Incident
An incident is an event detected by a correlation search that contains indicators of abnormal activity.
In Smart Monitor, incidents can be created in two ways: manually in the Incident Manager interface, or automatically with the Create Incident active action in Task Scheduler.
Incident Field Description
The set of incident fields is configured in the incident card. By default, an incident is described by the following main fields:
Date and Time:
- Date and time when the incident occurred
Severity:
- Threat level indicator of the incident. Displayed as a circular icon of a specific color
Examples of values:
- Normal: 🟢 Green
- Information: 🔵 Blue
- Warning: 🟡 Yellow
- Critical: 🔴 Red
You can configure your own severity levels in the Incident Manager module settings.
Incident:
- Brief description of the event that caused the incident
Status:
- Current status of the incident, reflecting where it is in the handling process. The list of statuses and the rules for transitions between them are configured in the Workflow
Examples of values:
- New: a new incident has been received by Incident Manager; work on it has not started
- In Progress: the incident has been taken into work
- Verification: the work required to eliminate the incident is being agreed, or the possibility of closing the incident after its elimination is being agreed
- Rejected: the incident is postponed until the reason for rejection is eliminated
- Closed: the work to eliminate the incident is complete and the incident has been closed by agreement
Responsible:
- Employee or group of employees responsible for eliminating the incident.
A work history is kept for each incident, in which you can track every status change, every change of field values, and the comments left.
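To make the Status and history fields concrete, here is an added example (not Smart Monitor's own code) of an incident object that enforces transition rules between the statuses listed above and records every status change, field change and comment in a history. The allowed transitions in TRANSITIONS are an assumption standing in for rules that, in the product, are configured in the Workflow; the field names, the default Responsible value and the demo() scenario are likewise constructed.

```python
"""Incident lifecycle with enforced status transitions and a change history.

Added example; not Smart Monitor's code. The status names are the ones the
page lists. The transition table is an ASSUMPTION: in the product these
rules are configured in the Workflow.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed transition rules: status -> set of statuses it may move to.
# Closed is terminal; Rejected can only be picked up again.
TRANSITIONS = {
    "New": {"In Progress", "Rejected"},
    "In Progress": {"Verification", "Rejected"},
    "Verification": {"Closed", "In Progress"},
    "Rejected": {"In Progress"},
    "Closed": set(),
}

EDITABLE_FIELDS = ("summary", "severity", "responsible")


@dataclass
class HistoryEntry:
    ts: datetime
    actor: str
    kind: str      # "status", "field" or "comment"
    detail: str


@dataclass
class Incident:
    summary: str          # "Incident" field: brief description of the event
    severity: str         # e.g. "Critical"
    responsible: str      # employee or group responsible for elimination
    status: str = "New"
    history: list = field(default_factory=list)

    def _log(self, actor, kind, detail):
        self.history.append(
            HistoryEntry(datetime.now(timezone.utc), actor, kind, detail))

    def set_status(self, new_status, actor):
        """Move to new_status only if the workflow allows it from the current one."""
        if new_status not in TRANSITIONS:
            raise ValueError(f"unknown status {new_status!r}")
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(
                f"transition {self.status!r} -> {new_status!r} is not allowed")
        old, self.status = self.status, new_status
        self._log(actor, "status", f"{old} -> {new_status}")

    def set_field(self, name, value, actor):
        """Change an editable field and record the old and new values."""
        if name not in EDITABLE_FIELDS:
            raise ValueError(f"field {name!r} is not editable")
        old = getattr(self, name)
        setattr(self, name, value)
        self._log(actor, "field", f"{name}: {old!r} -> {value!r}")

    def comment(self, text, actor):
        self._log(actor, "comment", text)


def demo():
    """Constructed scenario: walk an incident from New to Closed, then try to reopen it."""
    inc = Incident("Potentially malicious shell script detected",
                   "Critical", "SOC L1")
    inc.set_status("In Progress", "analyst1")
    inc.comment("Script pulled from host for analysis", "analyst1")
    inc.set_field("responsible", "SOC L2", "analyst1")
    inc.set_status("Verification", "analyst2")
    inc.set_status("Closed", "soc_lead")
    try:
        inc.set_status("In Progress", "analyst1")   # Closed is terminal
        reopened = True
    except ValueError:
        reopened = False
    return inc, reopened


if __name__ == "__main__":
    incident, reopened = demo()
    for h in incident.history:
        print(f"{h.ts.isoformat()} {h.actor:10} {h.kind:8} {h.detail}")
    print("reopened after close:", reopened)
```

Because every mutation goes through set_status, set_field or comment, the history is the complete audit trail the page describes; an attempt to reopen a Closed incident is refused by the transition table rather than silently accepted.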

Typical Incident Examples
Working with incidents in the Incident Manager module lets you respond promptly to emerging security events and apply various actions to them.
For example, an incident could be the detection of a potentially malicious shell script.
The image below shows an incident with the highest severity level Critical.

The system recorded an attempt by user AndreevSA on workstation EKB-WS396 to obtain configuration data for the SplunkForwarder service. The user ran the query write.service.SplunkForwarder get Pathname from the command line using the system's WMI tools.
Once taken into work, this incident can be moved to the Close or Cancel status, marked as a False Positive, or handled with the Block User action.
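The WMI service-configuration query in this incident is the kind of event a correlation search would raise: querying the path of a monitoring agent's binary is a common precursor to tampering with it. As an added example (not a Smart Monitor correlation search), the rule below runs over a few constructed process-creation records and produces incident candidates carrying the fields described above. The record format, the sample lines, the list of monitoring-agent service names and the default Responsible value are assumptions; the rule matches on the tokens service, get and pathname (or sc qc) rather than one exact command string, so the query as quoted above is caught as well as the standard wmic spelling.

```python
"""Detection rule: a user queries the configuration of a monitoring agent
service through WMI or sc, as in the incident described above.

Added example; not Smart Monitor's correlation search. The log format and
all sample lines are constructed; the agent list is an assumption.
"""
import re

# Services whose configuration an attacker inspects before disabling
# monitoring. Assumed list; extend to the agents deployed in your estate.
MONITORED_AGENTS = {"splunkforwarder", "sysmon", "winlogbeat"}

# Token-based match: `wmic service ... get PathName` in any spelling, or
# `sc qc <service>`. Matching on tokens rather than an exact command keeps
# the rule robust to quoting and aliasing differences.
QUERY_RE = re.compile(
    r"\bservice\b.*\bget\b.*\bpathname\b|\bsc(\.exe)?\s+qc\b", re.IGNORECASE)

# Constructed process-creation records in a simple key=value|key=value form.
SAMPLE_LOGS = [
    'ts=2024-03-12T09:41:07Z|host=EKB-WS396|user=AndreevSA|parent=cmd.exe'
    '|cmdline=wmic service where name="SplunkForwarder" get PathName',
    'ts=2024-03-12T09:42:10Z|host=EKB-WS401|user=svc_backup|parent=backup.exe'
    '|cmdline=wmic logicaldisk get size,freespace',
    'ts=2024-03-12T09:43:55Z|host=EKB-WS396|user=AndreevSA|parent=cmd.exe'
    '|cmdline=write.service.SplunkForwarder get Pathname',
    'ts=2024-03-12T09:45:02Z|host=EKB-SRV02|user=admin|parent=cmd.exe'
    '|cmdline=sc qc Sysmon',
    'ts=2024-03-12T09:46:30Z|host=EKB-SRV02|user=admin|parent=cmd.exe'
    '|cmdline=sc qc Spooler',
]


def parse(line):
    """Parse one constructed key=value|... record into a dict."""
    rec = {}
    for tok in line.split("|"):
        key, _, value = tok.partition("=")
        rec[key.strip()] = value.strip()
    return rec


def queried_agent(cmdline):
    """Return the monitored agent named in a service-configuration query, else None."""
    if not QUERY_RE.search(cmdline):
        return None
    lowered = cmdline.lower()
    for agent in MONITORED_AGENTS:
        if agent in lowered:
            return agent
    return None          # a service query, but not against a monitoring agent


def detect(lines):
    """Run the rule over process-creation records; return incident candidates."""
    incidents = []
    for line in lines:
        rec = parse(line)
        agent = queried_agent(rec.get("cmdline", ""))
        if agent is None:
            continue
        incidents.append({
            "date_time": rec.get("ts"),
            "severity": "Critical",
            "incident": (f"User {rec.get('user')} on {rec.get('host')} queried "
                         f"configuration of the {agent} service: "
                         f"{rec.get('cmdline')}"),
            "status": "New",
            "responsible": "SOC L1",      # assumed default assignee
        })
    return incidents


if __name__ == "__main__":
    for inc in detect(SAMPLE_LOGS):
        print(inc["date_time"], inc["severity"], inc["incident"])
```

Of the five constructed records, three produce incidents: the two SplunkForwarder queries from EKB-WS396 and the sc qc Sysmon lookup. The disk-space wmic call and the Spooler query are ignored because either the command is not a service query or the service is not a monitoring agent, which is the distinction that keeps this rule from paging on routine administration.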