Kaspersky Unified Monitoring and Analysis Platform

Viewing information about an incident

April 8, 2024

ID 220362

To view information about an incident:

  1. In the program web interface window, select the Incidents section.
  2. Select the incident whose information you want to view.

This opens a window containing information about the incident.

Some incident parameters are editable.

In the upper part of the Incident details window, there is a toolbar and the name of the user to whom the incident is assigned. The window sections are displayed as tabs. You can click a tab to move to the relevant section. In this window, you can process the incident: assign it to a user, combine it with another incident, or close it.

The Description section contains the following data:

  • Created—the date and time when the incident was created.
  • Name—the name of the incident.

    You can change the name of an incident by entering a new name in the field and clicking Save. The name must contain 1 to 128 Unicode characters.

  • Tenant—the name of the tenant that owns the incident.

    The tenant can be changed by selecting the required tenant from the drop-down list and clicking Save.

  • Status—current status of the incident:
    • Opened—new incident that has not been processed yet.
    • Assigned—the incident has been processed and assigned to a security officer for investigation or response.
    • Closed—the incident is closed; the security threat has been resolved.
  • Priority—the severity of the threat posed by the incident. Possible values:
    • Critical
    • High
    • Medium
    • Low

    Priority can be changed by selecting the required value from the drop-down list and clicking Save.

  • Affected asset categories—the assigned categories of assets associated with the incident.
  • First event time and Last event time—dates and times of the first and last events in the incident.
  • Type and Category—type and category of the threat assigned to the incident. You can change these values by selecting the relevant value from the drop-down list and clicking Save.
  • Export to NCIRCC—information on whether or not this incident was exported to NCIRCC.
  • Description—description of the incident.

    To change the description, edit the text in the field and click Save. The description can contain no more than 256 Unicode characters.

  • Related tenants—tenants associated with incident-related alerts, assets, and users.
  • Available tenants—tenants whose alerts can be linked to the incident automatically.

    The list of available tenants can be changed by checking the boxes next to the required tenants in the drop-down list and clicking Save.

The Related alerts section contains a table of alerts related to the incident. When you click on the alert name, a window opens with detailed information about this alert.

The Related endpoints and Related users sections contain tables with data on assets and users related to the incident. This information comes from alerts that are related to the incident.

You can add data to the tables in the Related alerts, Related endpoints and Related users sections by clicking the Link button in the appropriate section and selecting the object to be linked to the incident in the window that opens. If required, you can unlink objects from the incident: select the objects, click Unlink in the section to which they belong, and save the changes. Objects that were added to the incident automatically (from a linked alert) cannot be unlinked until the alert mentioning those objects is unlinked. The set of columns shown in the tables can be changed by clicking the gear button in the relevant section. You can search the data in the tables of these sections using the Search fields.
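The editing rules stated above (name of 1 to 128 Unicode characters, description of at most 256, the fixed status and priority values, and the rule that automatically added objects cannot be unlinked while their alert is linked) can be captured in a small model. The following is an added example and not KUMA's own code; alert names such as "alert-1" and asset ids such as "host-01" are constructed sample values.

```python
# Added example (not KUMA's own code): an in-memory model of the incident
# editing rules on this page. Alert names and asset ids are constructed.
from dataclasses import dataclass, field

STATUSES = ("Opened", "Assigned", "Closed")
PRIORITIES = ("Critical", "High", "Medium", "Low")


@dataclass
class Incident:
    name: str
    description: str = ""
    status: str = "Opened"
    priority: str = "Medium"
    alerts: dict = field(default_factory=dict)  # alert name -> assets it mentions
    manual_endpoints: set = field(default_factory=set)  # assets linked by hand

    def __post_init__(self):
        self.rename(self.name)
        self.describe(self.description)
        if self.status not in STATUSES or self.priority not in PRIORITIES:
            raise ValueError("unknown status or priority")

    def rename(self, name):
        # len() counts code points: the limit is Unicode characters, not bytes
        if not 1 <= len(name) <= 128:
            raise ValueError("name must contain 1 to 128 Unicode characters")
        self.name = name

    def describe(self, text):
        if len(text) > 256:
            raise ValueError("description may not exceed 256 Unicode characters")
        self.description = text

    def link_alert(self, alert_name, endpoints):
        self.alerts[alert_name] = frozenset(endpoints)

    def unlink_alert(self, alert_name):
        del self.alerts[alert_name]

    def related_endpoints(self):
        # Related endpoints = assets from linked alerts plus manually linked ones
        return set().union(*self.alerts.values()) | self.manual_endpoints

    def unlink_endpoint(self, asset):
        # An automatically added asset stays until the alert mentioning it is unlinked
        owners = [n for n, eps in self.alerts.items() if asset in eps]
        if owners:
            raise ValueError(f"{asset} is added by alert(s) {owners}; unlink them first")
        self.manual_endpoints.discard(asset)
```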

The Change log section contains a record of the changes you and your users made to the incident. Changes are automatically logged, but it is also possible to add comments manually.

In the NCIRCC integration section, you can monitor the incident status in NCIRCC. In this section, you can also export incident data to NCIRCC, send files to NCIRCC, and exchange messages with NCIRCC experts.

If incident settings have been modified on the NCIRCC side, a corresponding notification is displayed in the incident window in KUMA. In this case, for the settings whose values were modified, the window displays the values from KUMA and the values from NCIRCC.
