To make incident processing easier, make sure that the clocks of all devices involved in the event life cycle (event sources, KUMA servers, client hosts) are synchronized with Network Time Protocol (NTP) servers. Events from a source whose clock is skewed land in the wrong place in the incident timeline, which makes them hard to correlate with events from other sources.
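The following check is an added example, not KUMA code or a feature of the product. It assumes that each event is available with both the timestamp written by the source device and the timestamp the collector stamped on receipt (the sample events below are constructed, and the host names are invented). The per-source median of the difference between the two is a robust estimate of that source's clock offset; sources beyond a threshold are reported, and the offset is then used to place events on a corrected timeline. Note how the single odd timestamp from proxy-01 does not cause that host to be flagged, while every event from dc-01 is shifted by the same amount, which is what an unsynchronized clock looks like.

```python
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample, not real KUMA data: (source host, timestamp written by the
# source device, timestamp the collector stamped on receipt), all in UTC.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("fw-edge-01", "2024-05-14T10:00:00Z", "2024-05-14T10:00:01Z"),
    ("fw-edge-01", "2024-05-14T10:00:05Z", "2024-05-14T10:00:06Z"),
    ("dc-01",      "2024-05-14T09:57:40Z", "2024-05-14T10:00:02Z"),  # clock 142 s behind
    ("dc-01",      "2024-05-14T09:57:48Z", "2024-05-14T10:00:10Z"),
    ("proxy-01",   "2024-05-14T10:00:00Z", "2024-05-14T10:00:00Z"),
    ("proxy-01",   "2024-05-14T10:03:00Z", "2024-05-14T10:00:03Z"),  # one bad timestamp, not a clock problem
    ("proxy-01",   "2024-05-14T10:00:04Z", "2024-05-14T10:00:04Z"),
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def clock_offsets(events: List[Tuple[str, str, str]]) -> Dict[str, float]:
    """Per-source median of (device time - receive time) in seconds.

    A negative value means the device clock is behind the collector. The median
    ignores isolated bad timestamps, so only a consistent shift is reported.
    """
    per_source: Dict[str, List[float]] = {}
    for host, device_ts, receive_ts in events:
        offset = (parse_ts(device_ts) - parse_ts(receive_ts)).total_seconds()
        per_source.setdefault(host, []).append(offset)
    return {host: float(median(offsets)) for host, offsets in per_source.items()}


def unsynced_sources(events: List[Tuple[str, str, str]],
                     max_skew_s: float = 5.0) -> List[Tuple[str, float]]:
    """Sources whose clock offset exceeds max_skew_s (assumed threshold)."""
    return sorted((host, off) for host, off in clock_offsets(events).items()
                  if abs(off) > max_skew_s)


def corrected_timeline(events: List[Tuple[str, str, str]]) -> List[Tuple[datetime, str, str]]:
    """Events ordered by device time with each source's clock offset removed."""
    offsets = clock_offsets(events)
    rows = []
    for host, device_ts, _ in events:
        corrected = parse_ts(device_ts) - timedelta(seconds=offsets[host])
        rows.append((corrected, host, device_ts))
    return sorted(rows)


if __name__ == "__main__":
    for host, off in unsynced_sources(SAMPLE_EVENTS):
        print(f"{host}: clock offset {off:+.0f} s, fix NTP before trusting its timestamps")
    for corrected, host, original in corrected_timeline(SAMPLE_EVENTS):
        print(f"{corrected.isoformat()}  {host:<11} (device wrote {original})")
```

Run against the constructed sample, only dc-01 is reported; its events, which the device stamped at 09:57, move to 10:00 on the corrected timeline, next to the firewall and proxy events they actually coincide with.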
You can assign an incident to a user, aggregate it with other incidents, or close it.
To process an incident:
Select the required incidents in one of the following ways:
In the Incidents section of the KUMA web interface, click the incident that you want to process.
The incident window opens, with a toolbar at the top.
In the Incidents section of the KUMA web interface, select the check boxes next to the required incidents.
A toolbar appears at the bottom of the window.
In the Assign to drop-down list, select the user to whom you want to assign the incident.
You can assign the incident to yourself by selecting Me.
The status of the incident changes to assigned, and the name of the selected user is displayed in the Assign to drop-down list.
To respond through Active Directory, select the relevant user in the Related users section.
In the Account details window that opens, click Response via Active Directory.
In the AD command drop-down list, select one of the following values:
The Active Directory group to move the account to or from. In the mandatory Distinguished name field, specify the full path to the group, for example CN=HQ Team,OU=Groups,OU=ExchangeObjects,DC=avp,DC=ru. Only one group can be specified in one operation.
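The Distinguished name field above expects a complete RFC 4514 string DN, and a mistyped one fails only when the response is executed. The parser below is an added example for checking such a value before pasting it; it is not part of KUMA, and the checks it enforces (leaf RDN is CN, at least one DC component, exactly one DN with no multi-valued RDNs) are this example's assumptions about what a usable AD group DN looks like, not rules stated by the product. It also shows the escaping that a group name containing a comma needs, and normalizes a DN pasted with spaces around the separators to the canonical form.

```python
import re
from typing import List, Tuple

# The group DN from the page, in canonical RFC 4514 string form.
EXAMPLE_GROUP_DN = "CN=HQ Team,OU=Groups,OU=ExchangeObjects,DC=avp,DC=ru"

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 section 2.4).
_SPECIAL = set(',+"\\<>;')


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a string DN into (attribute, value) pairs, leaf RDN first.

    Handles single-character escapes ('\\,') and two-digit hex escapes ('\\2C',
    single byte, enough for the ASCII specials). Unescaped '+' (multi-valued
    RDN) and the obsolete ';' separator are rejected. Whitespace around '='
    and ',' is tolerated so a DN pasted with spaces is accepted.
    """
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling backslash at end of DN")
            hexpair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                buf.append(chr(int(hexpair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if c == "+":
            raise ValueError("multi-valued RDN ('+') is not a group DN")
        if c == ";":
            raise ValueError("';' is not a valid RDN separator; use ','")
        if c == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))

    parsed: List[Tuple[str, str]] = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip().upper(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parsed.append((attr, value))
    return parsed


def _escape(value: str) -> str:
    """Escape an RDN value for the string representation."""
    out = "".join("\\" + ch if ch in _SPECIAL else ch for ch in value)
    return "\\" + out if out.startswith("#") else out


def validate_group_dn(field: str) -> str:
    """Check one AD group DN and return it in canonical form, or raise ValueError."""
    rdns = parse_dn(field)
    if len(rdns) < 2 or rdns[0][0] != "CN":
        raise ValueError("expected the full path to the group, starting with CN=<group>")
    if not any(attr == "DC" for attr, _ in rdns):
        raise ValueError("DN has no DC components, so it does not name a domain object")
    return ",".join(f"{attr}={_escape(value)}" for attr, value in rdns)


if __name__ == "__main__":
    for candidate in (EXAMPLE_GROUP_DN, "CN = HQ Team, OU = Groups, DC = avp, DC = ru",
                      "CN=Tier 0\\, Admins,OU=Groups,DC=avp,DC=ru", "HQ Team", "CN=HQ Team"):
        try:
            print(f"OK   {validate_group_dn(candidate)}")
        except ValueError as err:
            print(f"FAIL {candidate!r}: {err}")
```

A value such as HQ Team (the group name alone) or CN=HQ Team (no domain path) is rejected, which matches the field's requirement for the full path; a group whose name contains a comma has to be written with the comma escaped, as in CN=Tier 0\, Admins.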
When closing the incident, indicate its outcome:
confirmed. The incident was genuine and appropriate measures were taken to eliminate the security threat.
not confirmed. The incident was a false positive: the received events do not indicate a security threat.
Click Close.
The Closed status is assigned to the incident. Incidents with this status cannot be edited, and they appear in the incidents table only if the Closed check box is selected in the Status drop-down list when filtering the table. You cannot change the status of a closed incident or assign it to another user, but you can aggregate it with another incident.
If required, aggregate the selected incidents with another incident:
Click Merge. In the window that opens, select the incident into which all data from the selected incidents should be merged.