The main part of the Incidents section shows a table containing information about registered incidents. If required, you can change the set of columns and the order in which they are displayed in the table.
Click the icon in the top right corner of the incidents table.
The table customization window opens.
Select the check boxes opposite the settings that you want to view in the table.
When you select a check box, the events table is updated and a new column is added. When a check box is cleared, the column disappears.
You can search for table parameters using the Search field.
By pressing the Default button, the following columns are selected for display:
Name.
Threat duration.
Assigned.
Created.
Tenant.
Status.
Hits count.
Priority.
Affected asset categories.
Change the display order of the columns as needed by dragging the column headings.
If you want to sort the incidents by a specific column, click its title and select one of the available options in the drop-down list: Ascending or Descending.
To filter incidents by a specific parameter, click on the column header and select the required filters from the drop-down list. The set of filters available in the drop-down list depends on the selected column.
To remove filters, click the relevant column heading and select Clear filter.
Available columns of the incidents table:
Name—the name of the incident.
Threat duration—the time span during which the incident occurred (the time between the first and the last event related to the incident).
Assigned to—the name of the security officer to whom the incident was assigned for investigation or response.
Created—the date and time when the incident was created. This column allows you to filter incidents by the time they were created.
The following preset periods are available: Today, Yesterday, This week, Previous week.
If required, you can set an arbitrary period by using the calendar that opens when you select Before date, After date, or In period.
Tenant—the name of the tenant that owns the incident.
Status—current status of the incident:
Opened—new incident that has not been processed yet.
Assigned—the incident has been processed and assigned to a security officer for investigation or response.
Closed—the incident is closed; the security threat has been resolved.
Alerts number—the number of alerts included in the incident. Only the alerts of those tenants to which you have access are taken into account.
Priority shows how important a possible security threat is: Critical , High , Medium , Low .
Affected asset categories—categories of alert-related assets with the highest severity. No more than three categories are displayed.
Updated—the date and time of the last change made in the incident.
First event and Last event—dates and times of the first and last events in the incident.
Export to NCIRCC—the status of incident data export to NCIRCC:
Not exported—the data was not forwarded to NCIRCC.
Export failed—an attempt to forward data to NCIRCC ended with an error, and the data was not transmitted.
Exported—data on the incident has been successfully transmitted to NCIRCC.
Branch—data on the specific node where the incident was created. Incidents of your node are displayed by default. This column is displayed only when hierarchy mode is enabled.
CII—an indication of whether the incident involves assets that are CII objects. The column is hidden from the users who do not have access to CII objects.
In the Search field, you can enter a regular expression for searching incidents based on their related assets, users, tenants, and correlation rules. Parameters that can be used for a search:
Assets: name, FQDN, IP address.
Active Directory accounts: attributes displayName, SAMAccountName, and UserPrincipalName.
Correlation rules: name.
KUMA users who were assigned alerts: name, login, email address.
Tenants: name.
When filtering incidents based on a specific parameter, the corresponding column in the incidents table is highlighted in yellow.