Version: 6.0

Incident Card Overview

The article describes the structure and capabilities of the incident card.

General Description

The data in the card is divided into several sections (blocks). Below is a card with all possible blocks:

General Screen

Next is a detailed breakdown of each block.


Main Block and Meta Information

The main block contains:

  • Incident Description
  • Additional Fields - fields from the search query
  • Incident Details - fields from the incident card

If integration with the Inventory module is configured for the incident's additional fields, the assets linked to the incident are displayed in the main block as cards.

For example, the block with the main information is shown below. In it, you can see the Inventory link by the ID field with two values, and for each of them the corresponding asset is found:

The Meta Information block contains:

  • incident identifier
  • rule name from which the incident was generated
  • incident creation time
  • related notes - list of notes mentioning this incident

Example of Meta Information block:


Inventory and Mitre ATT&CK Blocks

If integration with the Inventory module is configured for the incident's additional fields, the assets linked to the incident are displayed not only in the main block but also in the Inventory block, again as cards:

The Mitre ATT&CK block contains data about the linked MITRE object, if there is one:


The Related Incidents block is a table that is empty by default for an incident. Clicking the Add button writes data from another incident to this table. Incidents are added by identifier.

Related Incidents Table

Incident linking works in both directions: the linked incident will also have a link to the incident it is linked to.

If this function is not needed, it can be disabled in the Module Settings section by turning off the setting for the Related Incidents type:


History Block

The incident history contains information about status changes or field modifications during editing, added comments, and results of executed active actions:

History Block in Incident Manager

To change the incident status, click the status button and select the desired transition from the dropdown list.

Files can also be attached to an incident. This can be done through the history block, through the comment text editor, or through bulk incident editing.

When adding through the text editor, files can be added using the Ctrl+V key combination. File names will be rendered in the comment text, and images will be displayed both in the history block and in the Comment column, where the last comment on the incident is displayed.

The Incident Manager module can be configured in the Module Settings - Incident Manager - File Storage section.

Filters

Filters are located at the top of the history block, allowing you to choose which data will be displayed:

Events — shows which fields or statuses were changed.

History Block filtered by Events

Comments — displays added comments.

History Block filtered by Comments

Active Actions — allows viewing results of executed active actions (scripts).

History Block filtered by Active Actions

By default, all filters are turned off, and all actions are displayed in the block. Filters are not mutually exclusive, so you can use multiple filters simultaneously to select the desired data.

History Block filtered by multiple filters

Next to each filter name, a number is displayed — the count of records hidden under this filter.

Adding a Comment

Comments are added within the history block. To add one, click the Add a comment... input field, which is located below the filter row.

Add a comment

After clicking, a text editor for adding a comment will open.

Markdown for adding a comment

The comment text editor has the following functions:

  • Header selection — you can choose header level through the dropdown menu
  • Text formatting — bold, italic, text color, styling (underline, strikethrough, superscript/subscript)
  • Lists — bulleted, numbered
  • Link insertion — allows adding a link to selected text through a dialog box or directly
  • Code blocks — supports inserting code blocks with formatting
  • Tables — creating and editing tables, including inserting, deleting rows and columns

At the bottom of the editor, there is a display mode switcher that allows switching to text editing mode. In this mode, you can manually edit the Markdown text. This allows adding specific Markdown markup features that are not available through the buttons in the visual editor.