Kaspersky Unified Monitoring and Analysis Platform

About the incidents table

April 8, 2024

ID 220214

The main part of the Incidents section shows a table containing information about registered incidents. If required, you can change the set of columns and the order in which they are displayed in the table.

How to customize the incidents table

Available columns of the incidents table:

  • Name—the name of the incident.
  • Threat duration—the time span during which the incident occurred (the time between the first and the last event related to the incident).
  • Assigned to—the name of the security officer to whom the incident was assigned for investigation or response.
  • Created—the date and time when the incident was created. This column allows you to filter incidents by the time they were created.
    • The following preset periods are available: Today, Yesterday, This week, Previous week.
    • If required, you can set an arbitrary period by using the calendar that opens when you select Before date, After date, or In period.
  • Tenant—the name of the tenant that owns the incident.
  • Status—current status of the incident:
    • Opened—new incident that has not been processed yet.
    • Assigned—the incident has been processed and assigned to a security officer for investigation or response.
    • Closed—the incident is closed; the security threat has been resolved.
  • Alerts number—the number of alerts included in the incident. Only the alerts of those tenants to which you have access are taken into account.
  • Priority—the severity of the possible security threat: Critical, High, Medium, or Low.
  • Affected asset categories—categories of alert-related assets with the highest severity. No more than three categories are displayed.
  • Updated—the date and time of the last change made in the incident.
  • First event and Last event—dates and times of the first and last events in the incident.
  • Incident category and Incident type—the category and type of threat assigned to the incident.
  • Export to NCIRCC—the status of incident data export to NCIRCC:
    • Not exported—the data was not forwarded to NCIRCC.
    • Export failed—an attempt to forward data to NCIRCC ended with an error, and the data was not transmitted.
    • Exported—data on the incident has been successfully transmitted to NCIRCC.
  • Branch—data on the specific node where the incident was created. Incidents of your node are displayed by default. This column is displayed only when hierarchy mode is enabled.
  • CII—an indication of whether the incident involves assets that are CII objects. The column is hidden from the users who do not have access to CII objects.

In the Search field, you can enter a regular expression for searching incidents based on their related assets, users, tenants, and correlation rules. Parameters that can be used for a search:

  • Assets: name, FQDN, IP address.
  • Active Directory accounts: attributes displayName, SAMAccountName, and UserPrincipalName.
  • Correlation rules: name.
  • KUMA users who were assigned alerts: name, login, email address.
  • Tenants: name.

When filtering incidents based on a specific parameter, the corresponding column in the incidents table is highlighted in yellow.
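The following Python model illustrates the search and Created-period behaviour described above. It is an added example, not KUMA code: the Incident data class, the sample incidents, the function names and the matching semantics (unanchored, case-insensitive re.search; weeks starting on Monday; half-open date ranges) are all assumptions made for the demonstration, since the page does not specify them. The search reports which of the page's parameter groups (Assets, Active Directory accounts, Correlation rules, KUMA users, Tenants) matched, which is the information a UI needs to highlight the corresponding column.

```python
"""Illustrative model of the KUMA incidents table search and Created filter.
Added example, not KUMA code; all names and semantics below are assumptions."""
import re
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Incident:
    name: str
    status: str                 # Opened / Assigned / Closed
    priority: str               # Critical / High / Medium / Low
    created: datetime
    tenant: str
    assets: List[Dict[str, str]] = field(default_factory=list)       # name, fqdn, ip
    ad_accounts: List[Dict[str, str]] = field(default_factory=list)  # displayName, SAMAccountName, UserPrincipalName
    correlation_rules: List[str] = field(default_factory=list)
    assigned_to: Optional[Dict[str, str]] = None                     # name, login, email


def searchable_values(inc: Incident) -> List[Tuple[str, str]]:
    """(parameter group, value) pairs the Search field is matched against, per the page."""
    pairs: List[Tuple[str, str]] = []
    for a in inc.assets:
        pairs += [("Assets", a[k]) for k in ("name", "fqdn", "ip") if a.get(k)]
    for acc in inc.ad_accounts:
        pairs += [("Active Directory accounts", acc[k])
                  for k in ("displayName", "SAMAccountName", "UserPrincipalName") if acc.get(k)]
    pairs += [("Correlation rules", r) for r in inc.correlation_rules]
    if inc.assigned_to:
        pairs += [("KUMA users", inc.assigned_to[k]) for k in ("name", "login", "email") if inc.assigned_to.get(k)]
    pairs.append(("Tenants", inc.tenant))
    return pairs


def search(incidents: List[Incident], pattern: str) -> List[Tuple[Incident, Set[str]]]:
    """Return [(incident, matched parameter groups)]. Unanchored, case-insensitive
    matching is an assumption; an invalid regex raises re.error to the caller."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for inc in incidents:
        groups = {grp for grp, val in searchable_values(inc) if rx.search(val)}
        if groups:
            hits.append((inc, groups))
    return hits


def preset_period(preset: str, today: date) -> Tuple[datetime, datetime]:
    """Half-open [start, end) range for the Created presets; Monday-based weeks (assumption)."""
    day = timedelta(days=1)
    monday = today - timedelta(days=today.weekday())
    ranges = {
        "Today": (today, today + day),
        "Yesterday": (today - day, today),
        "This week": (monday, monday + 7 * day),
        "Previous week": (monday - 7 * day, monday),
    }
    start, end = ranges[preset]
    return datetime.combine(start, datetime.min.time()), datetime.combine(end, datetime.min.time())


def filter_created(incidents: List[Incident], start: Optional[datetime] = None,
                   end: Optional[datetime] = None) -> List[Incident]:
    """Before date (end only), After date (start only) or In period (both); half-open."""
    return [inc for inc in incidents
            if (start is None or inc.created >= start) and (end is None or inc.created < end)]


# Constructed sample incidents (not real data).
SAMPLE = [
    Incident("Lateral movement on FS01", "Assigned", "High", datetime(2024, 4, 8, 9, 30), "Tenant A",
             assets=[{"name": "FS01", "fqdn": "fs01.corp.example", "ip": "10.0.5.17"}],
             ad_accounts=[{"displayName": "J. Doe", "SAMAccountName": "jdoe",
                           "UserPrincipalName": "jdoe@corp.example"}],
             correlation_rules=["R123_Remote_Service_Exec"],
             assigned_to={"name": "Analyst One", "login": "analyst1", "email": "analyst1@soc.example"}),
    Incident("Brute force on VPN", "Opened", "Medium", datetime(2024, 4, 1, 22, 5), "Tenant B",
             assets=[{"name": "VPN-GW", "fqdn": "vpn.corp.example", "ip": "192.0.2.10"}],
             correlation_rules=["R045_Auth_Bruteforce"]),
]

if __name__ == "__main__":
    for inc, groups in search(SAMPLE, r"^10\.0\.5\."):
        print(inc.name, "-> highlight:", sorted(groups))
    start, end = preset_period("This week", date(2024, 4, 8))
    print([i.name for i in filter_created(SAMPLE, start, end)])
```

Two points worth noting when using a regular expression in the Search field: an unanchored pattern matches substrings, so `10.0.5.1` also matches the asset with IP `10.0.5.17` unless it is anchored (`^10\.0\.5\.1$`), and an unescaped dot matches any character, so `10.0.5.1` would also match `10x0y5z1`. Escaping the dots and anchoring the pattern avoids pulling unrelated incidents into the result.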
