standard severity levels in Incident Manager are Normal, Warning, Critical, and Information.

To adapt the module to specific monitoring tasks, Incident Manager provides tools for flexible configuration of the incident field composition through the incident card interface. In addition to the standard system attributes, custom fields of various types can be created, from simple text and numeric fields to elements with Markdown markup support.

Support for dynamic filters and a token system makes it possible to populate incident fields automatically from search queries and to build logical dependencies between fields. Such deep customization ensures complete context during investigation and allows the incident structure to be brought in line with security regulations.


Functional Capabilities

The Incident Manager interface allows:

  • searching for incidents with flexible filter settings
  • editing incidents, for example changing their status or severity level and assigning responsible persons
  • creating incidents manually with necessary parameters
  • viewing incident details and change history
  • grouping similar incidents and building statistics for incidents in a group
  • performing active actions when transferring incidents between statuses
  • performing active actions at the user's initiative for individual incidents or groups of incidents

The Incident Manager module interface is presented in the image below:

Incident manager interface


Workflow. Active Actions

The foundation of the incident lifecycle is the Workflow, which implements a clear scheme for incident processing from creation to completion, including all possible statuses, the transition rules between them and the role restrictions on these operations. Smart Monitor supports the simultaneous existence of multiple workflows, which can be assigned automatically to new incidents according to their creation rules.

An example of a workflow in the form of a graph is presented below:

Workflow

When an incident's status changes, Active Actions can be performed: operations for automated incident response, such as sending notifications or assigning responsible persons.
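The workflow model described above (statuses, role-restricted transitions, active actions fired on a status change, and a creation rule that picks a workflow per incident) as an added illustration; this is constructed example code, not Smart Monitor's own implementation, and the status names, roles, actions and the severity-based creation rule are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of a workflow; not Smart Monitor's own data structures.
@dataclass
class Incident:
    severity: str                      # Normal, Warning, Critical or Information
    status: str
    assignee: Optional[str] = None
    history: list = field(default_factory=list)   # (from, to, role) per transition

@dataclass
class Workflow:
    name: str
    # (from_status, to_status) -> roles permitted to perform that transition
    transitions: dict
    # status -> active actions run when an incident enters that status
    actions: dict = field(default_factory=dict)

    def move(self, inc: Incident, to_status: str, role: str) -> str:
        """Apply a status change; returns 'ok', 'invalid' or 'denied'."""
        key = (inc.status, to_status)
        if key not in self.transitions:
            return "invalid"                       # no such edge in the workflow graph
        if role not in self.transitions[key]:
            return "denied"                        # role restriction on this transition
        inc.history.append((inc.status, to_status, role))
        inc.status = to_status
        for action in self.actions.get(to_status, []):   # active actions fire here
            action(inc)
        return "ok"

# Hypothetical active actions: assign an on-call analyst, record a notification.
NOTIFICATIONS: list = []
def assign_on_call(inc: Incident) -> None:
    inc.assignee = "on-call-analyst"
def notify_soc(inc: Incident) -> None:
    NOTIFICATIONS.append(f"{inc.severity} incident is now {inc.status}")

STANDARD = Workflow("standard", {
    ("New", "In Progress"): {"analyst", "admin"},
    ("In Progress", "Closed"): {"analyst", "admin"},
}, actions={"In Progress": [assign_on_call]})

ESCALATED = Workflow("escalated", {
    ("New", "In Progress"): {"analyst", "admin"},
    ("In Progress", "Closed"): {"admin"},          # only admins may close Critical incidents
}, actions={"In Progress": [assign_on_call, notify_soc], "Closed": [notify_soc]})

def choose_workflow(severity: str) -> Workflow:
    """Constructed creation rule: Critical incidents get the escalated workflow."""
    return ESCALATED if severity == "Critical" else STANDARD
```

A transition that is not an edge of the workflow graph is rejected before any role check, so an analyst cannot skip the In Progress status even where the role would otherwise be allowed to close the incident.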