Kaspersky Machine Learning for Anomaly Detection

Adding a status, cause, expert opinion or note to an incident or incident group

December 6, 2023

ID 248094

Kaspersky MLAD lets you add an expert opinion or note to a registered incident.

An expert opinion is normally added by an expert (process engineer or ICS specialist) and may contain an incident analysis or recommendations on resolving a problem that is indicated by an identified incident. An expert opinion can be added to an individual incident or to a group of incidents. If expert opinions were previously added to incidents that are later put into a group, these opinions will also be displayed in the group (linked to each specific incident). When incidents are regrouped, the expert opinion for an incident migrates together with the incident to the new group.

Notes are intended to aid discussions between experts or operators of facilities regarding recommended actions for analysis, investigation, and remediation of an incident. Each note includes information stating who added the note and when it was added.

You can also add the cause of the incident and the incident status determined by the expert based on the incident analysis results. A status can be assigned to an individual incident or to a group of incidents. When changing the status of a group of incidents, Kaspersky MLAD changes the status of the incidents that are part of this group.

Before adding a cause, status, note or expert opinion, you must conduct an analysis of the registered incident.

To add an expert opinion, status, cause, or note to an incident:

  1. In the main menu, select the Incidents section.
  2. If necessary, change the incident status by selecting one of the following statuses from the Status drop-down list: Under review, Decision pending, Instructions issued, Problem closed, Cause unknown, Ignore, or False positive.

    By default, an incident is assigned the Unknown status. If necessary, the system administrator can create, edit, or delete statuses of incidents.

  3. To display detailed technical specifications, click the right arrow icon next to the relevant incident. In the details area that opens, you can do the following:
    • If you need to add the cause of an incident, use the Incident cause field to select the cause of the incident.

      If necessary, the system administrator can create, edit, or delete causes of incidents.

    • If you want to add an expert opinion based on an analysis of a registered incident, click the Edit expert opinion icon on the right of the Expert opinion field. In the field that opens, enter the opinion, and press ENTER.

      The expert opinion will be added to the selected incident and will appear in the incidents table in the Incidents section.

    • If you need to add a note to an incident, enter your message in the Note field and click the Add note button.

      You can provide a message up to 512 characters long.

The status, cause, expert opinion, and note will be added to the incident and will be available to other users when viewing this incident.

When two or more similar incidents are detected, Kaspersky MLAD automatically combines them into a group. The group name is also assigned automatically in the format Group #N (N is replaced by the sequence number of the group). You can edit the group name, change the status of the incident group, and edit the group's expert opinion (for example, recommendations for analyzing similar incidents).

To add a status and expert opinion to a group of incidents:

  1. In the main menu, select the Incidents section and click Groups.
  2. If necessary, change the incident group status by selecting one of the following statuses from the Status drop-down list: Under review, Decision pending, Instructions issued, Problem closed, Cause unknown, Ignore, or False positive.

    When changing the status of a group of incidents, Kaspersky MLAD changes the status of the incidents that are part of this group. By default, a group of incidents is assigned the Unknown status.

    If necessary, the system administrator can create, edit, or delete statuses of incidents.

  3. In the incident groups table, double-click the row of the incident group.

    The Edit group window opens.

    You can also change the group on the Incidents tab. To do so, select the required group in the Group filter, and in the expert opinion section for the group, which is displayed above the incidents table, click the Edit button.

  4. To change the name of the incident group, enter a new name for the group in the Group name field.
  5. In the Expert opinion field, enter the text of the expert opinion (for example, recommendations for analyzing similar incidents).
  6. Click the Save button.

The status and expert opinion will be changed for the incident group and can now be viewed by other users in the Groups table in the Incidents section.
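The following is an added illustration, not Kaspersky MLAD code or its API: a small model of the incident and group semantics described on this page (default Unknown status, group status propagating to member incidents, expert opinions migrating with an incident when it is regrouped, and notes capped at 512 characters with author and timestamp). All class and function names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

NOTE_MAX_CHARS = 512      # note length limit stated on the page
DEFAULT_STATUS = "Unknown"  # status assigned to new incidents and groups


@dataclass
class Note:
    author: str            # who added the note
    text: str
    added_at: datetime     # when it was added


@dataclass
class Incident:
    incident_id: int
    status: str = DEFAULT_STATUS
    cause: Optional[str] = None
    expert_opinion: str = ""
    notes: List[Note] = field(default_factory=list)
    group_id: Optional[int] = None

    def add_note(self, author: str, text: str) -> Note:
        """Reject notes longer than the documented limit; record author and UTC time."""
        if len(text) > NOTE_MAX_CHARS:
            raise ValueError(f"note exceeds {NOTE_MAX_CHARS} characters")
        note = Note(author, text, datetime.now(timezone.utc))
        self.notes.append(note)
        return note


@dataclass
class IncidentGroup:
    group_id: int
    incidents: List[Incident] = field(default_factory=list)
    status: str = DEFAULT_STATUS
    expert_opinion: str = ""   # group-level recommendations, separate from per-incident opinions

    @property
    def name(self) -> str:
        return f"Group #{self.group_id}"  # automatically assigned name format

    def set_status(self, status: str) -> None:
        """Changing the group status changes the status of every member incident."""
        self.status = status
        for inc in self.incidents:
            inc.status = status

    def member_opinions(self) -> Dict[int, str]:
        """Per-incident opinions shown in the group, linked to each incident."""
        return {i.incident_id: i.expert_opinion for i in self.incidents if i.expert_opinion}


def regroup(incident: Incident, src: IncidentGroup, dst: IncidentGroup) -> None:
    """Move an incident between groups; its expert opinion travels with it."""
    src.incidents.remove(incident)
    dst.incidents.append(incident)
    incident.group_id = dst.group_id
```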
