Incidents node
This node lets you view and process incidents.
The incident filter is located in the upper part of the workspace. You can use the filter to locate incidents with specific parameters and display them in the table.
Add a condition
Clicking this button adds a row with fields for defining a new filter condition to the filter. After the row has been added, fill out the fields for the new condition. Filtering conditions are combined using the "AND" logical operator.
You can remove a condition from the filter by clicking the button located in the right part of the row.
When filter conditions are added or removed, the changes are not applied automatically. To apply the changes, click the Search button.
Search
Clicking this button displays in the list the incidents that meet the filtering conditions.
View
Clicking this button opens the Incident details window, which lets you view detailed information about the selected incident and its history, as well as change the incident status.
The button is active when one incident is selected in the list.
Change status
This button changes the status of one, several, or all incidents shown in the list.
Clicking this button opens a menu with the following items:
- Selected incidents. When this item is selected, a window opens letting you change the status of incidents selected in the list.
- All incidents. When this item is selected, a window opens letting you change the status of all incidents displayed in the list. The status of incidents that are hidden according to the filtering conditions is not changed.
Refresh
This button lets you refresh the content of the incident list. The list of incidents is not refreshed automatically.
Select columns
This button lets you change the set of table columns displayed.
Clicking this button opens a window with a list of available table columns. You can change the set of columns shown in the table by selecting or clearing check boxes opposite the column names.
A table with the list of incidents is displayed under the incident filter. The list of incidents appears one page at a time. The first page of the incident list displays the latest incidents.
This table lets you view the details of each incident, change incident status, perform incident archiving and recover incidents from the archive.
It is recommended not to store a large number of incidents in the list. You are advised to archive processed incidents once the number of incidents in the list reaches 100,000. The application does not support incident processing with more than 300,000 incidents in the list.
Table of incidents
This table lists incidents that may include new incidents, incidents in progress, processed incidents, and incidents restored from the archive. This list does not include archived incidents.
The table contains the following columns:
- No. A sequential number assigned to an incident when it is created.
- Status. Incident status. Incident status reflects the stage of incident processing. For example: New – the incident has been generated but has not been processed yet; Closed (processed) – the incident investigation has been completed, and the required actions have been taken.
- Subject. The content of the "Subject" field of the message that caused the application to generate an incident during scanning.
- Sender. The content of the "From" field of the message that caused the application to generate an incident during scanning.
- Recipients. Addresses of all recipients specified in the "To", "CC", and "BCC" fields in the header of the message that caused the application to generate an incident during scanning.
- Date. The date and time of incident generation. Displayed in the format defined in the regional settings of the computer.
- Category. The name of the data category based on which the incident has been generated.
- Policy. The name of the policy that was violated and based on which the incident has been generated.
- Priority. The priority assigned to the incident when it was generated (Low, Medium or High). The priority reflects the urgency with which the incident has to be processed. The priority is assigned based on the value specified in the settings of the policy that has been violated.
- Action. The action performed on the message (Skipped, Deleted). The action to be taken on the message is specified in the policy.
- Violations. The number of message text fragments that caused a policy violation.
- Message ID. Unique ID of the message. The content of the "Message-ID" field of the message header.
- Server name. The name of the mail server on which the incident was generated.
- Manager. The name of the account of the sender's manager. If information about the manager's account is unavailable, the field contains the "n/a" value.
By default, the table displays all of the columns, except for Message ID, Server name, and Manager. You can change the set of columns by clicking the Select columns button. The No. column is always displayed.
You can change the order in which columns appear by dragging their headers with the mouse pointer.
You can sort the table contents in ascending or descending order by left-clicking the column headers.
Buttons under the table
The buttons in the bottom right corner of the workspace let you navigate the list of incidents in the table.
The buttons with double arrows take you to the first and last pages of the list, respectively.
The single-arrow buttons let you move through the list one page at a time.
The entry field lets you enter the number of the list page that you want to go to.
Archive
Clicking this button starts the Incident Archiving Wizard. The Incident Archiving Wizard lets you move the selected incidents to an archive.
Restore
Clicking this button starts the Incident Recovery Wizard.
Delete archived
Clicking this button removes from the list of incidents the archived incidents that have been restored to it.