Viewing the incident table
The incident table is displayed in the Monitoring & reporting → Incidents section and provides an overview of all created incidents. By default, the table displays the incidents related to all of the tenants to which you have access rights. If necessary, you can configure the incident table.
To configure the incident table, do any of the following:
- Apply tenant filter:
- Click the link next to the Tenant filter setting.
The tenant filter opens.
- Select the check boxes next to the required tenants.
- Click the link next to the Tenant filter setting.
- Filter the data of the alerts table:
- Click the filter (
) icon. - On the Filters tab, specify and apply the filter criterion in the invoked menu.
- Click the filter (
- If you want to hide or display a column, click the settings (
) icon, and then select the necessary column.
The incident table is configured and displays the data you need.
The incident table has the following columns:
- Created. Date and time when the incident was created.
- Threat duration. Time between the earliest and the most recent events among all of the alerts linked to the incident.
- Updated. Date and time of the last change, from the incident history.
- Incident ID. A unique identifier of an incident.
- Status. Current status of the incident.
- Time to triage. The time limit to accept the incident, in days, hours and minutes.
- Time spent to respond. The time limit for initial response to the incident, in days, hours and minutes.
- Time to resolve. The time limit to resolve the incident, in days, hours and minutes.
- Status changed. The date and time when the incident status has been changed.
- Severity. Severity of the incident.
- Priority. Priority of the incident.
- Linked alerts. How many alerts are included in the incident.
- Name. A name of an incident.
- Rules. The rules that were triggered to create the incident.
- Affected assets. Devices and users that were affected by the incident. If the number of assets affected by or involved in the incident is greater than or equal to three, the number of affected devices is displayed.
- Tenant. The name of the tenant in which the incident was detected.
- Assignee. Current assignee of the incident.
- Has parent incident. Displays whether the incident has a parent incident. If the Yes value is displayed, then the incident is a child incident.
- Status of child incidents. Resulting status of first-level child incidents. Possible values: Closed, In progress, No child incidents.
- Creation method. How the incident was created—manually or automatically.
- Observables. Number of the detection artifacts, for example, IP addresses or MD5 hashes of files. If the number of observables is greater than or equal to three, the number of observables is displayed.
If necessary, you can export information about all incidents displayed in the incident table to a JSON file.