Managing incidents
May 15, 2024
ID 88296
An incident is a record about an application event associated with a possible data leak. Kaspersky Security generates incidents in the following cases:
- When a policy is violated
- While searching SharePoint for data
Each incident contains detailed information about incident-related files and users and the reason why the incident has been generated. This information is needed to analyze and investigate possible data leaks.
The incident workflow process is regulated by job descriptions of security officers and may vary depending on the incident workflow regulations adopted within an organization.
Managing the incident workflow process
The incident workflow process can be managed as follows:
- Using incident statuses
The incident status is information about the current incident status. The incident status can be changed at any time. Information about the incident status change and the author of changes is saved in the incident history.
The application lets you change the status of several incidents at once.
- Using comments
Comments may contain information about the reasons for incident status changes and about an investigation of the circumstances under which the incident occurred.
Incident comments can be added while changing the incident status or viewing the incident history.
Selecting incidents to manage
The application adds all incidents that have been generated to the list of incidents in the Incidents node. You can change the appearance of the incident list by changing the incident information displayed in the table.
The application automatically assigns the New status to an incident when it is generated. New incidents available for processing can be displayed by refreshing the incident list.
You can use the incident filter to search for incidents according to specific criteria (such as incidents related to a specific user). You can use the search for similar incidents to handle similar incidents, i.e., those who share identical data.
Viewing incident details and processing incidents
You can start managing new incidents by viewing the incident details.
Incidents assigned for processing must have their status changed to In progress. If the company has several security officers, this will help them to coordinate their workflows.
To make a decision on an incident, you have to look at the context of the policy violation. The violation context is displayed in the incident details window. The violation context contains all text fragments that contain data indicating the violation. Keywords or table data in each fragment are highlighted in red. If the context of the violation is insufficient to make a decision on an incident, you can open the incident-related file on SharePoint.
When you point the mouse pointer on a text fragment that indicates a violation, a tooltip with the name of the data subcategory appears next to the pointer (see the figure below). A subcategory is a nested, embedded data category included in a larger category. The subcategory name helps to define more accurately the area of the category to which data belongs.
The subcategory name is displayed in a pop-up hint
You can add the web address of the file associated with the incident to exclusions. This helps you to reduce the number of false positive incidents generated when scanning template-based documents (such as uniform contracts or statements). The application adds the web address of a file to exclusions as follows:
- If the incident has been created due to a policy violation, the web address will be added to the policy's exclusions. The application will not control the uploading of files by users to that web address.
- If the incident has been created when running the search task, the web address will be added to the search task's exclusions. The application will not scan files located on that web address.
If the incident was generated while running a search task of Kaspersky Security 9.0 , you cannot add the file's web address to exclusions for the search task.
If you need to export incident information to prepare an official memo, you can copy the incident details to clipboard.
Finishing incident management
Following analysis of incident information, an incident can be assigned one of the following statuses:
- Closed (processed), if incident processing has been completed.
- Closed (false positive), if the policy violation was a false positive (e.g., a mistake was made while configuring the policy).
- Closed (not an incident), if the policy violation was admissible as an exclusion.
- Closed (other) in any other cases.
After finishing incident processing, you can remove them from the list of incidents by archiving them.
You are advised to perform archiving of incidents once the number of incidents exceeds 100,000. Kaspersky Security can be unstable when the number of incidents increases to 300,000.
Restoring incidents
You can consult archived incidents, if necessary, by restoring incidents. The application automatically assigns Archival status to all restored incidents.
After you finish processing these incidents, you can remove them from the list.
